  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Machine Learning Based User Modeling for Enterprise Security and Privacy Risk Mitigation

Dutta, Preetam Kumar January 2019
Modern organizations are faced with a host of security concerns despite advances in security research. The challenges are diverse, ranging from malicious parties to vulnerable hardware. One particularly strong pain point for enterprises is the insider threat detection problem in which an internal employee, current or former, behaves against the interest of the company. Approaches designed to discourage and to prevent insiders are multifaceted, but efforts to detect malicious users typically involve a combination of an active monitoring infrastructure and a User Behavior Analytics (UBA) system, which applies Machine Learning (ML) algorithms to learn user behavior to identify abnormal behaviors indicative of a security violation. The principal problem with the aforementioned approach is the uncertainty regarding how to measure the functionality of an insider threat detection system. The difficulty of research in UBA technology hinges on sparse knowledge about the models utilized and insufficient data to effectively study the problem. Realistic ground truth data is next to impossible to acquire for open research. This dissertation tackles those challenges and asserts that predictive UBA models can be applied to simulate a wide range of user behaviors in situ and can be broadened to examine test regimes of deployed UBA technology (including evasive low and slow malicious behaviors) without disclosing private and sensitive information. Furthermore, the underlying technology presented in this thesis can increase data availability through a combination of generative adversarial networks, which create realistic yet fake data, and the system log files created by the technology itself.
Given the commercial viability of UBA technology, academic researchers are oft challenged with the inability to test on widely deployed, proprietary software and thus must rely on standard ML based approaches such as Gaussian Mixture Models (GMMs), Support Vector Machines (SVMs) and Bayesian Networks (BNs) to emulate UBA systems. We begin the dissertation with the introduction and implementation of CovTrain, the first neuron coverage guided training algorithm that improves robustness of Deep Learning (DL) systems. CovTrain is tested on a variety of massive, well-tested datasets and has outperformed standard DL models in terms of both loss and accuracy. We then use it to create an enhanced DL based UBA system used in our formal experimental studies. However, the challenges of measuring and testing a UBA system remain open problems in both academic and commercial communities. With those thoughts in mind, we next present the design, implementation and evaluation of the Bad User Behavior Analytics (BUBA) system, the first framework of its kind to test UBA systems through the iterative introduction of adversarial examples to a UBA system using simulated user bots. The framework's flexibility enables it to tackle an array of problems, including enterprise security at both the system and cloud storage levels. We test BUBA in a synthetic environment with UBA systems that employ state of the art ML models including an enhanced DL model trained using CovTrain and the live Columbia University network. The results show the ability to generate synthetic users that can successfully fool UBA systems at the boundaries. In particular, we find that adjusting the time horizon of a given attack can help it escape UBA detection and in live tests on the Columbia network that SSH attacks could be done without detection if the time parameter is carefully adjusted. We may consider this as an example of Adversarial ML, where temporal test data is modified to evade detection. 
We then consider a novel extension of BUBA to test cloud storage security in light of the observation that large enterprises are not actively monitoring their cloud storage, for which recent surveys have security personnel fearing that companies are moving to the cloud faster than they can secure it. We believe that there are opportunities to improve cloud storage security, especially given the increasing trend towards cloud utilization. BUBA is intended to reveal the potential security violations and highlight what security mechanisms are needed to prevent significant data loss. In spite of the advances, the development of BUBA underscores yet another difficulty for a researcher in big data analytics for security - a scarcity of data. Insider threat system development requires granular details about the behaviors of the individuals on its local ecosystem in order to discern anomalous patterns or behaviors. Deep Neural Networks (DNNs) have allowed researchers to discover patterns that were never before seen, but mandate large datasets. Thus, systematic data generation through techniques such as Generative Adversarial Networks (GANs) has become ubiquitous in the face of increased data needs for scientific research as was employed in part for BUBA. Through the first legal analysis of its kind, we test the legality of synthetic data for sharing given privacy requirements. An analysis of statutes through different lenses helps us determine that synthetic data may be the next, best step for research advancement. We conclude that realistic yet artificially generated data offers a tangible path forward for academic and broader research endeavors, but policy must meet technological advance before general adoption can take place.
2

User compliance with the organisation's information security policy: a deterrence theory study

Fachin, Dario January 2016
MCom Information Systems Research report 2015 / In today’s age of increasing cyber-attacks, with even national governments interests forming cyber warfare departments to defend their countries, there is no company globally which cannot be prepared for their critical infrastructure or information to be stolen, destroyed, manipulated or be made unavailable from various cyber-attacks. In most organisations, the user of the Information Systems is vital to ensuring that systems are protected by adhering to the Information Security Policy. Failure to comply with the Information Security Policy by end users exposes the company to the risk of the loss of sensitive information which could have major reputational, legal and financial impacts. The study followed a positivist research philosophy using a hypothetical model to test various hypotheses. Through the lens of deterrence theory, using a survey method to gather the information, the hypotheses are tested and analysed to further understand user compliance with an organisation’s Information Security Policy. The findings reveal that some elements of the deterrence theory are strong predictors to ensuring user compliance within a large global mining firm. The certainty of being caught for end users and the celerity of not adhering to the Information Security Policy are strong predictors to ensure user compliance. The awareness of severity for not complying with the Information Security Policy or the awareness of being monitored are reflected not to be strong predictors to ensure user compliance. The research is intended to further assist both academics and practitioners to further their understanding of user compliance to the Information Security Policy. / MT2017
3

The implementation of integrated security systems: case study of the industrial sector of Harare-Zimbabwe

Musonza, Dimax 02 1900
Text in English / Industrial sites in Harare contribute significantly to the economy of Zimbabwe. Harare is the capital city of Zimbabwe and therefore has significant manufacturing and commercial activity. The protection of industrial sites is very important because of the presence of valuable assets and operations. Therefore the main purpose of deploying security measures at industry premises is to create a safe and secure environment for the business functions. Security management is consequently an important element of an industrial organisation’s continuity. The implementation of integrated security systems was examined to some extent within this study. The size and nature of industrial facilities influenced this study to view integrated security systems as more effective than stand-alone security measures. The study sought to investigate the various aspects associated with the implementation. The purposes of the research included the following:
• Examine current practices, benefits, shortcomings in the implementation of integrated security systems;
• Critically evaluate the security management aspects required for the implementation of integrated security systems;
• Investigate successes and failures associated with integrated security systems and how implementation can be improved;
• Examine and identify factors necessary for a best practice approach to integrated security systems; and
• Determine a methodology for the effective implementation of integrated security systems.
Additionally the study briefly examined how security systems integration can assist in reducing the problem of connivance to theft at receiving and dispatch points at industrial facilities. The report is divided into five chapters. Chapter 1 covers the research problem, Chapter 2 deals with the research methods while Chapter 3 has insightful information from literature review. Chapter 4 presents the data and how it was analysed. Lastly Chapter 5 has findings, recommendations and conclusions. The study used the mixed-method approach. This approach includes both qualitative and quantitative research in order to gain a more in-depth understanding of the research problem. The methods of data collection were site visits, interviews and questionnaires. The sample was drawn from a cross-section of sites within the industrial areas of Workington, Southerton, Willowvale, Graniteside, Msasa and a few outside industries in the vicinity of Harare. A total of 11 sites were observed. The interviews consisted of 30 participants who were mainly security practitioners at management level as well as some non-security managers. In addition, a total of 102 respondents participated in this study by completing the questionnaire. The majority of the respondents were security practitioners who were the main focus of the study. The findings support the various aspects of the implementation of integrated security systems. The conclusions emanating from the statistical analysis of the collected data included the following:
• The critical assets for protection at industrial facilities are infrastructure, products, revenue, people and other movable items or equipment;
• The main threat sources are from outsiders, crime syndicates and employees;
• Security systems suitable for integration are CCTV, electronic access control, alarms, personnel, policies and procedures backed by information communication technologies;
• Security should be functionally integrated with other departments which include Information Technology, Human Resources, Finance, Operations and Marketing;
• The preferred mode of linkage was established to be fibre optic on a local area or wide area network using intranet or internet;
• The key players in the integration were found to be security practitioners, top management, IT specialist, system suppliers, installers and operators;
• The implementation process consists of security policy, survey, system design, procurement, installation, training, operating, review and upgrade;
• Factors necessary for best practice include system purpose, availability of resources, top management commitment, skills, and feasibility to implement;
• The benefits are mainly improved effectiveness, ease of monitoring, improved outlook and record keeping;
• The most significant challenges are system breakdown, sabotage and power outage; and
• Connivance to theft can be mitigated by a combination of staff rotation, dedicated CCTV, spot checks, undercover surveillance and functional integration.
/ Security Risk Management / M. Tech. (Security Management)
4

Jewellery store robbery: a victim risk and intervention perspective

Zannoni, Elio 30 April 2008
The exploratory study investigated jewellery store robbery from a victim risk and intervention perspective. An explanation of the phenomenon was offered based on the information obtained from a review of the existing literature, case studies, personal observations at jewellery stores, discussions with jewellers, a scientific questionnaire submitted to jewellers, and semi-structured and structured interviews conducted with a group of knowledgeable respondents and victimised jewellers respectively. A predominantly quantitative research method was applied. The research findings obtained during the study enabled a proposal for a jewellery store robbery intervention model based on the situational crime prevention perspective, which is inclusive of decisional, environmental, situational, procedural, personnel and business-oriented strategies. / Criminology / M.A. (Criminology)
5

Jewellery store robbery: a victim risk and intervention perspective

Zannoni, Elio 30 April 2008
The exploratory study investigated jewellery store robbery from a victim risk and intervention perspective. An explanation of the phenomenon was offered based on the information obtained from a review of the existing literature, case studies, personal observations at jewellery stores, discussions with jewellers, a scientific questionnaire submitted to jewellers, and semi-structured and structured interviews conducted with a group of knowledgeable respondents and victimised jewellers respectively. A predominantly quantitative research method was applied. The research findings obtained during the study enabled a proposal for a jewellery store robbery intervention model based on the situational crime prevention perspective, which is inclusive of decisional, environmental, situational, procedural, personnel and business-oriented strategies. / Criminology and Security Science / M.A. (Criminology)
