Researchers at MSUPE have developed two criteria for identifying deviations in user behaviour when diagnosing network threats: one based on self-organizing neural networks, and the other classifying users according to the sequences of typical actions they perform. The study, carried out with the support of the Ministry of Science and Higher Education, was published in the peer-reviewed journal Experimental Psychology.
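To make the first criterion concrete, here is an added example (not code from the study or from MSUPE) of how a self-organizing map can flag deviating behaviour: the map is trained on per-user activity profiles that are assumed to be normal, and a new profile whose distance to its best-matching neuron (the quantization error) exceeds a threshold derived from the training errors is reported as a deviation. The four profile features, the two "normal" user groups and the threshold rule (twice the largest training error) are all constructed assumptions for the illustration.

```python
import math
import random


def euclid(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def best_matching_unit(weights, x):
    """Return grid coordinates (row, col) of the neuron closest to x."""
    best = None
    for r, row in enumerate(weights):
        for c, w in enumerate(row):
            d = euclid(w, x)
            if best is None or d < best[0]:
                best = (d, r, c)
    return best[1], best[2]


def train_som(vectors, rows=3, cols=3, epochs=200, seed=0):
    """Train a small rectangular SOM with a Gaussian neighbourhood.

    Learning rate and neighbourhood radius decay linearly over the epochs,
    so the map first organises globally and then fine-tunes locally.
    """
    rng = random.Random(seed)
    dim = len(vectors[0])
    weights = [[[rng.random() for _ in range(dim)] for _ in range(cols)]
               for _ in range(rows)]
    radius0 = max(rows, cols) / 2.0
    for epoch in range(epochs):
        frac = epoch / epochs
        lr = 0.5 * (1.0 - frac) + 0.01
        radius = radius0 * (1.0 - frac) + 0.5
        for x in vectors:
            br, bc = best_matching_unit(weights, x)
            for r in range(rows):
                for c in range(cols):
                    d2 = (r - br) ** 2 + (c - bc) ** 2
                    h = math.exp(-d2 / (2.0 * radius * radius))
                    w = weights[r][c]
                    for i in range(dim):
                        w[i] += lr * h * (x[i] - w[i])
    return weights


def quantization_error(weights, x):
    """Distance from x to its best-matching neuron; large values mean 'unfamiliar'."""
    r, c = best_matching_unit(weights, x)
    return euclid(weights[r][c], x)


class SomDeviationDetector:
    """Flags a user profile as deviating when its quantization error is
    larger than twice the largest error seen on the normal training profiles
    (an assumed threshold rule for this example)."""

    def __init__(self, normal_profiles, seed=0):
        self.weights = train_som(normal_profiles, seed=seed)
        errors = [quantization_error(self.weights, p) for p in normal_profiles]
        self.threshold = 2.0 * max(errors)

    def score(self, profile):
        return quantization_error(self.weights, profile)

    def is_deviation(self, profile):
        return self.score(profile) > self.threshold


# Constructed sample data. Each profile is [logins per hour, data volume,
# failed-login rate, distinct hosts contacted], every feature scaled to 0..1.
def make_profiles(center, n, rng, noise=0.05):
    return [[min(1.0, max(0.0, v + rng.uniform(-noise, noise))) for v in center]
            for _ in range(n)]


_rng = random.Random(42)
NORMAL_PROFILES = (make_profiles([0.3, 0.2, 0.05, 0.2], 20, _rng)   # office users
                   + make_profiles([0.6, 0.5, 0.10, 0.6], 20, _rng))  # admins
SUSPICIOUS_PROFILE = [0.95, 0.95, 0.90, 0.95]  # constructed outlier


def build_demo_detector():
    return SomDeviationDetector(NORMAL_PROFILES, seed=0)


if __name__ == "__main__":
    det = build_demo_detector()
    print("threshold", round(det.threshold, 3))
    print("normal   ", round(det.score(NORMAL_PROFILES[0]), 3), det.is_deviation(NORMAL_PROFILES[0]))
    print("outlier  ", round(det.score(SUSPICIOUS_PROFILE), 3), det.is_deviation(SUSPICIOUS_PROFILE))
```

The threshold is learned only from profiles assumed to be normal, so the detector never needs labelled attack data; the price is that a previously unseen but legitimate kind of user (a new role, a new tool) will also score as a deviation until its profiles are added to the training set.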
Protecting computers from network threats is one of the most important information security issues. Standard security tools used in cloud environments today (data encryption, user identification tools, restriction of access rights and traffic volumes, etc.) are often not effective enough.
"There is a new way of identifying possible threats based on analyzing user behaviour in real time. Western companies are already using several services analyzing the activity of a large number of users such as Cloud Access Security Broker, LANeye, and UEBA," commented Dean of the MSUPE Information Technologies Department Lev Kuravsky.
The first criterion, based on self-organizing neural networks, is much more effective than the classical methods of multidimensional statistical analysis, MSUPE experts noted. The second criterion assigns users with deviations in behaviour to categories according to the sequences of typical actions they perform.
This algorithm uses the theory of Markov stochastic processes together with maximum likelihood estimation: a separate model, with its own set of transition probabilities between states, is introduced for each category of users, whether that category represents correct or incorrect behaviour.
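The following is an added example (not the study's own code) of the second criterion as the paragraph describes it: one first-order Markov chain per user category, with transition probabilities estimated by maximum likelihood from the action sequences observed for that category, and a new sequence assigned to the category under which its log-likelihood is highest. The action alphabet, the two categories ("normal" and "anomalous") and the training sequences are constructed for the illustration; the additive smoothing constant `alpha` is an assumption added so that a transition never seen in training does not drive the likelihood to zero.

```python
import math


class MarkovActionModel:
    """Transition model for one user category.

    Probabilities are maximum-likelihood estimates (transition counts divided
    by the row total), with additive smoothing `alpha` so unseen transitions
    keep a small non-zero probability.
    """

    def __init__(self, states, alpha=0.5):
        self.states = list(states)
        self.alpha = alpha
        self.start = {s: 0 for s in self.states}
        self.trans = {s: {t: 0 for t in self.states} for s in self.states}
        self.n_seq = 0

    def fit(self, sequences):
        for seq in sequences:
            self._check(seq)
            self.n_seq += 1
            self.start[seq[0]] += 1
            for a, b in zip(seq, seq[1:]):
                self.trans[a][b] += 1
        return self

    def _check(self, seq):
        unknown = [s for s in seq if s not in self.trans]
        if not seq or unknown:
            raise ValueError(f"empty sequence or unknown actions: {unknown}")

    def start_prob(self, s):
        k = len(self.states)
        return (self.start[s] + self.alpha) / (self.n_seq + self.alpha * k)

    def trans_prob(self, a, b):
        k = len(self.states)
        row_total = sum(self.trans[a].values())
        return (self.trans[a][b] + self.alpha) / (row_total + self.alpha * k)

    def log_likelihood(self, seq):
        """log P(sequence | this category) under the first-order chain."""
        self._check(seq)
        ll = math.log(self.start_prob(seq[0]))
        for a, b in zip(seq, seq[1:]):
            ll += math.log(self.trans_prob(a, b))
        return ll


class UserBehaviourClassifier:
    """One MarkovActionModel per category; classification by maximum likelihood."""

    def __init__(self, states, alpha=0.5):
        self.states = list(states)
        self.alpha = alpha
        self.models = {}

    def fit(self, labelled_sequences):
        for category, seqs in labelled_sequences.items():
            self.models[category] = MarkovActionModel(self.states, self.alpha).fit(seqs)
        return self

    def classify(self, seq):
        scores = {c: m.log_likelihood(seq) for c, m in self.models.items()}
        return max(scores, key=scores.get), scores


# Constructed action alphabet and training sequences (not real user data).
ACTIONS = ["login", "browse", "download", "upload", "admin", "logout"]
TRAINING = {
    "normal": [
        ["login", "browse", "download", "logout"],
        ["login", "browse", "browse", "logout"],
        ["login", "browse", "download", "browse", "logout"],
        ["login", "download", "browse", "logout"],
        ["login", "browse", "upload", "logout"],
    ],
    "anomalous": [
        ["login", "download", "download", "download", "logout"],
        ["login", "download", "download", "upload", "download", "logout"],
        ["login", "browse", "download", "download", "download", "logout"],
    ],
}


def build_demo_classifier():
    return UserBehaviourClassifier(ACTIONS).fit(TRAINING)


if __name__ == "__main__":
    clf = build_demo_classifier()
    for seq in (["login", "browse", "browse", "download", "logout"],
                ["login", "download", "download", "download", "download", "logout"]):
        label, scores = clf.classify(seq)
        print(label, {c: round(v, 2) for c, v in scores.items()}, seq)
```

Because each category has its own transition matrix, the score of a sequence under the "anomalous" model rises with every repeated `download` transition that the "normal" model rarely saw; the gap between the two log-likelihoods is a natural confidence measure for an alert, and the per-transition terms show an analyst which steps of the session drove the decision.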