Information technology specialists at the Moscow State University of Psychology & Education (MSUPE) together with their colleagues from an IT company specializing in artificial intelligence-based solutions have found a way to detect deviating behaviour among users of computer networks and cloud computing environments.
They have developed two criteria for identifying deviations in user behaviour when diagnosing network threats: one based on self-organizing neural networks, and the other classifying users according to the sequences of typical actions that they perform. The study, carried out with the support of the Ministry of Science and Higher Education, was published in the Experimental Psychology peer-reviewed journal.
Protecting computers from network threats is one of the most important information security issues. Standard security tools used in cloud environments today (data encryption, user identification tools, restriction of access rights and traffic volumes, etc.) are often not effective enough.
"There is a new way of identifying possible threats based on analyzing user behaviour in real time. Western companies are already using several services analyzing the activity of a large number of users such as Cloud Access Security Broker, LANeye, and UEBA," commented Dean of the MSUPE Information Technologies Department Lev Kuravsky.
According to experts, one of the most important components in developing these solutions is to build a modern mathematical system for recognizing incorrect user behaviour. The systems should be automated, should be able to operate in the cloud environment and, if possible, have the ability to learn. The scientific novelty of this approach is the use of Kohonen self-organizing networks for generating statistics in testing hypotheses about users of various types.
The new criterion is much more effective than the classical methods of multidimensional statistical analysis, MSUPE experts noted. The second criterion determines the categories of users with deviations in behaviour according to the sequences of typical actions performed.
This algorithm uses the theory of Markov stochastic processes and the maximum likelihood estimation method: a separate model, each with its own set of transition probabilities between states, is introduced for every category of users with correct or incorrect behaviour, and an observed sequence of actions is assigned to the category whose model explains it best.
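The following is an added illustration of the second criterion, not code from the MSUPE study: one first-order Markov model per user category, with initial-state and transition probabilities estimated by maximum likelihood from labelled action sequences, and a new sequence classified by the category under which it has the highest log-likelihood. The action vocabulary, the two category labels and the training sessions are constructed sample data; additive (Laplace) smoothing is added so that a transition never seen in training does not drive the log-likelihood to minus infinity.

```python
"""Per-category Markov models for user action sequences, fitted by maximum likelihood.

Added example (not the original study's code). The actions, categories and
training sessions below are constructed and purely hypothetical.
"""
import math

# Constructed action vocabulary: the "typical actions" a user can perform.
ACTIONS = ["login", "read", "write", "download", "share", "logout"]

# Constructed labelled sessions, one list per user category.
TRAINING = {
    "normal": [
        ["login", "read", "read", "write", "logout"],
        ["login", "read", "write", "read", "logout"],
        ["login", "read", "read", "read", "logout"],
        ["login", "write", "read", "logout"],
    ],
    "deviant": [
        ["login", "download", "download", "share", "logout"],
        ["login", "read", "download", "share", "download", "logout"],
        ["login", "download", "share", "share", "logout"],
    ],
}


def fit_markov(sequences, actions, alpha=1.0):
    """Maximum likelihood estimate of a first-order Markov model.

    Returns (initial_probabilities, transition_probabilities). Each count
    starts at `alpha` pseudo-counts (Laplace smoothing), so a transition that
    never occurred in training still gets a small nonzero probability.
    """
    init = {a: alpha for a in actions}
    trans = {a: {b: alpha for b in actions} for a in actions}
    for seq in sequences:
        init[seq[0]] += 1
        for a, b in zip(seq, seq[1:]):
            trans[a][b] += 1
    init_total = sum(init.values())
    init_p = {a: c / init_total for a, c in init.items()}
    trans_p = {}
    for a, row in trans.items():
        row_total = sum(row.values())
        trans_p[a] = {b: c / row_total for b, c in row.items()}
    return init_p, trans_p


def log_likelihood(seq, model):
    """Log P(sequence | model) under a first-order Markov chain."""
    init_p, trans_p = model
    ll = math.log(init_p[seq[0]])
    for a, b in zip(seq, seq[1:]):
        ll += math.log(trans_p[a][b])
    return ll


def train(training, actions=ACTIONS):
    """One Markov model per category, each with its own transition matrix."""
    return {cat: fit_markov(seqs, actions) for cat, seqs in training.items()}


def classify(seq, models):
    """Assign `seq` to the category whose model gives it the highest likelihood.

    Returns (best_category, {category: log_likelihood}).
    """
    scores = {cat: log_likelihood(seq, m) for cat, m in models.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    models = train(TRAINING)
    for session in (["login", "read", "read", "write", "logout"],
                    ["login", "download", "share", "share", "download", "logout"]):
        label, scores = classify(session, models)
        print(" -> ".join(session), "=>", label, {k: round(v, 2) for k, v in scores.items()})
```

In practice the categories and their training sessions would come from an audit log labelled by analysts, and the score difference between the best and second-best category can serve as a confidence measure before an alert is raised.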