MONITORING AND ANALYSIS OF THE BEHAVIOR OF USERS OF COMPUTER SYSTEMS

Nurmuhammadov Azizbek

Abstract

The issues of building effective software systems for protection against internal intrusions based on non-signature methods and having the properties of autonomy, adaptability and self-learning are considered. Separately, the problems of consolidating initial data from logs and OS protocols, methods of intermediate representation, data transmission and storage of the collected data are considered. The architecture of the consolidation system and of the security analyst's workplace is proposed. Methods for using OLAP technology to analyze the collected data on user activity, as well as Data Mining algorithms for building a user behavior model based on association rules, are proposed. The constructed behavior model can be used to present the behavior visually to a security analyst in the form of a network of dependencies, as well as to automatically search for anomalies in user behavior and assess the degree of potential threat posed by each user. An experimental pilot version of such a system was implemented and verified according to the DARPA Intrusion Detection Evaluation Program method, using reference data sets. The results of the experimental verification are given in the work.
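To make the abstract's approach concrete, the following is an added example (not code from the paper or its pilot system) that mines single-antecedent association rules from a constructed, consolidated user-activity log, scores each session by the rules it violates and by actions the model has never seen, and ranks users by their worst session. The session data, the action names and the support/confidence thresholds are all invented for illustration.

```python
from itertools import combinations
from collections import Counter, defaultdict

# Constructed records as a consolidation layer might emit them:
# (user, session id, set of observed actions). Values are invented.
SESSIONS = [
    ("alice", 1, {"login_office_hours", "open_crm", "print_report"}),
    ("alice", 2, {"login_office_hours", "open_crm", "print_report"}),
    ("alice", 3, {"login_office_hours", "open_crm"}),
    ("bob", 1, {"login_office_hours", "open_crm", "print_report"}),
    ("bob", 2, {"login_office_hours", "open_crm", "print_report"}),
    ("bob", 3, {"login_office_hours", "open_crm", "print_report"}),
    ("mallory", 1, {"login_off_hours", "open_crm", "bulk_export", "usb_write"}),
    ("mallory", 2, {"login_office_hours", "open_crm", "print_report"}),
]

def mine_rules(sessions, min_support=0.5, min_confidence=0.8):
    """Return {(antecedent, consequent): confidence} for rules A -> B.
    Only pairs are mined here; a full Apriori pass would also yield
    multi-item antecedents, but the scoring below works the same way."""
    n = len(sessions)
    item_count, pair_count = Counter(), Counter()
    for _, _, actions in sessions:
        item_count.update(actions)
        pair_count.update(combinations(sorted(actions), 2))
    rules = {}
    for (a, b), c in pair_count.items():
        if c / n < min_support:          # support = P(A and B)
            continue
        for ante, cons in ((a, b), (b, a)):
            conf = c / item_count[ante]  # confidence = P(B | A)
            if conf >= min_confidence:
                rules[(ante, cons)] = conf
    return rules

def anomaly_score(actions, rules):
    """Confidence-weighted count of rules whose antecedent fires but whose
    consequent is missing, plus 1.0 for each action absent from the model."""
    known = {item for rule in rules for item in rule}
    score = sum(conf for (ante, cons), conf in rules.items()
                if ante in actions and cons not in actions)
    return score + sum(1.0 for a in actions if a not in known)

def threat_ranking(sessions, rules):
    """Rank users by their highest-scoring session, most suspicious first."""
    per_user = defaultdict(list)
    for user, _, actions in sessions:
        per_user[user].append(anomaly_score(actions, rules))
    return sorted(((u, max(s)) for u, s in per_user.items()),
                  key=lambda t: -t[1])
```

Because the rules are learned from the observed sessions rather than from signatures, the model adapts as the log grows; re-running `mine_rules` on fresh data is the "self-learning" step, and the rule set itself is the dependency network an analyst can inspect.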
