Research of methods and algorithms of insider detection in a computer network using machine learning technologies

Pelevin, Dmitrii

January 2021

Background. Security Information and Event Management (SIEM) systems today are sophisticated sets of software packages combined with hardware platforms, which can perform real-time analysis on security events and can respond to them before potential damage due to the actions of intruders. A huge number of systems rely on the continuous transmission of data through computer networks. Nowadays it is difficult to imagine a sphere of human activity that would not be affected by information technologies and would not use computer networks. Along with the means of protecting information, the technologies that are used by cybercriminals to achieve their goals are also improving. Moreover, the so-called insiders - information security perpetrators inside the protected perimeter, who can cause much more damage by their actions, as they are among the legitimate users and can have access to more confidential information - are becoming a growing threat. Objectives. To identify insider activity within an acceptable time inside the network, we need to develop a methodology to detect abnormal activity within the network using advanced data processing techniques, based on machine learning. After recreating the data processing system, we will also need to determine the most efficient algorithm that can be applied to the task of insider detection. Methods. The work analyzed research papers with similar objectives to investigate methods and technologies for securing against intruder intrusions, in conjunction with a study of machine learning techniques for detecting anomalies in the data. Experimental data were also collected containing information about network activity within the same network over two weeks. With this data, it is possible to conduct an experiment in network traffic processing using state-of-the-art technology. Results. During the study of relevant works, several effective ways to detect anomalies in the data were identified, technologies for processing large amounts of data using NoSQL were studied, and work on creating an experimental bench was performed. As a result, the experimental data obtained was sufficient to verify the effectiveness of the obtained solution. Conclusions. As a result, we analyzed existing approaches to detect insider activity within a computer system. Algorithms based on machine learning and big data processing methods were evaluated. In addition, a model for representing big data in NoSQL format was developed, which made it possible to create an architecture of a system for detecting insiders in computer networks using a graph database and machine learning methods.

IPS

IDS

UBA

NoSQL

Information Security

Computer Sciences

Datavetenskap (datalogi)

The Influence of Self-Determined Motivation on Security Education Training and Awareness (SETA) Programs

Menard, Philip Roy

14 August 2015

Despite the best efforts of many organizations, protection of information assets continues to be a major problem for a number of firms. A large portion of data breaches can be attributed to employees of the organization, who have been commonly identified as the weakest link in an organization’s overall security profile. Organizations implement security policies to give their employees guidelines for appropriate behavior related to information protection. For policies to be effective, employees must exhibit adequate comprehension of the secure behaviors described in the policy. Security Education, Training, and Awareness (SETA) programs have been utilized as an organizational mechanism for communicating the details of security policies and the importance of employees’ compliance. Although researchers have identified the importance of SETA programs in the implementation of security policies, individual differences among employees may contribute to the effectiveness of a SETA program. One such difference is an employee’s orientation toward self-determined (intrinsic) or control-oriented (extrinsic) forms of motivation related to both the workplace context and situational tasks, such as participation in a SETA program. A theoretical model is developed to assess the influence of an employee’s overall work motivation and perceptions of the work environment on his or her situational motivation toward participating in an organization’s SETA program. Methods for capturing the hypothesized relationships and analysis of the associated data are described. The findings indicate that an employee’s perceptions of autonomy, competence, and relatedness while participating in the SETA program have a significant impact on the employee’s motivation toward the SETA program. SETA program motivation significantly influenced an employee’s attitude toward the information security policy (ISP), cognition of ISP concepts, and intention to comply with the ISP while also serving as a significant predictor of an employee’s decision to participate in an additional training program. Implications for both research and practice are discussed.

self-determination theory

motivation

SETA

training

information security

Measuring Efficacy of Information Security Policies : A Case Study of UAE based company

Qureshi, Muhammad Sohail

January 2012

Nowadays information security policies are operative in many organizations. Currently few organizations take the pain of verifying the efficacy of these policies. Different standards and procedures exist about methods of measuring efficacy of information security policies. Choosing and implementing them depends mainly on the key performance indicators (KPIs) and key risk indicators (KRIs) of any particular organization. This thesis is a case study of an organization in United Arab Emirates (UAE). The basic aim of the research is to inquire and analyze how the efficacy of the implemented security policies is being measured in this particular organization and to propose a method which is more suitable to the needs of organization. The research is based on theoretical study, an interview and a questionnaire. The results of this thesis indicate that there are no formal mechanisms for measuring the efficacy of information security policies in the organization under consideration. Moreover the employees of the organization are also not much satisfied with information security awareness in the company, which can be another reason for ensuring that the efficacy is measured on regular basis. Therefore, a technique from ISO27004 has been used to demonstrate how this efficacy can be measured. It is a step by step procedure for which the information has been extracted from the interview and survey questionnaire responses.

Information security policies

ISO27004

KPIs

KRIs

Engineering and Technology

Teknik och teknologier

GPUHElib and DistributedHElib: Distributed Computing Variants of HElib, a Homomorphic Encryption Library

Frame, Ethan Andrew

01 June 2015

Homomorphic Encryption, an encryption scheme only developed in the last five years, allows for arbitrary operations to be performed on encrypted data. Using this scheme, a user can encrypt data, and send it to an online service. The online service can then perform an operation on the data and generate an encrypted result. This encrypted result is then sent back to the user, who decrypts it. This decryption produces the same data as if the operation performed by the online service had been performed on the unencrypted data. This is revolutionary because it allows for users to rely on online services, even untrusted online services, to perform operations on their data, without the online service gaining any knowledge from their data. A prominent implementation of homomorphic encryption is HElib. While one is able to perform homomorphic encryption with this library, there are problems with it. It, like all other homomorphic encryption libraries, is slow relative to other encryption systems. Thus there is a need to speed it up. Because homomorphic encryption will be deployed on online services, many of them distributed systems, it is natural to modify HElib to utilize some of the tools that are available on them in an attempt to speed up run times. Thus two modified libraries were designed: GPUHElib, which utilizes a GPU, and DistributedHElib, which utilizes a distributed computing design. These designs were then tested against the original library to see if they provided any speed up.

GPU

Distributed computing

Homomorphic encryption

HElib

Computer Sciences

Information Security

Analyzing Global Cyber Attack Correlates Through an Open Database

Aiello, Brady Benjamin

01 June 2018

As humanity becomes more reliant on digital storage and communication for every aspect of life, cyber attacks pose a growing threat. However, cyber attacks are generally understood as individual incidents reported in technological circles, sometimes tied to a particular vulnerability. They are not generally understood through the macroscopic lens of statistical analysis spanning years over several countries and sectors, leaving researchers largely ignorant of the larger trends and correlates between attacks. This is large part due to the lack of a coherent and open database of prominent attacks. Most data about cyber attacks has been captured using a repository of common vulnerabilities and exposures (CVE’s), and \honey pots", unsecured internet-connected devices which record attacks as they occur against them. These approaches help in the process of identifying vulnerabilities, but they do not capture the real world impact these attacks achieve. Therefore, in this thesis I create a database of 4,000 cyber attacks using a semi-open data source, and perform analytical queries on it to gather insights into how cyber attack volume varies among countries and sectors, and the correlates of cyber attack victims. From here, it is also possible to relate socio-economic data such as GDP and World Happiness Index to cyber attack volume. The end result is an open database of cyber attacks that allows researchers to understand the larger underlying forces which propel cyber attacks.

cybersecurity

cyber attacks

socioeconomic

political

malware

Information Security

A Study on Hash-based Signature Schemes / ハッシュ関数に基づく署名方式の研究

YUAN, QUAN

26 September 2022

京都大学 / 新制・課程博士 / 博士(情報学) / 甲第24258号 / 情博第802号 / 新制||情||135(附属図書館) / 京都大学大学院情報学研究科社会情報学専攻 / (主査)教授 神田 崇行, 教授 吉川 正俊, 教授 梅野 健 / 学位規則第4条第1項該当 / Doctor of Informatics / Kyoto University / DFAM

Cryptography

Information Security

Digital Signatures

Hash Functions

007

The Effects of Inhibitory Control and Perceptual Attention on Cyber Security

Pearson, Ed

03 May 2019

This dissertation recommends research to investigate the effects inhibitory control and perceptual attention have on the cyber security decision-making process. Understanding the effects that inhibitory control and perceptual attention have on the security decision- making process will allow for better defenses to be developed against social engineering and phishing. A survey and review of previous research in the area of Human Computer- Interaction and Security is presented. An experiment is performed to evaluate inhibitory control, which is composed of prepotent response inhibition, resistance to distractor interference, and resistance to proactive interference (PI). Additionally, the experiment evaluates perceptual attention and the security decision-making process.

information security

security icons

cyber security knowledge

security indicators

Risk as a Function of Information Technology Artifact Perceptions

Lee, James, Jr

17 May 2014

Ubiquitous networking challenges organizational security by enabling employees to work from virtually anywhere. Different networking environments have distinguishing characteristics that create vulnerabilities, and non-employer controlled networks are outside the security boundary of the organization. Organizations must rely on users to determine the risk to information when operating in external environments. The purpose of this study is to identify the impact of non-malicious insiders’ judgments of Information Technology artifacts when determining risk to organizational information transmitted from multiple networking environments. The study manipulates the Network Environment Characteristics and Information Types, then measures the respondent’s Network Trust, Information Protection Concerns, and Perceived Information Risk. Each of these evaluations are informed by Information Security Awareness, which is measured through General Information Security Awareness and Information Security Policy Knowledge. The factorial survey method was used to investigate the risk assessment because it utilizes multivariate experimental design with sample survey collection methods. This allows for additional precision, and helps to reduce bias. A two-phase investigation was performed that utilized two separate data collection and analysis procedures. The first phase develops and establishes the experimental treatments’ and the measurement instrument’s validity, and the second phase is used to test the hypotheses. The findings of this study contribute to the Information Systems discipline by advancing the understanding of trust, protection, and risk judgments of the Information Technology artifact. This provides insights on how users perceive risk, and could be used to develop Security Education Training and Awareness programs that directly address system risk.

information technology

risk

multi-level modeling

information systems

Information security

Three Essays of Consumer Inference Making and Metacognitive Experience in Perceived Information Security

Park, Yong Wan

25 April 2013

The internet has served as the virtual world since the beginning of the digital era, and it has provided consumers the valuable source of information and become a fundamental basis of e-commerce by passing the limit of time and distance of offline stores. It is hard to imagine our life without the internet. Because consumers store and access their private and financial information on the internet, information security is even more important than ever. Although many studies demonstrate the importance of information security to consumers, researchers have paid little attention to consumers\' inference processing underlying their perceptions of information security. We investigate how consumers infer and evaluate online information security based on consumer inference making process and metacognitive experience. We argue that consumers\' perceived security could be enhanced by simply increasing complexity, even if that increased complexity is meaningless. It is because consumers have a belief that security is achieved by sacrificing convenience or increasing complexity. We demonstrated that consumers evaluated a website more secure when asked to enter redundant information in Chapter 1. Chapter 2 suggested that disfluency and difficulty of retrieval could increase perceived security because metacognitive experience makes consumers misattribute their feeling of difficulty to technical difficulty. We found that the positive effect of disfluency was held when a product was not security-related. In Chapter 3, we focused on how to improve the accuracy of security judgments. We found that perceived security enhanced by meaningless complexity would be adjusted by asking specific dimensions of security (Confidentiality, Integrity, and Availability), and the positive impact of a disfluency effect could be debiased by providing participants the true source of their subjective difficulty. Furthermore, we demonstrated that consumers\' interpretation about accessibility experience varied depending on what kind of naïve theory was activated. Through a series of experiments, we demonstrated our arguments were valid and these results provided useful insights and implications about consumers\' inference processing and perception of information security. / Ph. D.

Information Security

Perceived Security

Inference Making

Metacognitive Experience

Fluency

Debias

Security By Design

Tanner, M. James

10 August 2009

Securing a computer from unwanted intrusion requires astute planning and effort to effectively minimize the security invasions computers are plagued with today. While all of the efforts to secure a computer are needed, it seems that the underlying issue of what is being secured has been overlooked. The operating system is at the core of the security issue. Many applications and devices have been put into place to add layers of protection to an already weak operating system. Security did not used to be such a prominent issue because computers were not connected 24/7, they used dialup and did not experience the effects from connecting to multiple computers. Today computers connect to high speed Internet and seem useless without access to email, chat, Internet, and videos. This interconnectedness of computers has allowed the security of many computers to be compromised because they have not been programmatically secured. The core component of computer security might best be done through security layers protecting the operating system. For this research, those who work in the computer field were asked to complete a survey. The survey was used to gather information such as the security layers and enhancements implemented on Linux computers and networks their surrounding network. This research is a stepping stone for further research as to what can be done to further improve upon security and its current implementations. / Securing a computer from unwanted intrusion requires astute planning and effort to effectively minimize the security invasions computers are plagued with today.

Linux security layers

Information Security

Linux System administrators

T1