User behavior pattern based security provisioning for distributed systems
Date
2016-01-01
Authors
Abstract
Behaviors of authorized users must be monitored and controlled because of the rise
of insider threats. Security analysts in large distributed systems are overwhelmed
by the number of system users and by the complexity and changing nature of user activities.
Identifying user behavior patterns by analyzing audit logs is therefore challenging.
The lack of a general user behavior pattern model restricts the effective use of data
mining techniques, and limited access to real-world audit logs, owing to privacy concerns,
also hinders the learning of user behavior. The central problem addressed in this thesis is
the need to help security analysts obtain deep insight into user behavior patterns.
To address this problem, the thesis defines a user behavior pattern
as consisting of four factors: actor, action sequence, context, and time interval.
Based on this pattern model, the thesis proposes a knowledge-driven
user behavior pattern discovery approach, with step-by-step guidance for security
analysts throughout the whole process. All steps of the user behavior pattern mining
process are uniformly represented using a formalism. A user/tool collaborative environment
built on top of data mining techniques is designed for constructing a baseline
of common behavior patterns for individuals, peer groups, and specific contexts.
A prototype toolkit developed as part of this thesis provides an environment
for user behavior pattern mining and analysis. To evaluate the proposed
approach, a behavior-based dataset generator is developed to simulate audit logs
containing designed user behavior patterns. Moreover, two real-world datasets,
collected from distributed medical imaging systems and from public cloud services
respectively, are used to test the proposed model.
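The following is an added illustration of the four-factor pattern model (actor, action sequence, context, time interval) and of a per-actor and per-peer-group baseline built from it. It is not the thesis toolkit or the author's code: the audit log line format, the constructed sample log, the 10-minute session gap that cuts an actor's event stream into action sequences, the day/night time band, and the peer-group mapping are all assumptions made for the example.

```python
"""Mine (actor, action sequence, context, time interval) patterns from
audit log lines and check new patterns against a baseline.

Added illustration, not the thesis toolkit. The log format, session
gap, time band and peer-group mapping below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample audit log: "<iso timestamp> <actor> <action> <context>".
SAMPLE_LOG = """\
2016-01-04T09:00:10 alice login radiology
2016-01-04T09:01:30 alice view_study radiology
2016-01-04T09:03:05 alice annotate radiology
2016-01-04T09:04:00 alice logout radiology
2016-01-04T09:10:00 bob login radiology
2016-01-04T09:11:20 bob view_study radiology
2016-01-04T09:13:45 bob logout radiology
2016-01-04T13:00:00 alice login radiology
2016-01-04T13:01:10 alice view_study radiology
2016-01-04T13:02:40 alice annotate radiology
2016-01-04T13:03:30 alice logout radiology
2016-01-04T23:30:00 alice login radiology
2016-01-04T23:31:00 alice export_study radiology
2016-01-04T23:32:00 alice logout radiology
"""

PEER_GROUP = {"alice": "radiologist", "bob": "radiologist"}  # assumed mapping
SESSION_GAP = timedelta(minutes=10)  # assumed: a gap this long ends a sequence


@dataclass(frozen=True)
class Pattern:
    """One behavior pattern: the four factors of the model."""
    actor: str
    actions: Tuple[str, ...]
    context: str
    interval: Tuple[datetime, datetime]


def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, actor, action, context), time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, context = line.split()
        events.append((datetime.fromisoformat(ts), actor, action, context))
    return sorted(events)


def mine_patterns(events, gap: timedelta = SESSION_GAP) -> List[Pattern]:
    """Split each (actor, context) stream into sessions separated by `gap`;
    each session yields one Pattern whose interval is (first, last) timestamp."""
    patterns: List[Pattern] = []
    open_sessions: Dict[Tuple[str, str], list] = {}  # key -> [start, last, actions]
    for ts, actor, action, context in events:
        key = (actor, context)
        sess = open_sessions.get(key)
        if sess is not None and ts - sess[1] > gap:
            patterns.append(Pattern(actor, tuple(sess[2]), context, (sess[0], sess[1])))
            sess = None
        if sess is None:
            sess = open_sessions[key] = [ts, ts, []]
        sess[1] = ts
        sess[2].append(action)
    for (actor, context), (start, last, actions) in open_sessions.items():
        patterns.append(Pattern(actor, tuple(actions), context, (start, last)))
    patterns.sort(key=lambda p: p.interval[0])
    return patterns


def time_band(ts: datetime) -> str:
    """Coarse time-interval feature; 07:00-19:00 is assumed to be the working day."""
    return "day" if 7 <= ts.hour < 19 else "night"


def signature(p: Pattern) -> Tuple[Tuple[str, ...], str, str]:
    """Actor-independent key used for baselining: sequence, context, time band."""
    return (p.actions, p.context, time_band(p.interval[0]))


def build_baseline(patterns: List[Pattern], peer_group=PEER_GROUP):
    """Baseline of common patterns per actor and per peer group."""
    by_actor: Dict[str, Set] = defaultdict(set)
    by_group: Dict[str, Set] = defaultdict(set)
    for p in patterns:
        sig = signature(p)
        by_actor[p.actor].add(sig)
        by_group[peer_group.get(p.actor, "unknown")].add(sig)
    return by_actor, by_group


def assess(p: Pattern, baseline, peer_group=PEER_GROUP) -> Dict[str, bool]:
    """Is this pattern already common for the actor, and for the actor's peers?"""
    by_actor, by_group = baseline
    sig = signature(p)
    group = peer_group.get(p.actor, "unknown")
    return {
        "known_to_actor": sig in by_actor.get(p.actor, set()),
        "known_to_peers": sig in by_group.get(group, set()),
    }


def run_demo():
    """Baseline on all but the latest pattern, then assess the latest one."""
    patterns = mine_patterns(parse_events(SAMPLE_LOG))
    baseline = build_baseline(patterns[:-1])
    return patterns, assess(patterns[-1], baseline)


if __name__ == "__main__":
    found, verdict = run_demo()
    for p in found:
        print(p.actor, p.context, time_band(p.interval[0]), " -> ".join(p.actions))
    print("latest pattern:", verdict)
```

In the constructed log, alice's two daytime sessions share a signature, so the second is known to both alice and her peer group, while the late-night `login, export_study, logout` session matches neither baseline on sequence or time band. The checks are binary set membership for clarity; a baseline of "common" patterns as described in the abstract would instead keep frequencies per individual, peer group and context and rank rare patterns for the analyst.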
Keywords
User behavior pattern, Data mining, Synthetic dataset generation, Security provisioning