<?xml version="1.0" encoding="UTF-8"?>
<TEI xml:space="preserve" xmlns="http://www.tei-c.org/ns/1.0" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.tei-c.org/ns/1.0 https://raw.githubusercontent.com/kermitt2/grobid/master/grobid-home/schemas/xsd/Grobid.xsd"
 xmlns:xlink="http://www.w3.org/1999/xlink">
	<teiHeader xml:lang="en">
		<fileDesc>
			<titleStmt>
				<title level="a" type="main">Improving the method of detecting insider attacks on the organization&apos;s information resources</title>
			</titleStmt>
			<publicationStmt>
				<publisher/>
				<availability status="unknown"><licence/></availability>
			</publicationStmt>
			<sourceDesc>
				<biblStruct>
					<analytic>
						<author>
							<persName><forename type="first">Vitalii</forename><surname>Savchenko</surname></persName>
							<affiliation key="aff0">
								<orgName type="institution">State University of Information and Communication Technologies</orgName>
								<address>
									<addrLine>Solomianska street, 7</addrLine>
									<postCode>03110</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Valeriia</forename><surname>Savchenko</surname></persName>
							<email>savchenko.valeriya@gmail.com</email>
						</author>
						<author>
							<persName><forename type="first">Roman</forename><surname>Vozniak</surname></persName>
							<affiliation key="aff0">
								<orgName type="institution">State University of Information and Communication Technologies</orgName>
								<address>
									<addrLine>Solomianska street, 7</addrLine>
									<postCode>03110</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
							<affiliation key="aff1">
								<orgName type="institution">The National Defence University of Ukraine</orgName>
								<address>
									<addrLine>Air Force avenue, 28</addrLine>
									<postCode>03049</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<author>
							<persName><forename type="first">Oleksandr</forename><surname>Sampir</surname></persName>
							<email>sampir1984@ukr.net</email>
							<affiliation key="aff1">
								<orgName type="institution">The National Defence University of Ukraine</orgName>
								<address>
									<addrLine>Air Force avenue, 28</addrLine>
									<postCode>03049</postCode>
									<settlement>Kyiv</settlement>
									<country key="UA">Ukraine</country>
								</address>
							</affiliation>
						</author>
						<title level="a" type="main">Improving the method of detecting insider attacks on the organization&apos;s information resources</title>
					</analytic>
					<monogr>
						<idno type="ISSN">1613-0073</idno>
					</monogr>
					<idno type="MD5">AB5D8A0DCFAED86E34F16D92C37B238A</idno>
				</biblStruct>
			</sourceDesc>
		</fileDesc>
		<encodingDesc>
			<appInfo>
				<application version="0.7.2" ident="GROBID" when="2025-04-23T16:49+0000">
					<desc>GROBID - A machine learning software for extracting information from scholarly documents</desc>
					<ref target="https://github.com/kermitt2/grobid"/>
				</application>
			</appInfo>
		</encodingDesc>
		<profileDesc>
			<textClass>
				<keywords>
					<term>information asset</term>
					<term>information resource</term>
					<term>insider</term>
					<term>abnormal user behavior</term>
					<term>cosine similarity</term>
					<term>ORCID 0000-0002-3014-131X (V. Savchenko)</term>
					<term>ORCID 0000-0003-1921-2698 (V. Savchenko)</term>
					<term>ORCID 0000-0002-3789-2837 (R. Vozniak)</term>
					<term>ORCID 0000-0002-3564-1997 (O. Sampir)</term>
				</keywords>
			</textClass>
			<abstract>
<div xmlns="http://www.tei-c.org/ns/1.0"><p>The article deals with the problem of detecting insider attacks on the organization's information resources. This article is a continuation of the authors' publication, which proposed a method for detecting malicious activity based on the statistical measure IDF (Inverse Document Frequency) and calculating the cosine similarity of two vector assets. The authors show that this similarity-based approach works well in organizations where employees' access rights to the organization's information resources do not overlap. However, in the case of using shared resources or masking the activity of an insider, this approach is not very effective. The authors of the article propose an improved method, the difference of which is the presence of two matrices: the matrix of permissions and the matrix of real access. The difference of such matrices expressed as a percentage of the user's total access to information assets makes it possible to calculate a measure of the user's malicious activity. Input data for the technique is information from IDS intrusion detection systems. The simulation results based on the given examples show that the improved method is more adequate compared to the cosine similarity method, which makes it possible to use it in a wide range of applications. The method allows you to determine the abnormal activity of users in the organization, which makes it possible to detect insider attacks at an early stage. The method can be used by information security administrators for further analysis of user activity.</p></div>
			</abstract>
		</profileDesc>
	</teiHeader>
	<text xml:lang="en">
		<body>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="1.">Introduction</head><p>In today's digital world, where access to information is becoming increasingly important for the successful operation of organizations, user interaction with information resources is becoming a key factor in efficiency and security. Organizations invest significant effort in developing and maintaining systems that provide access to data and resources for their employees and customers. However, the detection of anomalies in this interaction can have a significant impact on the security and functionality of these systems. Anomalies in interaction with an organization's information resources can include a wide range of events, from unusual user activity to potential cyber attacks or security breaches. Understanding, detecting, and responding in a timely manner to such anomalies become critical to ensuring the reliability of information systems.</p><p>In this study, we will consider the method of determining anomalies of user interaction with the organization's information resources. The study is a continuation of our previous publication <ref type="bibr" target="#b0">[1]</ref>, where we already proposed a method for detecting anomalies in the activity of information system users. It is aimed at identifying insiders, which will help increase the security and efficiency of information systems of organizations by identifying and solving anomalies in their interaction with users.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="2.">Problem statement</head><p>The general problem of identifying anomalies in the interaction of users with the organization's information resources is that this task is complex and requires an integrated approach due to several key reasons:</p><list rend="bulleted"><item>Variety of anomalies: anomalous user behavior can take many forms, including unusual patterns of information access, unusual activity, unauthorized access attempts, or insider threats. The diversity of these anomalies makes their detection difficult.</item><item>Volume of data: organizations have huge volumes of data generated as a result of user interaction with information systems. Analyzing these large volumes of data to detect anomalies requires powerful processing and analysis tools.</item><item>Dynamics of change: user behavior and the structure of information systems can change over time. What was normal yesterday may become an anomaly today. A system is needed that can adapt to changes in the environment.</item><item>Data heterogeneity: user interaction data can be presented in different formats and come from different sources. Combining them and processing them to detect anomalies can be difficult due to differences in data structures and types.</item><item>Need for accuracy: anomaly detection requires high accuracy, because misinterpretation can lead to misclassification of normal behavior as abnormal or vice versa.</item><item>Ensuring privacy: when detecting anomalies, the confidentiality and privacy of user data must be preserved, which can make it difficult to implement some analysis methods.</item></list><p>Since these problems are complex and diverse, the detection of anomalies in the interaction of users with information resources requires the use of various methods of data analysis, machine learning, and the development of specialized systems to effectively solve this problem.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="3.">Related works overview</head><p>Anomaly detection is a direction that is becoming more relevant every year. There are various ways of detecting anomalies in the activity of information system users. Most of them are based on the analysis of various technical indicators, such as network activity, use of peripheral devices, system load, intensity of interaction with information systems, etc.</p><p>In the article <ref type="bibr" target="#b0">[1]</ref>, we investigated an intrusion detection method based on the calculation of the similarity of user actions. The disadvantage of the previous study is that, despite its advantages, the proposed method is poorly protected against deception by unscrupulous users, since it relies on a similarity coefficient of the user's actions computed with cosine similarity. This approach allows the attacker to easily imitate loyal activity, thereby masking his malicious activity. Our other paper <ref type="bibr" target="#b1">[2]</ref> investigates the detection of insider attacks based on the time parameters of the protection system. In that publication, we conclude that detection of such an attack is possible only when the defense system is able to react faster than the attacker.</p><p>The article <ref type="bibr" target="#b2">[3]</ref> provides a comprehensive review of the existing literature on recent advances in anomaly detection methods for detecting security threats in cyber-physical systems. The authors analyze 296 articles devoted to the detection of anomalies and identify the shortcomings of various detection methods, including limited resources, lack of standardized communication protocols, heterogeneity of technologies and protection systems, and differing information security policies. 
The authors of the article <ref type="bibr" target="#b3">[4]</ref> propose approaches to the classification of anomaly detection methods in modern attack detection systems. It is shown that the methods of detecting anomalies in modern attack detection systems are not sufficiently elaborated in terms of the formal attack model, and, therefore, it is quite difficult for them to strictly evaluate such properties as computational complexity, correctness, and completeness.</p><p>The authors of the publication <ref type="bibr" target="#b4">[5]</ref> evaluate anomaly detection methods based on the aspect of their applicability to various systems with the minimization of the user input. The obtained results show that the most effective method of detecting anomalies, which can be transferred to different systems and minimizes the user's work, are systems based on machine learning. The publication <ref type="bibr" target="#b5">[6]</ref> defines three main methodological areas for diagnosing anomalies (machine learning, deep learning, statistical approaches) and summarizes exactly how the corresponding models are used to detect anomalies. In addition, the authors explain which specific application areas are typically addressed by anomaly detection in the context of cloud computing environments and which relevant public datasets are often used for evaluation.</p><p>In <ref type="bibr" target="#b6">[7]</ref>, the authors propose an intelligent system for detecting anomalies and identifying smart home devices using collective communication. The concept of the system's operation is based on obtaining benefits from the integration of smart homes into a social network in terms of increasing the security of both a single smart home and the entire social network of connected smart homes. Publication <ref type="bibr" target="#b7">[8]</ref> proposes an unsupervised method that was developed to detect anomalies when information is not labeled or classified. 
Information extraction approaches based on machine learning, developed for the implementation of the anomaly detection system, were used. implemented in the practice of organizations. Their work is based on the use of a database of attack patterns (signatures) and machine learning methods. In addition, such systems can register a set of data characterizing the interaction of employees with the organization's information assets and have proven themselves well in solving the problem of detecting anomalies.</p><p>The article <ref type="bibr" target="#b8">[9]</ref> describes a study of log mining in the field of microservice technologies with the detection of anomalies from logs, that is, events that require deeper inspection by analysts. The authors propose a new approach to finding numerical representations of computer logs without making assumptions about the format of the underlying data and without requiring programming knowledge. The article <ref type="bibr" target="#b9">[10]</ref> presents a distributed approach for real-time anomaly detection in large-scale environments. The method is able to detect consistent and quantitative anomalies within a multi-source streaming log.</p><p>The purpose of this article is to improve the previously proposed method of detecting anomalies of user interaction with the organization's information resources, so that it can use the results of modern intrusion detection systems (IDS) and is simple enough for practical implementation by information security administrators.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.">The method of detecting insider attacks on the organization's information resources</head></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.1.">General approach</head><p>As before, we will take as a basis the methodology based on the use of a bipartite graph <ref type="bibr" target="#b0">[1,</ref><ref type="bibr">11]</ref> to display the interaction of users (employees of the organization) with assets (information systems) on the basis of network data collected by the IDS system. The set of users will be denoted by $U = \{u_1, \ldots, u_n\}$, the information assets will be defined as the set $A = \{a_1, \ldots, a_n\}$, and the set of users who accessed asset $a_i$ over a certain period of time will be defined as the set $U_{A_i}$. We denote by $G_{A_i}$ the graph built on $U_{A_i}$, where the value of the weight between pairs of vertices is the value of similarity.</p><p>A bipartite graph reflecting the fact of users' access to assets is denoted by a binary matrix $A_U$. At the same time $A_U(i, j) = 1$ if the user $u_i$ accesses the asset $a_j$, and $A_U(i, j) = 0$ if not. It is suggested to use the statistical measure IDF (Inverse Document Frequency) to assess the connection of users with assets. As the measure of IDF, $I_{DF}$, it is suggested to take a sigmoidal function of the form:</p><formula xml:id="formula_0">$$I_{DF}(U_i) = \frac{1}{1 + e^{\frac{\gamma}{2} - \frac{\gamma E \times U_i}{|A|}}},$$<label>(1)</label></formula><p>where $E = (1, 1, \ldots, 1)$ is the unit vector of dimension $m$; $|A|$ is the cardinality of the set $A$; $U_i$ is the column of the matrix $A_S$ corresponding to user $i$ (access vector); $\gamma$ is the sensitivity coefficient of the function.</p><p>The matrix obtained after the transformation will be denoted by $I_{DF_{UA}}$. The similarity between pairs of users can be obtained based on their access vectors. To measure the similarity of two vector assets, it is suggested to use cosine similarity <ref type="bibr" target="#b10">[12]</ref>:</p><formula xml:id="formula_1">$$C(u_i, u_j) = \frac{I_{DF}(U_i) \times I_{DF}(U_j)}{\|I_{DF}(U_i)\| \times \|I_{DF}(U_j)\|} = \frac{\sum_{k=1}^{m} I_{DF}(U_{i,k}) \times I_{DF}(U_{j,k})}{\sqrt{\sum_{k=1}^{m} \left(I_{DF}(U_{i,k})\right)^2} \times \sqrt{\sum_{k=1}^{m} \left(I_{DF}(U_{j,k})\right)^2}},$$<label>(2)</label></formula><p>Given two feature vectors $X$ and $Y$, the cosine similarity can be represented using the scalar product and the norm. 
When a user interacts with an organization's information assets, the cosine similarity of two users ranges from 0 to 1, since the angle between the two frequency vectors cannot be greater than 90°. Cosine similarity is effective as an evaluation measure, especially for sparse vectors, since only non-zero values are taken into account <ref type="bibr" target="#b9">[10]</ref>.</p><p>As a result of the calculations, a similarity matrix of user interaction with information assets will be obtained. It is assumed that if one of the users is an intruder, then his actions will be reflected in the similarity matrix. Around each asset, an individual group of users is formed who work with it and refer to it. To calculate the similarity between groups of users, it is necessary to calculate the average similarity between all pairs of users (total user similarity):</p><formula xml:id="formula_3">$$C(G_{A_k}) = \frac{\sum_{i=1}^{n} \sum_{j=1}^{n} C(U_i, U_j)}{|U_{A_k}| \times \frac{|U_{A_k}| - 1}{2}}, \quad \forall U_i \neq U_j \in U_{A_k},$$<label>(3)</label></formula><p>where $|U_{A_k}|$ is the number of users in the group.</p><p>If $C(G_{A_k})$ has a high value, it means that users have a strong engagement with asset $a_k$. To detect anomalous user actions, it is necessary to determine the average similarity for the subgroup $C(G_{U_k})$, $\forall i \vee j = k$, in which a single user $k$ is compared with the other users, and to determine the rating of this user relative to the average value for the organization:</p><formula xml:id="formula_4">$$R(u_k, A) = \frac{C(G_{U_k}) - C(G_{A_k})}{C(G_{A_k})} \times 100\%, \quad k = 1, \ldots, m,$$<label>(4)</label></formula><p>where $C(G_{U_k})$ is the average similarity over the subset of users that are compared to user $u_k$. The larger the value of $R(u_k, A)$, the more likely it is that user $u_k$'s access to asset $a_i$ is abnormal.</p><p>The proposed technique for detecting abnormal user actions based on network data analysis can be presented as a sequence of steps:</p><list rend="numbered"><item n="1">Building sets of users and assets.</item><item n="2">Construction of a bipartite interaction graph.</item><item n="3">Calculation of the statistical measure IDF.</item><item n="4">Calculation of the similarity matrix of user actions.</item><item n="5">Calculation of the overall similarity of user actions.</item><item n="6">Detection of abnormal actions.</item></list></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.2.">Algorithm for detecting anomalies in the interaction of users with the organization's information assets (Algorithm of similarity)</head></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4.3.">Improvement of the method (Advanced method)</head><p>Despite the obvious advantages, such an approach, which is based on determining the similarity of the actions of individual users, has significant disadvantages, in particular:</p><list rend="numbered"><item n="1">The approach works well in those organizations where information resources are clearly demarcated between employees, that is, where the sets of information resources of individual employees do not overlap.</item><item n="2">In this model, the impact of suspicious employee access to the organization's resources can be neutralized by an appropriate combination of accesses to authorized resources.</item></list><p>In order to avoid the mentioned shortcomings, it is suggested to improve the method as follows.</p><p>To control user access to the organization's resources, we introduce an access (permissions) matrix</p><formula xml:id="formula_5">$$A_A = \begin{bmatrix} a_{a_{1,1}} \ \cdots \ a_{a_{1,n}} \\ \vdots \ \ddots \ \vdots \\ a_{a_{m,1}} \ \cdots \ a_{a_{m,n}} \end{bmatrix}.$$</formula><p>The elements of this matrix denote: $A_A(i, j) = 1$ if the user $u_i$ is granted access to asset $a_j$, and $A_A(i, j) = 0$ if not.</p><p>The actual access of users to assets will still be determined by the matrix</p><formula xml:id="formula_6">$$A_U = \begin{bmatrix} a_{u_{1,1}} \ \cdots \ a_{u_{1,n}} \\ \vdots \ \ddots \ \vdots \\ a_{u_{m,1}} \ \cdots \ a_{u_{m,n}} \end{bmatrix}.$$</formula><p>To determine the malicious activity of users, we will calculate the difference between the matrices, $M = A_A - A_U$. As a result, we will get a matrix whose elements $m_{i,j}$ are numbers from the set $\{-1, 0, 1\}$, where: $m_{i,j} = -1$ in the case of malicious user activity (access to an asset that was not authorized); $m_{i,j} = 0$ when the user has made legal access to an authorized asset (or has neither permission nor access); $m_{i,j} = 1$ when the user did not access an authorized asset.</p><p>Let's count the number of "$-1$" values in each column of the matrix $M$ and divide these values by the number of "1" values in the same column of the matrix $A_A$. We will present the obtained results as a percentage. This is necessary in order to take into account the general activity of users: otherwise, a single malicious access by a user with a limited scope of access would produce the same result as a single malicious access by a user with wide access rights to the organization's resources.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="5.">Simulation and discussion of results</head><p>As before, we will consider the effect of the technique on an abstract example <ref type="bibr" target="#b11">[13]</ref>. Assume that the organization has 10 users and 15 information assets. Then the bipartite graph of user interactions with information assets can be described by a binary matrix $A_S$ of dimension 15×10.</p><p>Let's consider and compare the main scenarios of the application of the two methods.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="5.1.">Scenario 1</head><p>Two groups of users work with authorized information assets, and their actions regarding access to the assets do not overlap. However, one of the users (#5) is trying to access asset #8, which he does not have permission to access. In addition, user #5, knowing the algorithm for detecting anomalies in user interaction, tries to bypass the protection system by not using one of the allowed resources, for example, asset #1. These two situations can be described by the access matrices <ref type="bibr" target="#b12">[14]</ref></p><formula xml:id="formula_7">$$A_U^a = \begin{bmatrix}
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
0\ 0\ 0\ 0\ \mathbf{1}\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1
\end{bmatrix}, \quad
A_U^b = \begin{bmatrix}
1\ 1\ 1\ 1\ \mathbf{0}\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
0\ 0\ 0\ 0\ \mathbf{1}\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1
\end{bmatrix},$$<label>(5)</label></formula><p>where the matrix columns denote the users of the organization and the rows of the matrix indicate the organization's assets; values of "1" in blue color indicate assets to which users are allowed access, and values of "0" in black color indicate assets to which access is prohibited (in the transcription above, the two entries of user #5 discussed below are set in bold).</p><p>According to Scenario 1, the matrix $A_U^a$ of formula (5) describes the attempt of user #5 to access the prohibited asset #8. Matrix $A_U^b$ of formula (<ref type="formula" target="#formula_7">5</ref>) describes the attempt of user #5 to access asset #8 while bypassing the security system by ignoring asset #1, which is allowed to him.</p><p>In the case of $A_U^a$, the application of the algorithm immediately gives a result in which the abnormality of the behavior of user #5 is 7.2% against the background of the rest of the users (Figure <ref type="figure" target="#fig_1">1</ref>). This clearly indicates anomalous behavior of this user, which may be an indication of an insider threat <ref type="bibr" target="#b13">[15]</ref>. In the situation $A_U^b$, when user #5 tries to bypass the protection system by not using one of the permitted resources, for example, asset #1, the algorithm gives an erroneous result when calculating the abnormality of the behavior of user #5 (Figure <ref type="figure" target="#fig_2">2</ref>). In this case, for user #5, the degree of abnormality will be only 1.9% and therefore, against the background of general indicators from 4.0% to 2.8%, it will be impossible to recognize an insider attack <ref type="bibr" target="#b14">[16]</ref>. In the same situation, when applying the improved methodology, in both cases (when user #5 attempts access without bypassing the protection system and with the protection system bypassed), we get a result that clearly indicates the anomalous behavior of user #5 (Figure <ref type="figure" target="#fig_3">3</ref>).</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="5.2.">Scenario 2</head><p>In the previous scenario, the organization's information assets were clearly demarcated between users. However, in most organizations this situation is the exception rather than the rule. As a rule, when performing tasks, employees of organizations very often use common resources. In this case, the application of the method based on the similarity matrix <ref type="bibr" target="#b15">[17]</ref> gives extremely contradictory results that cannot be interpreted.</p><p>As in Scenario 1, we denote the access rights of users to the assets of the organization by the matrix $A_A^c$. The fact of user access to assets is denoted by the access matrix $A_U^d$. In the matrix of actual access, let's mark with red symbols "1" the attempts of users to gain unauthorized access to assets, and with brown symbols "0" the authorized assets that were not used by users (in the transcription below, both kinds of marked entries are set in bold). In this case, the matrices $A_A^c$ and $A_U^d$, as an example, can have the form</p><formula xml:id="formula_8">$$A_A^c = \begin{bmatrix}
0\ 0\ 0\ 1\ 1\ 1\ 1\ 1\ 1\ 1 \\
0\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 0 \\
1\ 1\ 1\ 1\ 1\ 1\ 1\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
0\ 0\ 0\ 0\ 0\ 0\ 0\ 1\ 1\ 0 \\
0\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 0 \\
1\ 1\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
1\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ 0\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 1\ 1\ 0\ 0\ 1\ 1\ 1 \\
0\ 0\ 1\ 1\ 1\ 1\ 0\ 0\ 1\ 1 \\
0\ 1\ 1\ 1\ 1\ 1\ 0\ 0\ 1\ 1 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ 0\ 1
\end{bmatrix}, \quad
A_U^d = \begin{bmatrix}
0\ 0\ 0\ 1\ \mathbf{0}\ \mathbf{0}\ \mathbf{0}\ 1\ 1\ 1 \\
0\ 1\ 1\ \mathbf{0}\ 1\ \mathbf{0}\ 1\ 1\ 1\ 0 \\
1\ 1\ \mathbf{0}\ 1\ 1\ 1\ 1\ 0\ 0\ 0 \\
1\ 1\ 1\ 1\ 1\ 0\ 0\ 0\ \mathbf{1}\ 0 \\
0\ 0\ 0\ 0\ 0\ 0\ 0\ 1\ 1\ 0 \\
0\ 1\ 1\ 1\ 1\ 1\ 1\ 1\ 0\ 0 \\
1\ 1\ \mathbf{0}\ 1\ 1\ 1\ 0\ 0\ \mathbf{1}\ 0 \\
1\ 1\ 1\ \mathbf{0}\ 1\ 0\ 0\ 0\ \mathbf{1}\ 0 \\
1\ 1\ 0\ 0\ 0\ 1\ 1\ 1\ 1\ 1 \\
1\ 0\ 0\ \mathbf{1}\ 0\ 1\ 1\ 1\ 1\ 1 \\
0\ 0\ 0\ 0\ 0\ \mathbf{1}\ 1\ 1\ 1\ 1 \\
\mathbf{1}\ 0\ 0\ 1\ 1\ 0\ 0\ 1\ 1\ 1 \\
0\ 0\ 1\ 1\ 1\ 1\ 0\ 0\ 1\ 1 \\
0\ 1\ \mathbf{0}\ \mathbf{0}\ 1\ 1\ 0\ 0\ 1\ 1 \\
1\ \mathbf{0}\ 1\ 1\ 1\ \mathbf{1}\ 0\ 0\ 0\ 1
\end{bmatrix}.$$<label>(6)</label></formula><p>We simulate the situation described by matrices (6) using the similarity algorithm and the improved method. 
The results of modeling using the similarity algorithm and the improved method are shown in Figure <ref type="figure" target="#fig_4">4</ref> and Figure <ref type="figure" target="#fig_5">5</ref>. As we can see from Figure <ref type="figure" target="#fig_4">4</ref>, in the case when the access rights of different users overlap (when users can use shared resources), the similarity algorithm gives results that do not unambiguously indicate anomalies in user behavior. At the same time, the results in Figure <ref type="figure" target="#fig_5">5</ref> fully reproduce the pattern of malicious activity described by the matrix $A_U^d$. Moreover, the system can also determine the level of malicious activity <ref type="bibr" target="#b16">[18,</ref><ref type="bibr" target="#b17">19]</ref>. In particular, the matrix $A_U^d$ of formula <ref type="formula" target="#formula_8">(6)</ref> shows that attempts to gain unauthorized access to the organization's assets were made by users #1, #2, #4, #6 and #9. User #6 made two such attempts, and user #9 made three. The improved technique gives indicators for user #6 at the level of 22.2%, and for user #9 at 33.3%. For the other malicious actions, by users #1, #2 and #4, the result lies in the range 9.09% to 14.3%, which clearly distinguishes the more dangerous users against the background of the less dangerous ones. The separation of suspicious activity into different levels is important from the point of view of identifying real insiders, because in this case it is possible to set aside those users who perform unintentionally erroneous actions with information assets. In this way, the system will be better protected against false alarms.</p></div>
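<div xmlns="http://www.tei-c.org/ns/1.0"><p>The advanced method of Section 4.3 applied to the matrices of formulas (5) and (6), as an added worked example that is not the authors' code: it forms $M = A_A - A_U$, counts the $-1$ entries in each user's column, normalizes by that user's number of permissions in $A_A$, and ranks users by the result. The Scenario 2 matrices are transcribed from formula (6) as printed above; the Scenario 1 permissions matrix is assumed from the text (users #1 to #5 hold assets #1 to #7, users #6 to #10 hold assets #8 to #15), and the score for a user with no permissions at all is an assumption, since the paper does not define that case.</p>

```python
# Added example (not the authors' code): the advanced method of Section 4.3.
# Rows are assets, columns are users, as in formulas (5) and (6).  M = A_A - A_U:
# a -1 entry is an access the user had no permission for, a +1 entry a permitted
# asset left unused.  Score = (#-1 in column) / (#1 in the A_A column), in percent.
from __future__ import annotations


def parse_rows(text: str) -> list[list[int]]:
    """Parse one 0/1 row per line (one asset per row) into a matrix."""
    return [[int(v) for v in line.split()] for line in text.strip().splitlines()]


# Scenario 2 permissions matrix A_A^c, transcribed from formula (6).
A_A_C = parse_rows("""
0 0 0 1 1 1 1 1 1 1
0 1 1 1 1 1 1 1 1 0
1 1 1 1 1 1 1 0 0 0
1 1 1 1 1 0 0 0 0 0
0 0 0 0 0 0 0 1 1 0
0 1 1 1 1 1 1 1 0 0
1 1 1 1 1 1 0 0 0 0
1 1 1 1 1 0 0 0 0 0
1 1 0 0 0 1 1 1 1 1
1 0 0 0 0 1 1 1 1 1
0 0 0 0 0 0 1 1 1 1
0 0 0 1 1 0 0 1 1 1
0 0 1 1 1 1 0 0 1 1
0 1 1 1 1 1 0 0 1 1
1 1 1 1 1 0 0 0 0 1
""")

# Scenario 2 actual-access matrix A_U^d, transcribed from formula (6).
A_U_D = parse_rows("""
0 0 0 1 0 0 0 1 1 1
0 1 1 0 1 0 1 1 1 0
1 1 0 1 1 1 1 0 0 0
1 1 1 1 1 0 0 0 1 0
0 0 0 0 0 0 0 1 1 0
0 1 1 1 1 1 1 1 0 0
1 1 0 1 1 1 0 0 1 0
1 1 1 0 1 0 0 0 1 0
1 1 0 0 0 1 1 1 1 1
1 0 0 1 0 1 1 1 1 1
0 0 0 0 0 1 1 1 1 1
1 0 0 1 1 0 0 1 1 1
0 0 1 1 1 1 0 0 1 1
0 1 0 0 1 1 0 0 1 1
1 0 1 1 1 1 0 0 0 1
""")


def scenario1_matrices():
    """Scenario 1 (formula 5). Permissions are assumed from the text: users 1-5 hold
    assets 1-7, users 6-10 hold assets 8-15. A_U^a: user #5 touches asset #8;
    A_U^b: the same, but user #5 also skips his permitted asset #1."""
    perms = [[1] * 5 + [0] * 5 for _ in range(7)] + [[0] * 5 + [1] * 5 for _ in range(8)]
    a_u_a = [row[:] for row in perms]
    a_u_a[7][4] = 1  # asset #8, user #5: access without permission
    a_u_b = [row[:] for row in a_u_a]
    a_u_b[0][4] = 0  # asset #1, user #5: permitted asset left unused
    return perms, a_u_a, a_u_b


def malicious_activity(permissions, actual) -> list[dict]:
    """Per-user score of the advanced method: granted assets, unauthorized accesses
    (-1 entries of M), unused permitted assets (+1 entries) and unauthorized/granted
    as a percentage rounded to 2 dp.  A user with no permissions but some access
    gets inf (assumption: the paper does not define this case, so surface it)."""
    if len(actual) != len(permissions) or any(len(r) != len(permissions[0]) for r in actual):
        raise ValueError("A_A and A_U must have the same shape (assets x users)")
    results = []
    for j in range(len(permissions[0])):
        granted = unauthorized = unused = 0
        for i in range(len(permissions)):
            m = permissions[i][j] - actual[i][j]  # element of M = A_A - A_U
            granted += permissions[i][j]
            if m == -1:
                unauthorized += 1
            elif m == 1:
                unused += 1
        if granted:
            percent = round(100.0 * unauthorized / granted, 2)
        else:
            percent = float("inf") if unauthorized else 0.0
        results.append({"user": j + 1, "granted": granted, "unauthorized": unauthorized,
                        "unused": unused, "percent": percent})
    return results


def rank_suspicious(results) -> list[dict]:
    """Users with at least one unauthorized access, highest score first (Section 5.2:
    separating levels of activity lets the administrator look at the worst cases first)."""
    flagged = [r for r in results if r["unauthorized"]]
    return sorted(flagged, key=lambda r: r["percent"], reverse=True)


if __name__ == "__main__":
    for r in rank_suspicious(malicious_activity(A_A_C, A_U_D)):
        print(f"user #{r['user']}: {r['unauthorized']}/{r['granted']} -> {r['percent']}%")
```

Run as a script, it lists the Scenario 2 users in order #9 (33.33%), #6 (22.22%), #1 (14.29%), #4 (9.09%), the same separation into levels that Section 5.2 describes.</div>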
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="6.">Conclusions</head><p>The improved method given in this article makes it possible to unambiguously determine that the user's interaction with some information asset of the organization is anomalous. This, in turn, may indicate a possible insider attack. The results of the application of the improved method may be transferred to the information security administrator for further analysis and action. It is expected that in some cases such an approach will not make it possible to reliably determine whether a given activity is malicious, since the analysis does not take into account the context of the interaction and the reason for its occurrence; in addition, other, personal characteristics of a specific user are not taken into account. In any case, the application of this technique is advisable in combination with the analysis of other indicators that allow determining the presence of a user's propensity for malicious activity, for example, taking into account the loyalty of the staff. By integrating real-time monitoring and behavior profiling, the technique can serve as an early warning system, flagging users whose actions deviate significantly from established norms. This can allow security administrators to intervene promptly, reducing response times and minimizing potential damage. Moreover, combining this method with context-aware analysis and psychological profiling could provide a more holistic approach to insider threat management, balancing technological detection with an understanding of human factors.</p><p>Future research in this area could explore the integration of machine learning techniques with the proposed method to enhance the detection of insider threats in more complex organizational environments. 
Specifically, incorporating predictive analytics and anomaly detection algorithms could improve the system's ability to identify patterns of malicious behavior even when insiders attempt to mask their activity.</p></div><figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_0"><head>Algorithm of similarity (Section 4.2), listing fragment</head><figDesc>Only the expression $C(G_{U_k}) = \mathrm{Table}[\ldots \mathrm{If}[i = j, 0, C(u_i, u_j)], \{i, \ldots]$ of the algorithm listing survives extraction.</figDesc></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_1"><head>Figure 1 .</head><label>1</label><figDesc>Figure 1. Calculating the abnormality of user behavior #5 using the similarity algorithm.</figDesc><graphic coords="7,101.57,62.35,396.83,247.45" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_2"><head>Figure 2 .</head><label>2</label><figDesc>Figure 2. Calculating the abnormality of the behavior of user #5 using the similarity algorithm when he tries to bypass the protection system.</figDesc><graphic coords="7,101.57,428.28,396.77,248.55" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_3"><head>Figure 3 .</head><label>3</label><figDesc>Figure 3. Calculating the abnormality of user behavior #5 using an improved method.</figDesc><graphic coords="8,101.57,62.35,396.80,256.50" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_4"><head>Figure 4 .</head><label>4</label><figDesc>Figure 4. Calculating anomalies using the similarity algorithm.</figDesc><graphic coords="9,125.23,118.73,350.16,218.60" type="bitmap" /></figure>
<figure xmlns="http://www.tei-c.org/ns/1.0" xml:id="fig_5"><head>Figure 5 .</head><label>5</label><figDesc>Figure 5. Calculating of anomalies according to the improved method.</figDesc><graphic coords="9,123.32,373.78,353.61,230.10" type="bitmap" /></figure>
		</body>
		<back>
			<div type="annex">
<div xmlns="http://www.tei-c.org/ns/1.0"><head>Declaration on Generative AI</head><p>The authors have not employed any Generative AI tools.</p></div>			</div>
		</back>
	</text>
</TEI>
