Conference Paper

Role of User and Entity Behavior Analytics in Detecting Insider Attacks


... The strong integration of user and entity behavioral analytics (UEBA) with endpoint monitoring, detection, and response is one way to find insider and undiscovered security risks [13]. This is where behavioral analytics, which combines artificial intelligence, machine learning, big data, and data analytics, comes into play. ...
... Gartner is the most widely utilized cybersecurity procedure for detecting insider risks, targeted assaults, and financial fraud. User and entity behavioral analytics (UEBA) uses advanced data analytics to study user activity on networks and other systems to detect suspicious actions [13]. It involves behavioral analysis of things other than users, such as routers, servers, and endpoints. ...
... These can be used to detect security threats such as malicious insiders and privileged account compromise that standard security technologies cannot detect [14]. Because it can evaluate behavior across various individuals, IT devices, and IP addresses, UEBA is far more potent in detecting complex attacks [13]. When the activity score reaches a certain risk threshold, an alert is sent out to the security team. ...
Chapter
Full-text available
Technological advancements such as the Internet of Things, mobile technology, and cloud computing are embraced by organizations, individuals, and society. The world is becoming more reliant on open networks, which fosters global communication and cloud technologies like Amazon Web Services to store sensitive data and personal information. This changes the danger landscape and opens new opportunities. As the number of people who use the Internet grows, so does the number of cyber risks and data security challenges that hackers pose. A cybersecurity threat is an action that aims to destroy or damage data, steal data, or otherwise disrupt digital life. Computer viruses, data breaches, and Denial of Service (DoS) assaults are all examples of cyber dangers. We'd be witnessing a notion of scanning enormous volumes of data across the internet if we described how AI systems might discover where hacks came from and recommend solutions to decision-makers within the corporation.
Keywords: Artificial intelligence, Machine learning, UEBA, Cybersecurity threats, Vulnerability, Machine learning, Security
... This is particularly important for SMEs where the number of SOC personnel is extremely small or even outsourced (therefore, a lower alarm rate results in reduced SOC costs for SMEs). Detailed information about UEBA and its importance can be found in [15] or [24]. Unfortunately, there is only a very limited number of UEBA methods in the open-source community (e.g. [25]), as stated in [15]. ...
... Detailed information about UEBA and its importance can be found in [15] or [24]. Unfortunately, there is only a very limited number of UEBA methods in the open-source community (e.g. [25]), as stated in [15]. Our proposed architecture, including the detection algorithm which also leverages UEBA concepts, is based on open-source components and is thus a step to fill the gap. ...
Article
Full-text available
Dramatic increases in the number of cyber security attacks and breaches toward businesses and organizations have been experienced in recent years. The negative impacts of these breaches not only cause the stealing and compromising of sensitive information, malfunctioning of network devices, disruption of everyday operations, and financial damage to the attacked business or organization itself, but may also navigate to peer businesses/organizations in the same industry. Therefore, prevention and early detection of these attacks play a significant role in the continuity of operations in IT-dependent organizations. At the same time, detection of various types of attacks has become extremely difficult as attacks get more sophisticated, distributed and enabled by Artificial Intelligence (AI). Detection and handling of these attacks require sophisticated intrusion detection systems which run on powerful hardware and are administered by highly experienced security staff. Yet, these resources are costly to employ, especially for small and medium-sized enterprises (SMEs). To address these issues, we developed an architecture (within the GLACIER project) that can be realized as an in-house operated Security Information Event Management (SIEM) system for SMEs. It is affordable for SMEs as it is solely based on free and open-source components and thus does not require any licensing fees. Moreover, it is a Self-Contained System (SCS) and does not require too much management effort. It requires short configuration and learning phases after which it can be self-contained as long as the monitored infrastructure is stable (apart from a reaction to the generated alerts, which may be outsourced to a service provider in SMEs, if necessary). Another main benefit of this system is to supply data to advanced detection algorithms, such as multidimensional analysis algorithms, in addition to traditional SIEM-specific tasks like data collection, normalization, enrichment, and storage. It supports the application of novel methods to detect security-related anomalies. The most distinct feature of this system that differentiates it from similar solutions in the market is its user feedback capability. Detected anomalies are displayed in a Graphical User Interface (GUI) to the security staff, who are allowed to give feedback for anomalies. Subsequently, this feedback is utilized to fine-tune the anomaly detection algorithm. In addition, this GUI also provides access to network actors for quick incident responses. The system in general is suitable for both Information Technology (IT) and Operational Technology (OT) environments, while the detection algorithm must be specifically trained for each of these environments individually.
... On this basis, Suznjevic et al. [8] adopted decision trees to analyze the network traffic and improve the classification accuracy. S. Khaliq et al. [17] collected and analyzed the user's operation logs (such as system logs, application logs, etc.) to obtain ongoing user activities. Junfeng Qi and Yao Y [18,19] used sense text reading to extract the text information from the video. ...
Article
Full-text available
Cloud platforms allow administrators or management applications with privileged accounts to remotely perform privileged operations for specific tasks, such as deleting virtual hosts. When privileged accounts are leaked and used to conduct dangerous privileged operations, severe security problems will appear on cloud platforms. To solve these problems, researchers focus on auditing privileged users' behaviors. However, it is difficult to automatically audit fine-grained privileged behaviors for graphical operating systems. Moreover, it is hard to prevent users from bypassing the audit system or to prevent hackers from attacking the audit system. In this paper, we propose a Secure and Automatic Behavior Audit system named SA-UBA. It provides advanced deep learning models to automatically achieve fine-grained user behavior audits for graphical operating systems. Furthermore, it adopts cryptography-based account storage and sharing methods to securely manage privileged accounts. In particular, privileged accounts cannot be leaked even if SA-UBA is compromised by attackers. We built a threat model of a cloud platform to evaluate the security of SA-UBA and conducted extensive experiments with SA-UBA in real scenarios. The results show SA-UBA introduces a small overhead on securely managing privileged accounts and accurately recognizes fine-grained user behaviors.
... This realization led to advanced monitoring techniques such as User and Entity Behavior Analytics (UEBA), which seek to detect deviations in user activity that may signal malicious intent (Khaliq et al., 2020). Real data are crucial to use in the identification and prevention of cyber malicious activities (Rich & Aiken, 2024). ...
Article
Full-text available
Insider cybersecurity threats in healthcare, often overlooked or narrowly defined as technical vulnerabilities, can be more accurately described as acts of organizational arson, representing deliberate, malicious acts designed to ignite chaos within digital ecosystems. Like physical arsonists who destroy property through fire, insider actors exploit their privileged access to organizational systems, causing financial devastation, operational disruption, and severe damage to organizational morale and stability. Insider incidents cost organizations millions annually, with cybersecurity teams dedicating significant time and resources to crisis management rather than strategic planning. This commentary-style paper reframes insider cybersecurity threats using the metaphor of organizational arsonists, offering a unique and powerful framework for understanding these complex risks. By integrating cybersecurity, law, and organizational psychology insights, the paper presents a comprehensive approach to mitigating insider threats that extend beyond technical defenses. It emphasizes the necessity of human-centric strategies, ethical accountability, and legal compliance, calling for organizations to adopt a holistic defense posture that addresses both technological vulnerabilities and behavioral risks. The paper's originality lies in bridging multiple disciplines and framing insider threats as technical challenges and full-scale organizational crises. Combining advanced technologies such as artificial intelligence with human behavior analysis provides actionable strategies for organizations to combat their own digital arsonists. This interdisciplinary approach encourages cybersecurity professionals, legal scholars, and organizational leaders to rethink insider threat management, creating a more resilient and secure organizational environment.
... The writers in [19] comprehended the various methods utilized in User and Entity Behavior Analytics (UEBA), such as role-based and user-based detection, mapping of user and entity activity, user profile methods, and individual risk score computations. They also emphasized the open source community's continued lack of progress in providing a comprehensive UEBA solution. ...
Article
Full-text available
Alongside the expansion of the digital economy, data centers have grown substantially in size and quantity. Data centers are becoming increasingly essential to the development of the economy and society. However, even a brief outage in a data center might have severely negative effects. Resolving this issue requires secure management of data centers' physical infrastructure. Defenses against different cyber threats are being developed for the Internet of Things (IoT) and Cyber Physical Systems (CPS). As malicious code becomes more prevalent, using cloud environments to find dangerous code might not be a viable approach in the future. Due to the growing inefficiency of traditional perimeter-based security models in today's cloud-centric and remote work contexts, we employed integrated deep learning techniques for cloud data security in this article. According to risk profiles and real-time behavior, the suggested Zero-Trust security framework continuously evaluates and modifies the trust levels for users, devices, and applications. Using an integrated framework, we employed User and Entity Behavior Analytics (UEBA), Risk Scoring, and Adaptive Authentication approaches. This enabled us to reach an accuracy of 85–90% in all areas of data security when compared to the conventional methods.
... Toyota Motor Company announced that around 260,000 customers' data were revealed online due to cloud environment misconfiguration. While it did not suffer any damage internally, the company's reputation was questioned when it came to the protection of customer data [9]. With the problems presented, it has shown that weak cybersecurity systems always lead to potential damage to the organization's assets as well as their reputation to current and future clients and customers. ...
Article
User and Entity Behavior Analytics has been one of the key stepping stones towards protecting valuable data and information for organizations that decided to store their assets in cloud-based storage. The implications suggest that third-party software may not be as reliable, as it is prone to attacks due to its accessibility and vulnerable nature. This study aims to provide a comprehensive review that covers User and Entity Behavior Analytics (UEBA) and other machine learning techniques to effectively mitigate cyberattacks and protect organizational assets from cloud-based security threats. The objective is to identify and analyze anomalous user and entity behaviors that may indicate potential cyberattacks and provide recommendations for organizations to enhance their cloud security posture and minimize the risk of data breaches and other security incidents. The research covers some of the algorithms used in detecting anomalies, such as Isolation Forest, Deep Autoencoder, and Linear Regression, and emphasizes the adaptability of these chosen algorithms to the dynamic landscape of cyber threats, especially in cloud environments. By arriving at a cohesive integration of machine learning algorithms, this study advocates for a holistic approach that aligns with evolving security challenges. Ultimately, the significance lies in offering a nuanced perspective on effective cyber threat mitigation strategies, contributing to the broader conversation on securing organizational assets in the face of evolving cybersecurity landscapes.
... Financial institutions must invest in scalable data storage and processing solutions to handle the large volumes of data generated by user interactions. Moreover, continuous monitoring and updating of behavioral models are essential to adapt to changing user behaviors and evolving fraud tactics (Khaliq, Tariq, & Masood, 2020). ...
Article
Full-text available
In the digital era, financial institutions are increasingly vulnerable to sophisticated cyber threats, particularly e-channel fraud, which poses significant risks to financial stability, customer trust, and regulatory compliance. This paper explores the multifaceted nature of e-channel fraud, including its various forms such as phishing, malware, and account takeovers, and examines recent trends that highlight the evolving tactics of cybercriminals. The discussion extends to advanced cybersecurity strategies that financial institutions can deploy to combat these threats. These strategies encompass the adoption of cutting-edge technologies like artificial intelligence, machine learning, blockchain, and biometrics, which enhance fraud detection and secure transaction processes. Additionally, the paper emphasizes the importance of behavioral analytics and real-time monitoring systems in identifying and mitigating fraudulent activities. Organizational measures and best practices are also examined, underscoring the need for comprehensive cybersecurity policies, robust employee training and awareness programs, and active collaboration with other financial entities, regulatory bodies, and cybersecurity firms. By implementing these recommendations, financial institutions can fortify their defenses against e-channel fraud, ensuring the integrity of their operations and maintaining customer confidence. Keywords: E-channel Fraud, Cybersecurity Strategies, Financial Institutions, Artificial Intelligence, Behavioral Analytics.
... Businesses need monitoring and threat detection tools to detect anomalous behavior, preventing insider risks. User and Entity Behavior Analytics (UEBA) services can assist companies to spot any patterns in user behavior and take early action on suspicious activities [15]. Further, organizations should promote a security culture of responsibility and alertness to encourage good employee behavior. ...
Article
Full-text available
The COVID-19 pandemic triggered a fundamental shift to remote work, as it forced companies across the world to migrate to a new virtual environment. This change has created a massive cybersecurity challenge, as employees can connect to the corporate network and view sensitive information across different locations and devices. This paper describes the rise of remote work and the special security threats this brings: an increased attack surface, phishing, and an increased threat from insiders. It also highlights the need for a security-focused culture among remote employees. In order to offset these risks, the paper presents some extensive ways of securing distributed workforces. Some of the key recommendations are: deploying Zero Trust Architecture to always verify users and devices, using endpoint security with the help of monitoring products, and holding regular security awareness trainings to make sure staff know how to recognize a threat. It also recommends policies for remote work and safe communication mechanisms as vital for secure data collection. Organizations can effectively secure digital assets during this new virtual workforce era through the multi-layered security model and a cautious culture. This paper will further present practical guidance and models for companies to better prepare their cybersecurity defenses and protect business integrity in a distributed workforce.
... In addition to fortifying technical defenses, this required the implementation of advanced behavioral analytics capable of identifying irregularities in user behavior that may serve as indicators of malicious intent. As a result of cybersecurity's development into a field that is equally concerned with behavior and psychology as it is with bits and bytes, end user and entity behavior analytics (UEBA) (Khaliq et al., 2020), and implementation of the principle of least privilege in access management. ...
Article
Full-text available
This qualitative study, a systematic literature review (drawing on literature primarily published within the last five years), addresses a comprehensive approach to a crucial but often overlooked aspect of cybersecurity: the human factors underlying insider threats. Attention is focused on the so-called "organizational arsonists": individuals who willfully seek to adversely impact the organization by inducing anarchy aligned with their own motivations, insiders who purposefully damage their companies using digital methods, someone intentionally causing mayhem within a company, which can be criminal in cyber environments. The purpose of the research is to identify how cybersecurity leadership can effectively detect and mitigate the risks associated with insiders, particularly those exhibiting arsonist-like behaviors. The review uncovered that organizational arsonists can escalate cybersecurity risks substantially, with insider incidents costing organizations an average of $16.2 million per incident. These incidents now represent a persistent challenge, increasing in frequency by 68% over the past year according to the 2022 Insider Threat Report. The findings highlight the necessity of leadership strategies that preemptively recognize and neutralize potential insider threats to improve organizational resilience and security posture. This approach not only informs current cybersecurity practices but also aids in the development of targeted policies and refined regulatory measures. By integrating insights from psychology, criminology, and cybersecurity, the study provides a comprehensive understanding of the human elements influencing insider threats, essential for enhancing both academic knowledge and practical applications in risk management. The results showed a parallel between the motivations of arsonists who set physical fires and the characteristics and motivations of insider threats who exploit organizational vulnerabilities. The impact of this research can be helpful in assisting cybersecurity professionals, leaders who strategize against cyber threats, and risk managers and analysts who understand and mitigate human factors and insider threats. Leaders and executives may use these insights to improve security resource allocation and culture. Policymakers and regulators may use the study's results to create more nuanced cybersecurity legislation, while academics and students in related disciplines can use it for future research.
... Research has also shown that machine learning and artificial intelligence benefit organizations by providing automated security operations limited to human error and workload for the security teams [9]. The security systems used in artificial intelligence and machine learning can automatically recognize and prioritize security incidents, take corrective actions, and send notifications with one expert or none. ...
Article
Full-text available
This research article explores the influence of leveraging machine learning algorithms (ML) and artificial intelligence (AI) in the early detection and mitigation of cyber attacks. With the rise of cybercriminal activities, traditional cybersecurity measures have proven inadequate. This study reviews the various AI and ML techniques, such as anomaly and cyber intelligence, which can be used in detecting cyberattacks before they occur. A case study on IBM security illustrates the practical implications and outcome of implementing machine learning and artificial intelligence in cybersecurity.
... The modern SOC leverages a plethora of advanced technologies, many of which are AI enabled, to enhance its capabilities in detecting, analysing, and responding to cyber threats. These technologies include (i) Security Information and Event Management (SIEM) systems [23], which collect, correlate, and analyse security event data from diverse sources in real time; (ii) Security Orchestration, Automation, and Response (SOAR) platforms [6], which automate and streamline security processes, facilitating efficient incident response and workflow management, (iii) Endpoint Detection and Response (EDR) solutions [25], which are deployed to detect and respond to advanced threats targeting endpoints; (iv) Extended Detection and Response (XDR) platforms [4], which integrate multiple security controls and use advanced analytics to detect threats across the organisation's infrastructure; and (v) User and Entity Behaviour Analytics (UEBA) solutions [32], which serve to identify anomalous behaviour and detect insider threats. These technologies empower the SOC to effectively monitor, detect, and respond to cyber threats, strengthening an organisation's overall cybersecurity posture. ...
Article
Security Operations Centres (SOCs) play a pivotal role in defending organisations against evolving cyber threats. They function as central hubs for detecting, analysing, and responding promptly to cyber incidents with the primary objective of ensuring the confidentiality, integrity, and availability of digital assets. However, they struggle against the growing problem of alert fatigue, where the sheer volume of alerts overwhelms SOC analysts and raises the risk of overlooking critical threats. In recent times, there has been a growing call for human-AI teaming, wherein humans and AI collaborate with each other, leveraging their complementary strengths and compensating for their weaknesses. The rapid advances in AI and the growing integration of AI-enabled tools and technologies within SOCs give rise to a compelling argument for the implementation of human-AI teaming within the SOC environment. Therefore, in this position paper, we present our vision for human-AI teaming to address the problem of alert fatigue in SOC. We propose the $\mathcal{A}^2\mathcal{C}$ Framework, which enables flexible and dynamic decision-making by allowing seamless transitions between automated, augmented, and collaborative modes of operation. Our framework allows AI-powered automation for routine alerts, AI-driven augmentation for expedited expert decision-making, and collaborative exploration for tackling complex, novel threats. By implementing and operationalising $\mathcal{A}^2\mathcal{C}$, SOCs can significantly reduce alert fatigue while empowering analysts to efficiently and effectively respond to security incidents.
... In this regard, the User and Entity Behavior Analytics (UEBA) engine aims to analyze the behavior of employees, third-party contractors, and collaborators of the organization to detect misbehavior in user activities (González-Granadillo et al., 2021). To achieve this purpose, UEBA typically employs ML algorithms trained on data collected from various sources, such as system logs, application logs, network devices, and network traffic (Khaliq et al., 2020). This engine represents a crucial component because legitimate users have greater privileged rights and authorized access to intranet resources than outsiders; therefore, these privileges can pose a potentially high risk to the intranet if used in an unusual manner (Salitin and Zolait, 2018). ...
Article
Full-text available
Introduction: Government agencies are now encouraging industries to enhance their security systems to detect and respond proactively to cybersecurity incidents. Consequently, equipping with a security operation center that combines the analytical capabilities of human experts with systems based on Machine Learning (ML) plays a critical role. In this setting, Security Information and Event Management (SIEM) platforms can effectively handle network-related events to trigger cybersecurity alerts. Furthermore, a SIEM may include a User and Entity Behavior Analytics (UEBA) engine that examines the behavior of both users and devices, or entities, within a corporate network.
Methods: In recent literature, several contributions have employed ML algorithms for UEBA, especially those based on the unsupervised learning paradigm, because anomalous behaviors are usually not known in advance. However, to shorten the gap between research advances and practice, it is necessary to comprehensively analyze the effectiveness of these methodologies. This paper proposes a thorough investigation of traditional and emerging clustering algorithms for UEBA, considering multiple application contexts, i.e., different user-entity interaction scenarios.
Results and discussion: Our study involves three datasets sourced from the existing literature and fifteen clustering algorithms. Among the compared techniques, HDBSCAN and DenMune showed promising performance on the state-of-the-art CERT behavior-related dataset, producing groups with a density very close to the number of users.
... Data on the five different classes of network connection vectors, which are divided into one normal class and four attack classes, are contained in the 42nd attribute. The four attack types are further divided into DoS, Probe, R2L, and U2R categories [16]. They are: ...
Chapter
The field of network security has gained paramount importance in response to the ever-growing advancements in internet and communication technologies. With the aim of safeguarding the integrity of networks and their components in the digital realm, a suite of tools including firewalls, antivirus software, and intrusion detection systems (IDS) has been deployed. Among these, network-based intrusion detection systems (NIDS) hold a pivotal role by continuously monitoring network traffic for any signs of malicious or suspicious activities. However, the relentless pace of technological progress in the past decade has led to the expansion of larger, more complex networks supporting a multitude of applications, thereby creating significant challenges in maintaining data and network node security. The existing IDSs have revealed their limitations in detecting various forms of attacks, including zero-day attacks, and in mitigating false alarm rates (FAR). Consequently, the demand for cost-effective, precise, and efficient NIDS solutions is on the rise to fortify network security.
... Apart from external attacks, UEBA is also used for detecting insider threats and attacks. Having set a baseline user profile, anomalous activity can be detected by calculating the deviations from the normal behaviour [9]. In addition, by combining UEBA with data visualization or Long Short-Term Memory (LSTM) neural networks, the use cases can expand to ransomware detection [10] and anomaly detection [11]. ...
Preprint
Full-text available
As digital technologies become more pervasive in society and the economy, cybersecurity incidents become more frequent and impactful. According to the NIS and NIS2 Directives, EU Member States and their Operators of Essential Services must establish a minimum baseline set of cybersecurity capabilities and engage in cross-border coordination and cooperation. However, this is only a small step towards European cyber resilience. In this landscape, preparedness, shared situational awareness, and coordinated incident response are essential for effective cyber crisis management and resilience. Motivated by the above, this paper presents PHOENI2X, an EU-funded project aiming to design, develop, and deliver a Cyber Resilience Framework providing Artificial-Intelligence-assisted orchestration, automation and response capabilities for business continuity and recovery, incident response, and information exchange, tailored to the needs of Operators of Essential Services and the EU Member State authorities entrusted with cybersecurity.
Preprint
Insider threats (InTs) within organizations are small in number but have a disproportionate ability to damage systems, information, and infrastructure. Existing InT research studies the problem from psychological, technical, and educational perspectives. Proposed theories include research on psychological indicators, machine learning, user behavioral log analysis, and educational methods to teach employees recognition and mitigation techniques. Because InTs are a human problem, training methods that address InT detection from a behavioral perspective are critical. While numerous technological and psychological theories exist on detection, prevention, and mitigation, few training methods prioritize psychological indicators. This literature review studied peer-reviewed, InT research organized by subtopic and extracted critical theories from psychological, technical, and educational disciplines. In doing so, this is the first study to comprehensively organize research across all three approaches in a manner which properly informs the development of an InT education platform.
Article
Full-text available
Businesses are experiencing an ever-growing problem of how to identify and guard against insider threats. Users with legal access to sensitive organizational data are positioned in a role of power that can be abused and could do harm to an enterprise. This can range from monetary and intellectual property theft to the destruction of assets and enterprise reputation. Traditional intrusion detection structures are neither designed nor able to figure out those who act maliciously inside a business enterprise. In this paper, we describe an automated system capable of detecting insider threats within an enterprise. We outline a tree-shaped profiling technique that includes the information on activities conducted by each user and every task, after which we use this to obtain a consistent representation of functions that provide a rich description of the user's behavior. The deviation may be assessed based on the amount of variance that each user exhibits across multiple attributes, compared against their peers. The primary function of User and Entity Behavior Analysis (UEBA) is to track normal user behaviors. UEBA defines a baseline for each entity in the environment, and actions will be evaluated by comparing them with pre-defined baselines.
Technical Report
Businesses are experiencing an ever-growing problem of how to identify and guard in opposition to insider threats. Users with legal access to sensitive organizational data are positioned in a role of power that can be abused and could do harm to an enterprise. This can range from monetary and intellectual property theft to the destruction of assets and enterprise reputation. Traditional intrusion detection structures are neither designed nor able to figure out those who act maliciously inside a business enterprise. In this paper, we describe an automated system capable of detecting insider threats within an enterprise. We outline a tree-shape profiling technique that includes the information on activities conducted by each user and every task, after which we use this to obtain a consistent representation of functions that provide a rich description of the user's behavior. The deviation may be assessed based on the amount of variance that each user exhibits across multiple attributes, compared in opposition to their peers. The primary function of User and Entity Behavior Analysis (UEBA) is to track normal user behaviors. UEBA defines a baseline for each entity in the environment, and actions will be evaluated by comparing with pre-defined baselines.
Chapter
Systems for monitoring cybersecurity are now crucial instruments for safeguarding digital assets and fending off numerous attacks. This chapter covers the various uses, challenges, and new developments of using surveillance systems in order to enhance cybersecurity. Discussion themes include threat detection, incident response, insider threat identification, and vulnerability management. The primary challenges—including data overload, false positives, privacy concerns, skill gaps, regulatory compliance, adaptive threats, and cultural acceptance—are also exhaustively examined. The report also covers recent advancements, such as the use of zero trust architectures, the development of behavioral analytics, and the blending of AI and ML technologies. By addressing these problems and implementing these trends, organizations can strengthen their entire cybersecurity posture.
Article
In this paper we consider the problem of defending against increasing data exfiltration threats in the domain of cybersecurity. We review existing work on exfiltration threats and corresponding countermeasures. We consider current problems and challenges that need to be addressed to provide a qualitatively better level of protection against data exfiltration. After considering the magnitude of the data exfiltration threat, we outline the objectives of this paper and the scope of the review. We then provide an extensive discussion of present methods of defending against data exfiltration. We note that current methodologies for defending against data exfiltration do not connect well with domain experts, both as sources of knowledge and as partners in decision-making. However, human interventions continue to be required in cybersecurity. Thus, cybersecurity applications are necessarily socio-technical systems which cannot be safely and efficiently operated without considering relevant human factors issues. We conclude with a call for approaches that can more effectively integrate human expertise into defense against data exfiltration.
Chapter
This chapter acquaints the reader with the terms and terminologies of cyber-attacks, cybersecurity, big data, data analytics, and related new age technologies, including deep learning. The types of cyber-attacks, how they become special and different within the big data analytic frameworks, a multi-layer framework for their detection, and the challenges therein are detailed next. Thereafter, an extensive review of some research works has been undertaken to provide an in-depth insight into the various cyber security detection systems using the new age technologies such as naive Bayesian networks in intrusion detection systems, deep learning in Android malware detection, and intelligent malware detection, etc. Conclusions have been drawn from these studies to establish that the emerging technologies, like artificial intelligence, machine learning, deep learning, and the Internet of Things, are the need of the hour to assist organizations in navigating the increasingly aggressive cyber threat landscape.
Conference Paper
Organizations are using advanced security solutions to protect their information resources. However, even with such high investments, traditional security approaches have failed to protect the network structure against state-of-the-art attacks. New proactive approaches to security are on the rise, such as User Entity Behavior Analytics (UEBA). UEBA is a type of cybersecurity process that uses machine learning, algorithms, and statistical analyses to detect real-time network attacks. This paper aims to assess the value and success of using behavior analytics in securing the network from not-before-seen attacks such as zero-day attacks. This paper uses a systematic literature review and a self-administered survey and interviews with convenience sampling of high-profile network users and top security vendors. Survey and interviews with various security experts are utilized to verify the matter-of-fact effectiveness of the solutions based on behavior analytics. While collecting the primary data via a survey, researchers will go for a structured interview with vendors who are selling solutions to understand the performance of behavior analytics-based solutions and the distinct features of their solutions. The results of the literature review, survey, interviews, and focus groups will be used to assess the value and success of using behavior analytics in securing the network from not-before-seen attacks such as zero-day attacks. The endeavor of this paper is to highlight the weaknesses and strengths of different UEBA solutions and their effectiveness for detecting network attacks in real-time interaction. This research contrasts the top fifteen UEBA technologies based on use cases and capabilities and highlights common usage scenarios. Based on the evidence, recommendations will be given.
Conference Paper
Detecting security threats from compromised accounts or malicious insiders by leveraging enterprise traffic logs is the goal of user behavior-based analytics. For its ease of interpretation, a common analytic indicator used in the industry for user behavior analytics is whether a user accesses a network entity, such as a machine or process, for the first time. While this popular indicator does correlate well with threat activities, it has the potential of generating volumes of false positives. This creates a problem for an analytic system of which the first-time access alerting capability is a part. We believe that the false positive rate from the indicator can be reduced by learning from users' historical entity access patterns and user context information. If the first-time access is expected, then its corresponding alert is suppressed. In this paper, we propose a user-to-entity prediction score which uses a recommender system for learning user data. In particular, we use factorization machines, along with necessary data normalization steps, to make predictions on real-world enterprise logs. We demonstrate this novel method is capable of reducing false positives of users' first-time entity access alerts in user behavior analytics applications.
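The suppression logic described in this abstract (raise a first-time-access alert only when the access is not expected from the user's history and context), as an added example that is not the paper's code. The paper learns the expectation with factorization machines; this example swaps in a much simpler "peer co-access" score, the fraction of the user's department peers who have already accessed the entity, so that it runs offline without a recommender library. The access log, user names, departments and entity names are constructed for the example.

```python
from collections import defaultdict

# Constructed historical access log: (user, department, entity). Not real data.
HISTORY = [
    ("alice", "eng", "build-server"),
    ("alice", "eng", "git"),
    ("bob",   "eng", "build-server"),
    ("bob",   "eng", "git"),
    ("carol", "eng", "git"),
    ("dave",  "finance", "erp"),
    ("erin",  "finance", "erp"),
    ("erin",  "finance", "payroll-db"),
]


def build_model(history):
    """Index the history so both questions can be answered cheaply:
    has this user touched this entity before, and how common is the
    entity among the user's peers (same department)?"""
    model = {
        "seen": defaultdict(set),          # user -> entities already accessed
        "dept_users": defaultdict(set),    # department -> users seen in it
        "entity_users": defaultdict(set),  # (department, entity) -> users who accessed it
    }
    for user, dept, entity in history:
        model["seen"][user].add(entity)
        model["dept_users"][dept].add(user)
        model["entity_users"][(dept, entity)].add(user)
    return model


def peer_access_score(model, user, dept, entity):
    """Fraction of the user's department peers (excluding the user) who have
    accessed the entity. Stand-in for the paper's learned prediction score.
    Returns 0.0 when the user has no peers, i.e. nothing is 'expected'."""
    peers = model["dept_users"].get(dept, set()) - {user}
    if not peers:
        return 0.0
    accessors = model["entity_users"].get((dept, entity), set()) - {user}
    return len(accessors) / len(peers)


def evaluate_access(model, user, dept, entity, threshold=0.5):
    """Decide whether a new access event should raise a first-time-access alert.
    The department is passed as the user's context so that a user with no
    history at all (a new hire) is still scored against peers."""
    first_access = entity not in model["seen"].get(user, set())
    if not first_access:
        return {"user": user, "entity": entity, "first_access": False,
                "peer_score": None, "alert": False}
    score = peer_access_score(model, user, dept, entity)
    # Expected accesses (score at or above threshold) are suppressed, as in the paper.
    return {"user": user, "entity": entity, "first_access": True,
            "peer_score": score, "alert": score < threshold}


if __name__ == "__main__":
    model = build_model(HISTORY)
    # Constructed new events to evaluate against the history above.
    for user, dept, entity in [("carol", "eng", "build-server"),
                               ("alice", "eng", "payroll-db"),
                               ("frank", "eng", "git")]:
        print(evaluate_access(model, user, dept, entity))
```

Note that with a single peer the score is either 0.0 or 1.0, so the threshold does little; the paper's recommender approach exists precisely because a simple peer count is too coarse on real enterprise data.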
Conference Paper
With the ever-growing volume of cyber-attacks on organizations, security analysts require effective visual interfaces and interaction techniques to detect security breaches and, equally importantly, to efficiently share threat information. To support this need, we present a tool called "User Behavior Analytics" (UBA) that conducts continuous analysis of individuals' usage of their organizational IT networks, and effectively visualizes the associated security exposures of the organization. The UBA tool was developed as an extension of IBM's security analytics environment, and incorporates a risk-focused dashboard that highlights anomalous user behaviors and the aggregated risk levels associated with individual users, user groups, and overall system security state. Moreover, the tool's dashboard has been designed to facilitate rapid review of security incidents and correlate them with data from various sources such as user directory and HR systems. In doing so, the tool presents busy security analysts with an effective means to visually identify and respond to cyber threats on the organization's crown jewels.
Article
Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Those who have authorized access to sensitive organizational data are placed in a position of power that could well be abused and could cause significant damage to an organization. This could range from financial theft and intellectual property theft to the destruction of property and business reputation. Traditional intrusion detection systems are neither designed nor capable of identifying those who act maliciously within an organization. In this paper, we describe an automated system that is capable of detecting insider threats within an organization. We define a tree-structure profiling approach that incorporates the details of activities conducted by each user and each job role and then use this to obtain a consistent representation of features that provide a rich description of the user's behavior. Deviation can be assessed based on the amount of variance that each user exhibits across multiple attributes, compared against their peers. We have performed experimentation using ten synthetic data-driven scenarios and found that the system can identify anomalous behavior that may be indicative of a potential threat. We also show how our detection system can be combined with visual analytics tools to support further investigation by an analyst.
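The peer-deviation idea in this abstract (profile each user across several attributes, then score how far each user's variance sits from peers in the same job role), as an added example that is not the paper's system. The paper builds tree-structured profiles; this example keeps a flat per-user feature vector and scores each feature as a z-score against the user's role peers (leave-one-out, so a user does not shrink their own deviation), averaging the absolute z-scores into one ranking score. The user names, roles, feature counts and the `MIN_STD` floor are constructed assumptions of the example.

```python
from statistics import mean, pstdev

# Constructed per-user activity counts for one observation window (not real data).
# user -> (job role, {feature: count}); the role is the peer group.
USERS = {
    "alice": ("engineer", {"logins": 40, "files_accessed": 120, "after_hours_logins": 2,  "usb_writes": 0}),
    "bob":   ("engineer", {"logins": 38, "files_accessed": 110, "after_hours_logins": 1,  "usb_writes": 0}),
    "carol": ("engineer", {"logins": 42, "files_accessed": 130, "after_hours_logins": 3,  "usb_writes": 1}),
    "dave":  ("engineer", {"logins": 41, "files_accessed": 900, "after_hours_logins": 15, "usb_writes": 12}),
    "erin":  ("hr",       {"logins": 30, "files_accessed": 60,  "after_hours_logins": 0,  "usb_writes": 0}),
    "frank": ("hr",       {"logins": 30, "files_accessed": 61,  "after_hours_logins": 0,  "usb_writes": 0}),
    "grace": ("hr",       {"logins": 31, "files_accessed": 59,  "after_hours_logins": 1,  "usb_writes": 0}),
}

# Floor on the peer standard deviation. Small, very uniform peer groups otherwise
# turn a one-event difference into a huge z-score. Assumed value for this example.
MIN_STD = 1.0


def peer_z_scores(user, users):
    """z-score of each of the user's features against peers in the same role.
    The user is excluded from the peer statistics (leave-one-out)."""
    role, feats = users[user]
    peers = [f for u, (r, f) in users.items() if r == role and u != user]
    z = {}
    for name, value in feats.items():
        peer_vals = [p[name] for p in peers]
        if not peer_vals:              # no peers: nothing to compare against
            z[name] = 0.0
            continue
        mu = mean(peer_vals)
        sigma = max(pstdev(peer_vals), MIN_STD)
        z[name] = (value - mu) / sigma
    return z


def deviation_score(user, users):
    """Single score per user: mean absolute z-score across all features.
    Mean (rather than max) rewards users who deviate on several attributes at once."""
    z = peer_z_scores(user, users)
    return sum(abs(v) for v in z.values()) / len(z) if z else 0.0


def rank_users(users):
    """Users ordered from most to least deviant, for analyst triage."""
    return sorted(((deviation_score(u, users), u) for u in users), reverse=True)


def flag_anomalies(users, threshold=3.0):
    """Users whose deviation score exceeds the threshold (assumed value)."""
    return sorted(u for u in users if deviation_score(u, users) > threshold)


if __name__ == "__main__":
    for score, user in rank_users(USERS):
        print(f"{user:6s} role={USERS[user][0]:9s} score={score:6.2f} "
              f"z={ {k: round(v, 2) for k, v in peer_z_scores(user, USERS).items()} }")
    print("flagged:", flag_anomalies(USERS))
```

The per-feature z-scores are worth keeping alongside the aggregate: they tell the analyst which attributes drove the score (here file volume and USB writes), which is the kind of detail the abstract's visual analytics follow-up is meant to surface.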
Conference Paper
SIEM (Software Information and Event Management) systems are becoming increasingly commonplace in scenarios as diverse as ICT environments or Critical infrastructures, providing the means to process and analyse multiple distributed sources of information and events, for auditing or security purposes. The main component of its architecture is the correlation engine, which is used to normalize, reduce, filter and aggregate events from a set of heterogeneous inputs. Other modules of SIEM systems include agents for data acquisition; reporting modules for event notification, and storage components for log and auditing purposes. From a cyber-security standpoint, correlators play a vital role in SIEM architectures, providing the means to infer security information from existing event sources such as security agents or services and device logs. In this perspective, correlator performance is a very relevant matter, as it needs to process large amounts of inputs, while having to provide fast results (i.e. security event notifications). Despite the existence of several correlation engines, there is a scarcity of published work comparing their characteristics and performance, a gap this paper addresses. This paper presents the concept of SIEM systems and correlation engines, providing a description of their architecture and functional characteristics, with a focus on some of the most popular open source rule-based correlation engines, such as the Simple Event Correlator (SEC), Esper, Nodebrain and Drools. It also provides a comparative performance evaluation of these correlation engines, based on experimental results.
Article
User behaviour analytics (UBA) systems offer sophisticated models that capture users' behaviour over time with an aim to identify fraudulent activities that do not match their profiles. Motivated by the challenges in the interpretation of UBA models, this paper presents a visual analytics approach to help analysts gain a comprehensive understanding of user behaviour at multiple levels, namely individual and group level. We take a user-centred approach to design a visual analytics framework supporting the analysis of collections of users and the numerous sessions of activities they conduct within digital applications. The framework is centred around the concept of hierarchical user profiles that are built based on features derived from sessions, as well as on user tasks extracted using a topic modelling approach to summarise and stratify user behaviour. We externalise a series of analysis goals and tasks, and evaluate our methods through use cases conducted with experts. We observe that with the aid of interactive visual hierarchical user profiles, analysts are able to conduct exploratory and investigative analysis effectively, and able to understand the characteristics of user behaviour to make informed decisions whilst evaluating suspicious users and activities.
Article
We present a scalable system for high-throughput real-time analysis of heterogeneous data streams. Our architecture enables incremental development of models for predictive analytics and anomaly detection as data arrives into the system. In contrast with batch data-processing systems, such as Hadoop, that can have high latency, our architecture allows for ingest and analysis of data on the fly, thereby detecting and responding to anomalous behavior in near real time. This timeliness is important for applications such as insider threat, financial fraud, and network intrusions. We demonstrate an application of this system to the problem of detecting insider threats, namely, the misuse of an organization’s resources by users of the system and present results of our experiments on a publicly available insider threat dataset.
Schulze. Insider Threat Report.
The CERT Division and ExactData LLC. Insider Threat Tools.
Lewis, J. and Baker, S. The Economic Impact of Cybercrime and Cyber Espionage.
Sadowski, G., Litan, A., Bussa, T. and Phillips, T. Market Guide for User and Entity Behavior Analytics.
Lin and Tang, Q. Reducing False Positives of User-to-Entity First-Access Alerts for User Behavior Analytics.