Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT 2018) ©2018 IEEE
The role of User Entity Behavior Analytics to detect
network attacks in real time
Manya Ali Salitin
College of Information Technology
University of Bahrain, Department of
Information Systems
Sakhir, Bahrain
m.salitin@gmail.com
Ali Hussein Zolait
College of Information Technology
University of Bahrain, Department of
Information Systems
Sakhir, Bahrain
azolait@uob.edu.bh
Abstract— Organizations are using advanced security solutions to protect their information resources. However, even with such high investments, traditional security approaches have failed to protect the network infrastructure against state-of-the-art attacks. New proactive approaches to security are on the rise, such as User Entity Behavior Analytics (UEBA). UEBA is a type of cybersecurity process that uses machine learning, algorithms, and statistical analyses to detect network attacks in real time. This paper aims to assess the value and success of using behavior analytics in securing the network from not-before-seen attacks such as zero-day attacks. It uses a systematic literature review together with a self-administered survey and interviews, with convenience sampling of high-profile network users and top security vendors. The survey and interviews with various security experts are used to verify the actual effectiveness of solutions based on behavior analytics. While collecting the primary data via the survey, the researchers conduct structured interviews with vendors who sell such solutions, to understand the performance of behavior-analytics-based solutions and the distinct features of their products. The results of the literature review, survey, interviews and focus groups are used to assess the value and success of using behavior analytics in securing the network from not-before-seen attacks such as zero-day attacks. The endeavor of this paper is to highlight the weaknesses and strengths of different UEBA solutions and their effectiveness for detecting network attacks in real time. This research contrasts the top fifteen UEBA technologies based on use cases and capabilities and highlights common usage scenarios. Based on the evidence, recommendations will be given.
Keywords— traditional security approaches, security attacks, User Entity Behavior Analytics, real-time
I. INTRODUCTION
Today's security threat landscape has many constantly changing forms and shapes. According to Young (2017), these changing forms of threat make them nearly impossible to detect with traditional security approaches. Convertino (2017) reported that companies around the world are spending billions of dollars on network security and yet 90% of them are breached [1] [2].
According to the Data Breach Investigations Report [3], an analysis of 53,000 security incidents shows that 48% of incidents involved hacking, with malware second at 30%.
Most cybercriminals take a few minutes or less to compromise a system, but just 3% of security breaches are discovered as they occur, while 68% go undiscovered for months or more [4].
In most breach cases, a third party detects the data breach within the organization: law enforcement, which revealed the security breaches at TJX Companies in 2006 and VeriSign in 2010, or a partner, which notified Heartland Payment Systems in 2008 and Yahoo in 2014 of their breaches. Worst of all, many breaches are detected by customers, as happened to Adobe in 2015 and LinkedIn in 2016.
Malware incorporates techniques to extract user credentials stored in the memory of the compromised system. These can include the credentials of domain users or administrators who log into the machine. Detecting and blocking these attacks comes down to being able to identify malicious behaviors and respond fast enough to mitigate the damage.
Malware repeatedly changes its techniques in order to avoid being discovered; according to the Data Breach Investigations Report (2018), 37% of malware signatures appear only once. Securing a network perimeter using a signature-based approach to protect organization systems and data is therefore no longer effective. It is important to be able to detect abnormal behavior, credential abuse and network misuse, and to isolate network devices whose security is compromised, in order to neutralize attackers and respond quickly and effectively [4] [3].
The growing adoption of security architectures enriched with advanced analytics and machine learning, in place of traditional approaches that cannot detect and prevent recent polymorphic security threats, has decreased malware breaches by 20% in one year [3]; this significant drop brings cybersecurity to a completely new level.
The Gartner Security and Risk Management Summit (2016) addressed the urgent need for approaches that can detect insider threats and external hackers effectively and efficiently; therefore, a few new trending approaches have been introduced, such as user and entity behavioral analytics (UEBA) and the anticipated evolution of security information and event management (SIEM) with UEBA.
The first User and Entity Behavioral Analytics (UEBA) product, then called User Behavioral Analytics (UBA), has been on the market since 2015. Later, in August 2015, Gartner analyst Avivah Litan introduced the term "entity" into the title, creating "user and entity behavioral analytics" (UEBA), as vendors added the capability of monitoring and analyzing the behavior of entities besides users. In 2016, the Gartner Security and Risk Management Summit categorized UEBA as a risk management solution in use but still in the Innovation Trigger stage [5].
2018 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT)
978-1-5386-9207-3/18/$31.00 ©2018 IEEE
Figure 1. Hype Cycle for Risk Management Solutions (Source: Gartner, 2016)
UEBA embeds unsupervised machine learning to spot significant changes in user, device or network activity that indicate an attack. Security teams can prioritize which alerts to remediate in order to mitigate security risks; moreover, UEBA can utilize automated response procedures in order to shorten the time-to-response cycle.
UEBA vendors offer a range of capabilities supported by machine learning and analytic models. UEBA analyzes and monitors the behavior of users and, at the same time, of other entities to detect the signs that indicate attacks; it uses advanced analytics to detect multiple kinds of threats and offers the ability to correlate multiple anomalous activities that could be related to a single security incident. All these capabilities are performed in real time or near real time and offer a new kind of threat visibility.
For an emerging technology like UEBA, there is a need to assess and evaluate UEBA vendors based on the capabilities which they offer. Therefore, this study uses a systematic literature review, a self-administered survey and interviews to assess the value and success of using behavior analytics in securing the network from not-before-seen attacks, and to verify the effectiveness of solutions based on behavior analytics.
The endeavor of this study is to highlight the weaknesses and strengths of different UEBA solutions and their effectiveness for detecting network attacks in real time. This study compares the top fifteen UEBA technologies based on capabilities and use cases and focuses on common usage scenarios. Based on the evidence, recommendations will be given.
II. CURRENT CYBERSECURITY APPROACHES
Today, signature-based detection is still the predominant method of finding and eliminating security threats in the enterprise. Intrusion-prevention systems and antivirus software only look to match attack fingerprints: they check activities, recognize one that matches the signature of a known attack, and then the suspicious activity is prevented.
Attackers use sophisticated methods to evade systems such as Intrusion Prevention Systems and Intrusion Detection Systems (IPS/IDS), using techniques like denial of service, fragmentation, obfuscation, and application seizing; they try to pass their attack off as legitimate traffic to prevent the IPS/IDS from detecting the security breach.
Some IPS/IDS depend on anomaly detection: by comparing the current traffic with baseline traffic, an alert is raised when unfamiliar traffic appears. IPS/IDS based on anomaly detection have more accurate and customizable intrusion detection methods, but from the administrative side they are more intensive and need more computational expense.
It is universally accepted that IPS/IDS are insufficient to point out all attacks, especially zero-day attacks, that they produce repeated false-positive alerts, and that they fail to provide a worthy Return on Investment (ROI).
While the shortcomings of the signatures used by IPS/IDS and other perimeter security systems are well known, much of the industry effort has been focused on delivering signatures faster. This tactic has simply led to faster attackers or to the use of vectors with unknown signatures.
In order to protect an organization's network from these unknown threats and attacks, many Next-Gen security solutions are using a variety of emerging approaches and technologies, which mostly rely on some form of advanced analytics to monitor network behavior and stop unusual events.
III. LITERATURE REVIEW
In an article on “The Expanding Role of Data Analytics in
Threat Detection” by SANS Institute, Barbara Filkins (2015)
argues that most systems depend on one or more of three threat
detection methodologies - Signature-Based (or Misuse)
Detection, Anomaly-Based (or Behavior-Based) Threat
Detection, and Continuous System Health Monitoring [6].
The first method, Signature-Based (or Misuse) Detection, uses a set of rules to identify threats such as intrusions and viruses by watching for patterns of events specific to known and documented attacks. Preprocessing methods, such as deep packet inspection for network traffic, find possible signatures in captured network traffic. The resulting signatures from the monitored environment are matched against known signatures in a signature database. An alert is issued if any match appears; if there is no match at all, the detector does nothing.
This method typically produces fewer false positives than
traditional methods, with relatively low processing demands.
The main disadvantage is that it only detects attacks for which
a defined signature is known and available. New attacks must
be identified, modeled and added to signature databases,
which must be updated regularly to keep innovative exploits,
or those based on previously unknown flaws, from evading
defenses.
The second method, Anomaly-Based (or Behavior-Based) detection, Filkins (2015) states, depends on the assumption that attack behaviors differ enough from normal activity that malicious actions can be detected and identified. Tools using this method begin by creating models of behavior patterns that represent "normal" behavior for the networks, systems, applications, end users and devices that make up the environment in which they are installed. They then look for deviations from that pattern.
The advantage of the second method is its ability to discover a threat without prior knowledge of its significance. Historically, this method has had high false-positive rates, the complexity of training a system in a highly dynamic environment, and computational expense.
The third method, Continuous System Health Monitoring, detects intrusions by actively monitoring key system "health" or performance factors to identify suspicious changes or trends in activity and resource usage. On the network, this may mean monitoring the protocols used in the network, bandwidth usage over time, and ports which show unexpected traffic increases. This method maps these measures to the behaviors that malicious activities may have in common, by using well-tuned system-wide measures and understanding the significance of identified variations and trends.
A security platform uses a set of mechanisms and techniques to detect any anomalous behavior and security breaches within the network. The security platform applies "big data" techniques and performs security analytics by utilizing machine learning.
The security platform performs real-time user/entity behavioral analytics (UEBA) to detect security-related anomalies and threats, whether such suspicious behavior was previously known or not. A visual presentation of the analytical results shows the risk rank with the supporting evidence; this visual presentation enables network security administrators to respond and take action on a detected anomaly or threat immediately. Network administrators can spot abnormal behavior by searching the behavior patterns [7].
IV. UEBA DESIGN
UEBA works to detect changes in the communication behavior between server and endpoint which may indicate an attack, by using unsupervised machine learning that detects considerable changes in device, user or network activity that signal the presence of an attack. Security administrators can remediate the high-priority alerts first in order to protect sensitive assets, or they can choose automated response procedures to minimize the time-to-contain cycle.
Figure 2 shows that the behavior analytics process is generally powered by machine learning, which applies mathematical models to analyze user, entity and network behavior; hence this approach allows the detection of existing attacks within the enterprise.
Figure 2. User Entity Behavior Analytics Model (Source: ARUBA, 2018)
This approach is being used successfully by some network security vendors, who claim that the WannaCry or Petya ransomware could not hack the clients on their watch [8]. Therefore, network security vendors suggest that enterprises deploy their solutions based on behavioral analytics to detect intrusions that slip past traditional preventive technologies.
Although vendors add different features and keep their anomaly detection methods secret, there are some basic characteristics common to all UEBA tools. UEBA monitors and collects data on the activities of users and entities from system logs and analyzes the collected data using advanced analytical methods. A baseline profile of user and entity behavior is created by finding behavioral patterns and deviations from acceptable or normal activity, and thresholds of normal behavior are established. Creating the baseline profile is the most important stage of a UEBA system, as it defines the accuracy of further detection of potential.
Initially, profile construction is done using training data from the application data repository. Baseline modeling of the user and entity behavior profile is provided by the UEBA vendor. This profile is the most critical asset in any such system because reports and alerts depend on its accuracy. A raw profile is created and stored in the profile repository. Then the profile application, which is provided by the vendor, performs profile operations on this raw profile and sends it to profile evaluation, which generates evaluation results; these evaluation results are used by profile construction to enhance the quality of profiles. Profile construction is continually updated, either by the results of profile evaluation or by a testing dataset (stored in the application data repository).
To improve the accuracy of the behavior profile so that it supports its applications effectively and efficiently, it is essential to automate or semi-automate profiling systems throughout the process of constructing, evaluating and storing profiles, and to provide profile operations for developing profiling applications [9].
User behavior profiling models include, among others, machine learning, statistical models, rule- and signature-based models, and out-of-the-box analytics models for different use cases. The effectiveness of these models is measured by the model's capability to baseline and profile dynamically, so that it quickly adapts to user role changes and the like.
Standalone UEBA tools build profiles/models of the behavior of users and entities over a period of time and use them as a baseline to detect malicious actions by noting any abrupt or sudden change in behavior. The current user and entity behavior is compared with the established baseline, and the UEBA system then decides whether the deviations are acceptable or anomalous. If an anomaly is detected, the system estimates the degree of deviation and its risk level and sends alerts to security officers in real time.
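As an added illustration of the baseline-and-deviation loop just described (not code from the paper or from any vendor's product), the Python sketch below builds a per-user baseline profile from a constructed seven-day training window of daily activity counts, scores a new observation by its degree of deviation from that baseline, maps the deviation to a risk level, and emits an alert when the deviation crosses a threshold. The feature names, thresholds and sample data are assumptions.

```python
"""Minimal UEBA-style baseline profiling and deviation scoring.

Added illustration, not the paper's or any vendor's code. Feature names,
thresholds and the per-user sample data below are constructed assumptions.
"""
from statistics import mean, pstdev

# Feature vector recorded per user per day: assumed features.
FEATURES = ("logons", "distinct_hosts", "mb_uploaded")

# Constructed 7-day training window per user (the "baseline period").
TRAINING = {
    "alice": [(9, 2, 40), (11, 2, 35), (10, 3, 50), (8, 2, 42),
              (12, 2, 38), (10, 3, 45), (9, 2, 41)],
    "bob":   [(4, 1, 5), (5, 1, 6), (4, 1, 4), (6, 1, 7),
              (5, 1, 5), (4, 1, 6), (5, 1, 5)],
}


def build_profile(samples):
    """Baseline profile: (mean, std-dev) per feature over the training window."""
    columns = zip(*samples)
    return {f: (mean(c), pstdev(c)) for f, c in zip(FEATURES, columns)}


def build_profiles(training=TRAINING):
    """Profile construction stage: one baseline profile per known user."""
    return {user: build_profile(samples) for user, samples in training.items()}


def deviation(profile, observation, sigma_floor=0.5):
    """Degree of deviation: the largest per-feature z-score and which feature
    produced it. A constant baseline (std-dev 0) is floored so that a change
    in that feature is still measurable instead of dividing by zero."""
    worst_z, worst_feature = 0.0, None
    for feature, value in zip(FEATURES, observation):
        mu, sigma = profile[feature]
        z = abs(value - mu) / max(sigma, sigma_floor)
        if z > worst_z:
            worst_z, worst_feature = z, feature
    return worst_z, worst_feature


def risk_level(z):
    """Map the degree of deviation to a coarse risk level for analyst triage."""
    if z >= 6.0:
        return "critical"
    if z >= 4.0:
        return "high"
    if z >= 2.5:
        return "medium"
    return "normal"


def evaluate(profiles, user, observation, alert_at=2.5):
    """Compare one new daily observation with the user's baseline and decide
    whether it is acceptable or anomalous; an anomaly yields an alert record
    carrying the deviating feature, its z-score and the risk level."""
    z, feature = deviation(profiles[user], observation)
    level = risk_level(z)
    alert = None
    if z >= alert_at:
        alert = {"user": user, "feature": feature,
                 "z": round(z, 2), "risk": level}
    return level, alert


if __name__ == "__main__":
    profiles = build_profiles()
    # Constructed new-day observations: one routine, two anomalous.
    for user, obs in [("alice", (10, 3, 44)),    # within baseline
                      ("bob", (5, 6, 5)),        # five new hosts in a day
                      ("alice", (10, 2, 400))]:  # ten-fold upload volume
        level, alert = evaluate(profiles, user, obs)
        print(user, obs, level, alert)
```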
Zero-day attacks and ransomware are two big security threats that have caused enormous damage to enterprises in recent years. Financial losses reach millions because it is not just the cost of the ransom but many other associated costs. In order to protect an organization's network from these attacks, many Next-Gen security solutions are using a variety of emerging approaches and technologies, mostly relying on some form of advanced analytics to monitor network behavior and stop unusual events.
V. THE SIGNIFICANCE OF UEBA APPROACH
Solutions based on behavior analytics maintain a database of system objects and also store the system's normal and abnormal behavior, an approach called anomaly detection. Anomaly detection attempts to determine whether a data pattern does not conform to expected normal behavior. A straightforward approach, therefore, is to define what is considered normal behavior and to flag any observation in the data which is not normal behavior as an anomaly [10]. Many techniques have been developed in recent years for spotting outliers and anomalies [11]. Soft-computing and machine learning techniques are rigorously used to build autonomous anomaly detection.
Singh and Nene (2013) surveyed machine learning techniques for anomaly detection. Pattern matching, string matching, machine learning techniques and hardware computation power are used to provide strong security against numerous attacks [12]. "It is important to design big data-driven cybersecurity solutions that effectively and efficiently derive actionable intelligence from available heterogeneous sources of information using principled data analytic methods" to mitigate cyber threats [13]. The authors further add that the data analytics need to integrate various advanced machine learning algorithms and human-driven knowledge for iterative aggregated learning. Given the need to analyze huge amounts of collected data in real time, a scalable data processing supporting structure is required to handle big data with low latency.
Tools based on data science and machine learning can help organizations quickly detect malicious activity and act according to the inherent risk presented by potential rogue elements. Monitoring critical performance characteristics, such as network activity and the computer's processor, is achievable using analytical methods. Furthermore, analytics are used to spot abnormal behavior of users, entities and applications inside the organization; this is done by establishing a normal baseline behavior over a period of time, then drawing a behavioral model and comparing the registered real-time activity against this model to flag abnormal behavior [6].
According to the Ernst & Young Analytics Survey (2016), successful and secure organizations are harnessing more sophisticated analytics tools and data visualization to identify patterns and trends of rogue activities [14]. The survey found that, in order to enhance information security and reduce vulnerability, firms are implementing close observation systems corroborated by powerful data analytics to arrange the various data units and manage growing regulatory compliance. In order to keep continuous control of firm activity, communications, and critical infrastructure, IT security leaders are investing in programs that pattern and observe behavioral models.
Companies have transitioned from reactive surveillance activities to proactive surveillance, where user behavioral analytics capabilities are used as the basis for identifying user behavior patterns and anomalies.
With thousands of integrated analytical capabilities and
algorithms for natural language processing, pattern
discovery/detection, and ongoing surveillance, behavior-
based analytics solutions can automatically alert organizations
to potential policy breaches and significant negative trends or
events. Because of its perpetual machine learning capability,
behavior analytics understands which activities commonly
occur in any particular scenario, flagging for human attention
objects or behaviors that are out of the ordinary.
Commenting on the ranking of top information security technologies released at a security conference by Gartner Inc., Leopold [15] argues that user and entity behavioral analytics (UEBA) is emerging as a leading information security technology for embattled IT managers. Releasing its list of top information security technologies, Gartner [16] argues that UEBA is becoming known as a most influential information security technology for IT security leaders, and that UEBA provides analytics centered not only on user behavior but also on other entities (endpoints, networks, and applications). This correlation of analyses covering several entities ensures more accurate results and more effective threat detection.
Gartner recommends using UEBA (User Entity Behavior Analytics) coupled with SIEM (Security Information & Event Management) along with EDR (Endpoint Detection and Response). Since UEBA products typically need a data source, and SIEM products are commonly the central aggregation point for an organization's security logs, these tools complement each other. It can almost be a two-way street, in the sense that the SIEM forwards applicable log events to the UEBA for user profiling, while the UEBA tool generates alerts that can be sent into the SIEM tool for enrichment with events from other sources, in turn presenting the alert to a security analyst for triage. Also, a SIEM solution in place with the necessary data makes the UEBA deployment far easier, as data collection becomes straightforward. This is the reason that we have recently seen some UEBA vendors building their own SIEM solutions and competing in that market as well. Artificial Intelligence (AI), Machine Learning (ML), neural networks, deep neural networks, Hidden Markov Models (HMM), and Support Vector Machines (SVM) only define the inner workings of solutions based on UEBA.
This research is limited to contrasting select UEBA technologies derived from use cases and capabilities, and points out common usage scenarios and tool evaluation processes.
VI. UEBA DRAWBACKS
The negative side of applying machine learning in UEBA is the same set of drawbacks that any machine learning brings. Machine learning has limitations in dealing with privileged users, developers, and knowledgeable insiders. Those users represent a unique situation because their job functions often require irregular behaviors. This causes difficulties for the statistical analysis that creates the algorithms' baseline. Another drawback is that UEBA cannot indicate long-term, sophisticated "low and slow" attacks, because they do not have a day-to-day impact and become as if non-existent.
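As an added example (not the paper's code; all daily figures are constructed), the script below reproduces both drawbacks with the usual per-day deviation rule: a wide baseline for a privileged administrator absorbs a transfer volume that is flagged for an ordinary user, and a small daily excess never crosses the per-day threshold. Going one step beyond the text, it also shows one assumed mitigation for the second drawback: scoring the sum over a multi-day window against equally long windows of the baseline.

```python
"""Two UEBA baseline limitations and one mitigation, as an added example.

Not the paper's or any vendor's code; all daily figures are constructed.
"""
from statistics import mean, pstdev


def zscore(baseline, value, sigma_floor=0.5):
    """Degree of deviation of one value from a baseline of past values."""
    return abs(value - mean(baseline)) / max(pstdev(baseline), sigma_floor)


# Constructed MB-transferred-per-day baselines.
# A privileged admin whose duties legitimately swing between tiny and huge
# transfers (backups, image deployments) has a very wide baseline.
ADMIN_BASELINE = [5, 800, 20, 1200, 60, 950, 15, 1100, 40, 700]
# An ordinary user with a steady 40-48 MB per day over 20 days.
USER_BASELINE = [42, 45, 40, 48, 44, 46, 43, 47, 41, 45,
                 44, 43, 46, 42, 47, 45, 41, 44, 48, 43]


def per_day_flags(baseline, daily_values, threshold=2.5):
    """The usual UEBA rule: score each new day on its own against the baseline."""
    return [zscore(baseline, v) >= threshold for v in daily_values]


def windowed_flag(baseline, daily_values, threshold=2.5):
    """Mitigation for long-term drift: compare the sum over the whole
    observation window with the distribution of equally long sums taken from
    the baseline, so small daily excesses accumulate into a visible deviation."""
    n = len(daily_values)
    window_sums = [sum(baseline[i:i + n]) for i in range(len(baseline) - n + 1)]
    if len(window_sums) < 2:
        raise ValueError("baseline too short for a window of %d days" % n)
    return zscore(window_sums, sum(daily_values)) >= threshold


if __name__ == "__main__":
    # Drawback 1: the same 1500 MB day is flagged for the ordinary user but
    # hides inside the admin's wide baseline.
    print("admin 1500 MB:", per_day_flags(ADMIN_BASELINE, [1500]))
    print("user  1500 MB:", per_day_flags(USER_BASELINE, [1500]))
    # Drawback 2: ten days at 48 MB never trip the per-day rule ...
    slow = [48] * 10
    print("user slow per-day:", per_day_flags(USER_BASELINE, slow))
    # ... but the windowed comparison sees the accumulated excess.
    print("user slow windowed:", windowed_flag(USER_BASELINE, slow))
```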
VII. DISCUSSION
Zero-day attacks and ransomware are two big security threats that have caused enormous damage to enterprises in recent years. Financial losses reach millions because it is not just the cost of the ransom but many other associated costs. In order to protect an organization's network from these attacks, many Next-Gen security solutions are using a variety of emerging approaches and technologies, mostly relying on some form of advanced analytics to monitor network behavior and stop unusual events.
Protection in all these solutions is not created equal. Some solutions simply are not as effective at stopping an attack, and users are indecisive about which solution is best for them. This study will try to deliver powerful insights into the prevalent security issues facing organizations today, by evaluating the strengths and weaknesses of the UEBA approach, identifying a typical model of UEBA with comprehensive detection features, and identifying a UEBA solution that will provide the most reliable protection.
VIII. CONCLUSION
UEBA employs machine learning to build profiles/models of the behavior of users and entities over a period of time; by applying security analytics, UEBA can detect behavioral anomalies and threats in a computer network environment. It detects security-related anomalies and threats in both real-time and batch paths/modes. UEBA provides a visual presentation of the analytical results that shows the risk rank with the supporting evidence; this visual presentation enables network security administrators to respond and take action on a detected anomaly or threat immediately. This paper provides an overview of signature-based approaches and their limitations. It then expands the overview to UEBA and the related research work, and describes the basic characteristics of UEBA design which are common to all UEBA tools. The paper then evaluates and presents both the significance and the drawbacks of the UEBA approach. The researchers will enhance the understanding of the UEBA approach by contrasting top UEBA technologies and validating them using real-world datasets.
REFERENCES
[1] G. Young, "How to Respond to the 2018 Threat Landscape," 2017. [Online]. Available: https://www.gartner.com/. [Accessed 6 June 2018].
[2] M. Convertino, "Why Your Security Budget May Be Focused On The Wrong Threats," 2017. [Online]. Available: https://www.forbes.com. [Accessed 6 June 2018].
[3] Verizon, "Data Breach Investigations Report," Verizon, 2018.
[4] Verizon, "Data Breach Investigations Report," Verizon, 2017.
[5] A. Litan, "Forecast Snapshot: User and Entity Behavior Analytics, Worldwide," 2017.
[6] B. Filkins, "The Expanding Role of Data Analytics in Threat Detection," SANS Institute, Swansea, UK, 2015.
[7] S. Muddu and C. Tryfonas, "Network security threat detection by user/user-entity behavioral analysis," 15 August 2015. [Online]. Available: https://patents.google.com/patent/US9516053B1/en. [Accessed 7 June 2018].
[8] K. Richards, "User behavior analytics leads the security analytics charge," 2018.
[9] W. Gao, "Constructing user behavioral profiles using data-mining-based approach," ProQuest Dissertations Publishing, Ann Arbor, MI, 2015.
[10] Bhuyan, Bhattacharyya and Kalita, "Network Anomaly Detection: Methods, Systems and Tools," IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 303-336, 2014.
[11] L. Akoglu, H. Tong and D. Koutra, "Graph based anomaly detection and description: A survey," Data Mining and Knowledge Discovery, vol. 29, no. 3, pp. 626-688, 2015.
[12] J. Singh and M. Nene, "A Survey on Machine Learning Techniques for Intrusion Detection Systems," International Journal of Advanced Research in Computer and Communication Engineering, vol. 2, no. 11, pp. 4349–4355, 2013.
[13] Y. Dang, B. Wang, R. Brant, Z. Zhang, M. Alqallaf and Z. Wu, "Anomaly detection for data streams in large-scale distributed heterogeneous computing environments," in 121-XVII., 2017.
[14] Ernst & Young, "EY's Global Forensic Data Analytics Survey: Shifting into high gear: mitigating risks and demonstrating returns," 2016. [Online]. Available: http://www.ey.com/Publication/vwLUAssets/ey-global-fda-survey-2016/$FILE/ey-global-fda-survey-2016.pdf. [Accessed 8 June 2018].
[15] G. Leopold, "Gartner: Role of Analytics in Security is Growing," 2016. [Online]. Available: https://www.datanami.com/2016/06/15/gartner-role-analytics-security-growing. [Accessed 7 June 2018].
[16] K. Panetta, "Gartner Top Technologies for Security in 2017," Gartner.com, 2018. [Online]. Available: https://www.gartner.com/smarterwithgartner/gartner-top-technologies-for-security-in-2017/. [Accessed 22 Sep 2018].