The article deals with the problem of detecting insider attacks on the organization's information resources. This article is a continuation of the authors' publication, which proposed a method for detecting malicious activity based on the statistical measure IDF (Inverse Document Frequency) and calculating the cosine similarity of two vector assets. The authors show that this similarity-based approach works well in organizations where employees' access rights to the organization's information resources do not overlap. However, in the case of using shared resources or masking the activity of an insider, this approach is not very effective. The authors of the article propose an improved method, the difference of which is the presence of two matrices: the matrix of permissions and the matrix of real access. The difference of such matrices expressed as a percentage of the user's total access to information assets makes it possible to calculate a measure of the user's malicious activity. Input data for the technique is information from IDS intrusion detection systems. The simulation results based on the given examples show that the improved method is more adequate compared to the cosine similarity method, which makes it possible to use it in a wide range of applications. The method allows you to determine the abnormal activity of users in the organization, which makes it possible to detect insider attacks at an early stage. The method can be used by information security administrators for further analysis of user activity.
information systems of organizations by identifying and solving anomalies in their interaction with users.
The general problem of identifying anomalies in the interaction of users with the organization's information resources is that this task is complex and requires an integrated approach due to several key reasons: • • • • • •
Variety of Anomalies: Anomalous user behavior can take many forms, including unusual patterns of information access, unusual activity, unauthorized access attempts, or insider threats. The diversity of these anomalies makes their detection difficult.
Volume of data: Organizations have huge volumes of data generated as a result of user interaction with information systems. Analyzing these large volumes of data to detect anomalies requires powerful processing and analysis tools.
Dynamics of change: User behavior and the structure of information systems can change over time. What was normal yesterday may become an anomaly today. You need a system that can adapt to changes in the environment.
Data heterogeneity: User interaction data can be presented in different formats and sources. Combining them and processing them to detect anomalies can be difficult due to differences in data structures and types.
Need for accuracy: Anomaly detection requires high accuracy because misinterpretation can lead to misclassification of normal behavior as abnormal or vice versa.
Ensuring privacy: When detecting anomalies, the confidentiality and privacy of user data must be preserved, which can make it difficult to implement some analysis methods.
Since these problems are complex and diverse, the detection of anomalies in the interaction of users with information resources requires the use of various methods of data analysis, machine learning, and the development of specialized systems to effectively solve this problem.
Anomaly detection is a direction that is becoming more and more relevant every year. There are various ways of detecting anomalies in the activity of information system users. Most of them are based on the analysis of various technical indicators, such as network activity, use of peripheral devices, system load, intensity of interaction with information systems, etc.
In the article [
The article [
The authors of the publication [5] evaluate anomaly detection methods based on the aspect of their applicability to various systems with the minimization of the user input. The obtained results show that the most effective method of detecting anomalies, which can be transferred to different systems and minimizes the user's work, are systems based on machine learning. The publication [6] defines three main methodological areas for diagnosing anomalies (machine learning, deep learning, statistical approaches) and summarizes exactly how the corresponding models are used to detect anomalies. In addition, the authors explain which specific application areas are typically addressed by anomaly detection in the context of cloud computing environments and which relevant public datasets are often used for evaluation.
In [
The article [
The purpose of this article is to improve the previously proposed method of detecting anomalies of user interaction with the organization's information resources, which would allow using the results of modern intrusion detection systems (IDS) and would be simple enough for practical implementation by information security administrators. 4. The method of detecting insider attacks on the organization's information resources
As before, we will take as a basis the methodology based on the use of a bipartite graph [
The set of users will be denoted by = { 1, … , }, the information assets will be defined as the set = { 1, … , }, and the set of users who accessed to assets over a certain period of time will be defined as the set . We denote as , where the value of the weight between pairs of vertices is the value of similarity.
A bipartite graph reflecting the fact of users' access to assets is denoted by a binary matrix . At the same time ( , ) = 1, if the user accesses the asset, and ( , ) = 0 if not. It is suggested 181 to use the statistical measure IDF (Inverse Document Frequency) to assess the connection of users with assets. As a measure of IDF , it is suggested to take a sigmoidal function in the form: ( ) = where = (1,1, … ,1) is unit vector of dimension ; | | is a power of set ; is a column -user of the matrix (access vector); is a sensitivity coefficient of the function.
The matrix obtained after the transformation will be denoted by . The similarity between pairs of users can be obtained based on their access vectors. To measure the similarity of two vector assets, it is suggested to use cosine similarity [12]: ( , ) = ‖ ( )× ( ) ( )‖×‖ ( )‖ =
∑ =1 ( , )×
( , ) √∑ =1(
2 ( , )) ×√∑ =1( ( , )) 2
Given two feature vectors and , the cosine similarity can be represented using the scalar
product and the norm. When a user interacts with an organization's information assets, the cosine
similarity of two users ranges from 0 to 1, since the angle between the two frequency vectors cannot
be greater than 90°. Cosine similarity is effective as an evaluation measure, especially for sparse
vectors, since only non-zero values are taken into account [
As a result of the calculations, a similarity matrix of user interaction with information assets will be obtained. It is assumed that if one of the users is an intruder, then his actions will be reflected in the similarity matrix. Around each asset, an individual group of users is formed who work with it and refer to it. To calculate the similarity between groups of users, it is necessary to calculate the average similarity between all pairs of users (total user similarity): | |×
2
( ) = ∑ =1 ∑ =1 ( , ) , ∀ ≠ ∈ −1 ∀ , where | | is number of users in the group.
Construction of a bipartite interaction graph. Calculation of the statistical measure of IDF. Calculation of the similarity matrix of user actions. Calculation of the overall similarity of user actions.
If ( ) has a high value, it means that users have a strong engagement with asset . To detect anomalous user actions, it is necessary to determine the average similarity for the subgroup ( ), ∀ ∨ = , in which a single user is compared with other users, and to determine the rating of this user relative to the average value for the organization: the more likely that user 's access to assets is abnormal.
The proposed technique for detecting abnormal user actions based on network data analysis can be presented in the form of a sequence of steps: (1) (2) (3) (4) 4.2. Algorithm for detecting anomalies in the interaction of users with the organization's information assets (Algorithm of similarity) 1,1 ,1
1, ⋯ ⋱ ⋯ , 1. ← [ ⋮ 2. ← 3.
= 4. = 5. ← (1, … , 1 ) 6.
( ) = 7. ( ) = ℎ[ ] ℎ[ ] [
− the matrix of sigmoidal functions. 8. ( , ) = 9. ( ) = 10. ( ) =
actions. 11. ( , ) = individual users. similarity matrix for user actions. actions of individual users.
1
∑ =1 ( ) ⋮ ] forming a matrix of user access to assets. [ , = 1, ( ) , 0] , { , }, { , }]
∑ =1 ( ) , × ( ) , √∑ =1( ( ) , )2×√∑ =1( ( ) , ) 2
, { , }, { , }] ⋮ ]. The elements of this matrix denote: ( , ) = 1, if the user is granted access The actual access of users to assets will still be determined by the matrix = [ (
) − ( ) to asset , and ( , ) = 0, if not.
Despite the obvious advantages, such an approach, which is based on determining the similarity of
the actions of individual users, has significant disadvantages, in particular:
1. The approach works well in those organizations where information resources are clearly
demarcated between employees. That is, sets of information resources of individual
employees do not overlap.
2. In this model, the impact of suspicious employee access to the organization's resources can
be neutralized by the appropriate combination of access to authorized resources.
In order to avoid the mentioned shortcomings, it is suggested to improve the method as follows.
To control user access to the organization's resources, we introduce an access matrix =
In the situation , when user #5 tries to bypass the protection system, for which he does not use
one of the permitted resources, for example, asset #1, when calculating the abnormality of the
behavior of user #5, the algorithm will give an erroneous result (Figure 2) . In this case, for user #5,
the degree of abnormality will be only 1.9% and therefore, against the background of general
indicators from 4.0% to 2.8%, it will be impossible to recognize an insider attack [
In the same situation, when applying the improved methodology, in both cases (when user #5 access is attempted without bypassing the protection system and with the protection system bypassed), we get a result that clearly indicates the anomalous behavior of user #5 (Figure 3).
In the previous scenario, the organization's information assets were clearly demarcated between
users. However, this situation in most organizations is the exception rather than the rule. As a rule,
when performing tasks, employees of organizations very often use common resources. In this case,
the application of the method based on the similarity matrix [
As in Scenario 1, we denote the access rights of users to the assets of the organization by the matrix . The fact of user access to assets is denoted by the access matrix . In the matrix of actual access, let's mark with red symbols "1" attempts of users to gain unauthorized access to assets, and with "0" symbols in brown
authorized assets that were not used by users. In this case, the matrices and , as an example, can have the form = 1
0 , = 1 0 0 1 1 0 0 1 1 1 0 0 0 0 0 1 1
1 0 0 1 1 0 0 1 1 1 0 0 0 [1 1 1 0 1 1 0 1 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 1 1 1 1 0 1 1 0 0 1 1 1 1 1 0 1 1 1 0 0 1 1 1 0 1 1 0 0 1 1 0 1 1 0 1 1 1 1 0 0 1 0 0 1 1 1 0 0 0 0 0 0 0 1 1 0 1 1 1 1 1 1 0 0 0 1 1 0 1 0 1 1 1 1 1 1 0 1 0 0 0 0 0 0 1 1 1 1 1 1 0 . (6)
We simulate the situation described by matrices (6) using the similarity algorithm and the improved method. The results of modeling using the similarity algorithm and the improved method are shown in Figure 4 and Figure 5.
As we can see from Figure 4, in the case when the access rights of different users overlap (when
users can use shared resources), the similarity algorithm gives results that do not unambiguously
indicate anomalies in user behavior. At the same time, the results in Figure 5 fully reproduce the
pattern of malicious activity described by the matrix . At the same time, the system can also
determine the level of malicious activity [
The improved method given in this article makes it possible to unambiguously determine that the user's interaction with some information asset of the organization is anomalous. This, in turn, may indicate a possible insider attack. The results of the application of the improved method may be transferred to the information security administrator for further analysis and action. It is assumed that in some cases such an approach will not allow to reliably determine whether a given activity is a malicious activity, since such an analysis does not take into account the context of interaction and the reason for its occurrence, in addition, other, personal characteristics of a specific user are not taken into account. In any case, the application of this technique is advisable in combination with the analysis of other indicators that allow determining the presence of the user's propensity for malicious activity, for example, taking into account the loyalty of the staff.
By integrating real-time monitoring and behavior profiling, the technique can serve as an early warning system, flagging users whose actions deviate significantly from established norms. This can allow security administrators to intervene promptly, reducing response times and minimizing potential damage. Moreover, combining this method with context-aware analysis and psychological profiling could provide a more holistic approach to insider threat management, balancing technological detection with an understanding of human factors.
Future research in this area could explore the integration of machine learning techniques with the proposed method to enhance the detection of insider threats in more complex organizational environments. Specifically, incorporating predictive analytics and anomaly detection algorithms could improve the system's ability to identify patterns of malicious behavior even when insiders attempt to mask their activity.
The authors have not employed any Generative AI tools. [5]