Dissertations, Theses, and Capstone Projects

Date of Degree


Document Type


Degree Name



Computer Science


Sven Dietrich

Committee Members

Ping Ji

Saptarshi Debroy

Yong Guan

Subject Categories

Artificial Intelligence and Robotics | Information Security | Theory and Algorithms


Structural Anomaly, Role Detection, Generative AI, Intrusion Detecrtion


As computer systems become more complex and powerful, the threat of sophisticated and persistent computer attacks increases dramatically. Traditional intrusion detection systems that rely on log analysis struggle to keep pace with these evolving threats, as the attacking trails are often buried in high-volume and high-velocity legitimate activities in the system. Despite tremendous progress in applying machine learning techniques to anomaly-based intrusion detection, such methods continue to suffer from a high false positive rate due to the diversity and variability of individual behavior.To address this problem, this thesis proposes a new framework for detecting structural anomalies in computer systems. The framework is based on the hypothesis that an intruder to a system is motivated by the desire to conduct unwanted or malicious behavior that defies the purpose of the system. When a system is designed for specific purposes, entities in the system driven by certain functionalities act purposely, and interactions among entities are not random, and structures exist. By contrast, malicious behavior will appear out of place with the internal inherited structure a system may have, i.e., structural anomalies.

The proposed framework targets detecting functional structures and identifying anomalies related to inherited system functionalities. System functionalities are captured by entity activities in the system, and entity activities are driven by roles they play. As a key element of the framework, the thesis proposes the System Latent Dirichlet Allocation (SysLDA) approach to detect entity roles, assuming that an entity plays multiple roles, and each role represents a set of activities driven by their designated functionalities. The framework is evaluated using a simulated system, and the results demonstrate its capability of detecting structural anomalies. In particular, SysLDA outperforms existing approaches for role detection in the simulated system. The thesis also discusses the challenges and opportunities of the proposed approach and highlights its potential for detecting structural anomalies in computer systems. In summary, this work contributes to the field of anomaly-based intrusion detection by proposing a novel approach that targets detecting functional structures and identifying anomalies related to inherited system functionalities.

This work is embargoed and will be available for download on Monday, June 02, 2025

Graduate Center users:
To read this work, log in to your GC ILL account and place a thesis request.

Non-GC Users:
See the GC’s lending policies to learn more.