Published March 9, 2023 | Version v1
Journal article Open

MONITORING AND ANALYSIS OF THE BEHAVIOR OF USERS OF COMPUTER SYSTEMS

Author affiliation: Master at the Tashkent University of Information Technologies named after Muhammad al-Kharezmy

Description

This work considers the construction of effective software systems for protection against internal (insider) intrusions that are based on non-signature methods and have the properties of autonomy, adaptability and self-learning. The problems of consolidating raw data from application logs and OS logs, the methods of intermediate representation, and the transmission and storage of the collected data are treated separately. An architecture for the consolidation system and for the security analyst's workstation is proposed. Methods are proposed for using OLAP technology to analyze the collected data on user activity, as well as Data Mining algorithms for building a model of user behavior based on association rules.

The constructed behavior model can be presented visually to a security analyst as a network of dependencies, and it can also be used to automatically search for anomalies in user behavior and to assess the degree of potential threat posed by each user. An experimental pilot version of such a system was implemented and verified according to the DARPA Intrusion Detection Evaluation Program methodology, using its reference data sets. The results of this experimental verification are given in the work.


Files

5.pdf (390.1 kB, md5:af5fea8f8a91662853cdda0bd44869c3)