The Feasibility of Using Behavioural Profiling Technique for Mitigating Insider Threats: Review

Insider threat has become a serious issue to the many organizations. Various companies are increasingly deploying many information technologies to prevent unauthorized access to getting inside their system. Biometrics approaches have some techniques that contribute towards controlling the point of entry. However, these methods mainly are not able to continuously validate the users reliability. In contrast behavioral profiling is one of the biometrics technologies but it focusing on the activities of the users during using the system and comparing that with a previous history. This paper presents a comprehensive analysis, literature review and limitations on behavioral profiling approach and to what extent that can be used for mitigating insider misuse

PROFILING - CONCEPTS AND APPLICATIONS

Profiling is an approach to put a label or a set of labels on a subject, considering the characteristics of this subject. The New Oxford American Dictionary defines profiling as: “recording and analysis of a person’s psychological and behavioral characteristics, so as to assess or predict his/her capabilities in a certain sphere or to assist in identifying a particular subgroup of people”. This research extends this definition towards things demonstrating that many methods used for profiling of people may be applied for a different type of subjects, namely things. The goal of this research concerns proposing methods for discovery of profiles of users and things with application of Data Science methods. The profiles are utilized in vertical and 2 horizontal scenarios and concern such domains as smart grid and telecommunication (vertical scenarios), and support provided both for the needs of authorization and personalization (horizontal usage).:The thesis consists of eight chapters including an introduction and a summary. First chapter describes motivation for work that was carried out for the last 8 years together with discussion on its importance both for research and business practice. The motivation for this work is much broader and emerges also from business importance of profiling and personalization. The introduction summarizes major research directions, provides research questions, goals and supplementary objectives addressed in the thesis. Research methodology is also described, showing impact of methodological aspects on the work undertaken. Chapter 2 provides introduction to the notion of profiling. The definition of profiling is introduced. Here, also a relation of a user profile to an identity is discussed. The papers included in this chapter show not only how broadly a profile may be understood, but also how a profile may be constructed considering different data sources. Profiling methods are introduced in Chapter 3. This chapter refers to the notion of a profile developed using the BFI-44 personality test and outcomes of a survey related to color preferences of people with a specific personality. Moreover, insights into profiling of relations between people are provided, with a focus on quality of a relation emerging from contacts between two entities. Chapters from 4 to 7 present different scenarios that benefit from application of profiling methods. Chapter 4 starts with introducing the notion of a public utility company that in the thesis is discussed using examples from smart grid and telecommunication. Then, in chapter 4 follows a description of research results regarding profiling for the smart grid, focusing on a profile of a prosumer and forecasting demand and production of the electric energy in the smart grid what can be influenced e.g. by weather or profiles of appliances. Chapter 5 presents application of profiling techniques in the field of telecommunication. Besides presenting profiling methods based on telecommunication data, in particular on Call Detail Records, also scenarios and issues related to privacy and trust are addressed. Chapter 6 and Chapter 7 target at horizontal applications of profiling that may be of benefit for multiple domains. Chapter 6 concerns profiling for authentication using un-typical data sources such as Call Detail Records or data from a mobile phone describing the user behavior. Besides proposing methods, also limitations are discussed. In addition, as a side research effect a methodology for evaluation of authentication methods is proposed. Chapter 7 concerns personalization and consists of two diverse parts. Firstly, behavioral profiles to change interface and behavior of the system are proposed and applied. The performance of solutions personalizing content either locally or on the server is studied. Then, profiles of customers of shopping centers are created based on paths identified using Call Detail Records. The analysis demonstrates that the data that is collected for one purpose, may significantly influence other business scenarios. Chapter 8 summarizes the research results achieved by the author of this document. It presents contribution over state of the art as well as some insights into the future work planned

Behavioural Monitoring via Network Communications

It is commonly acknowledged that using Internet applications is an integral part of an individual’s everyday life, with more than three billion users now using Internet services across the world; and this number is growing every year. Unfortunately, with this rise in Internet use comes an increasing rise in cyber-related crime. Whilst significant effort has been expended on protecting systems from outside attack, only more recently have researchers sought to develop countermeasures against insider attack. However, for an organisation, the detection of an attack is merely the start of a process that requires them to investigate and attribute the attack to an individual (or group of individuals). The investigation of an attack typically revolves around the analysis of network traffic, in order to better understand the nature of the traffic flows and importantly resolves this to an IP address of the insider. However, with mobile computing and Dynamic Host Control Protocol (DHCP), which results in Internet Protocol (IP) addresses changing frequently, it is particularly challenging to resolve the traffic back to a specific individual. The thesis explores the feasibility of profiling network traffic in a biometric-manner in order to be able to identify users independently of the IP address. In order to maintain privacy and the issue of encryption (which exists on an increasing volume of network traffic), the proposed approach utilises data derived only from the metadata of packets, not the payload. The research proposed a novel feature extraction approach focussed upon extracting user-oriented application-level features from the wider network traffic. An investigation across nine of the most common web applications (Facebook, Twitter, YouTube, Dropbox, Google, Outlook, Skype, BBC and Wikipedia) was undertaken to determine whether such high-level features could be derived from the low-level network signals. The results showed that whilst some user interactions were not possible to extract due to the complexities of the resulting web application, a majority of them were. Having developed a feature extraction process that focussed more upon the user, rather than machine-to-machine traffic, the research sought to use this information to determine whether a behavioural profile could be developed to enable identification of the users. Network traffic of 27 users over 2 months was collected and processed using the aforementioned feature extraction process. Over 140 million packets were collected and processed into 45 user-level interactions across the nine applications. The results from behavioural profiling showed that the system is capable of identifying users, with an average True Positive Identification Rate (TPIR) in the top three applications of 87.4%, 75% and 61.9% respectively. Whilst the initial study provided some encouraging results, the research continued to develop further refinements which could improve the performance. Two techniques were applied, fusion and timeline analysis techniques. The former approach sought to fuse the output of the classification stage to better incorporate and manage the variability of the classification and resulting decision phases of the biometric system. The latter approach sought to capitalise on the fact that whilst the IP address is not reliable over a period of time due to reallocation, over shorter timeframes (e.g. a few minutes) it is likely to reliable and map to the same user. The results for fusion across the top three applications were 93.3%, 82.5% and 68.9%. The overall performance adding in the timeline analysis (with a 240 second time window) on average across all applications was 72.1%. Whilst in terms of biometric identification in the normal sense, 72.1% is not outstanding, its use within this problem of attributing misuse to an individual provides the investigator with an enormous advantage over existing approaches. At best, it will provide him with a user’s specific traffic and at worst allow them to significantly reduce the volume of traffic to be analysed

Continuous Identity Verification in Cloud Computing Services

Cloud computing has become a hugely popular new paradigm for hosting and delivering services over the internet for individuals and organisations with low cost. However, security is a sensitive issue in cloud computing, as it its services remain accessible to anyone after initial authenticated login and for significant periods. This has led to an increase in the number of attacks on sensitive cus-tomer information. This research identified biometric approaches as a possible solution for security to be maintained beyond the point of entry. Specifically, behaviour profiling has been proposed and applied across various other applications in the area of Transparent Authentication Systems (TAS’s) and Intrusion Detection Systems (IDS’s) to detect account misuse. However, little research has sought to imple-ment this technique within cloud computing services to detect misuse. This research proposes a novel continuous identity verification system as a supporting factor to protect cloud users by operating transparently to detect ab-normal access. The research examines the feasibility of applying a behavioural profiling technique on cloud users with respect to Software as a Service (SaaS) and Infrastructure as a Service (IaaS). Two real-life datasets were collected from 30 and 60 users for SaaS and IaaS studies, respectively. A thorough design and investigation of the biometric techniques was undertaken, including description statistics analysis and pattern classification optimisation. A number of factors were analysed to evaluate the impact on system performance, such as volume of data and type of sample selection. On average, using random sampling, the best experimental result achieved an EER (Equal Error Rate) of as low as 5.8%; six users experienced EERs equal to or less than 0.3%. Moreover, the IaaS study achieved a higher performance than the SaaS study with an overall EER of 0.32%. Based on the intensive analysis of the experimental performance of SaaS and IaaS studies, it has been identified that changes in user behaviour over time can negatively affect the performance of the suggested technique. Therefore, a dy-namic template renewal procedure has been proposed as a novel solution to keep recent user behaviour updated in the current users’ templates. The practi-cal experimental result using the more realistic time-series sampling methodolo-gy has shown the validity of the proposed solution with higher accuracy of 5.77 % EER

Mitigate denial of service attacks in mobile ad-hoc networks

Wireless networks are proven to be more acceptable by users compared with wired networks for many reasons, namely the ease of setup, reduction in running cost, and ease of use in different situations such as disasters recovery. A Mobile ad-hoc network (MANET) is as an example of wireless networks. MANET consists of a group of hosts called nodes which can communicate freely via wireless links. MANET is a dynamic topology, self-configured, non-fixed infrastructure, and does not have any central administration that controls all nodes among the network. Every device, used in day-to-day living, is assumed to be a network device, and it is managed using Internet Protocols (IP). Information on every electronic device is collected using infrared sensors, voice or video sensors, Radio-Frequency Identification (RFID), etc. The new wireless networks and communications paradigm known as Internet of Things (IoT) is introduced which refers to the range of multiple interconnected devices which communicate and exchange data between one another. MANET becomes prone to many attacks mainly due to its specifications and challenges such as limited bandwidth, nodes mobility and limited energy. This research study focuses specifically on detecting Denial of Service attack (DoS) in MANET. The main purpose of DoS attack is to deprive legitimate users from using their authenticated services such as network resources. Thus, the network performance would degrade and exhaust the network resources such as computing power and bandwidth considerably which lead the network to be deteriorated. Therefore, this research aims to detect DoS attacks in both Single MANET (SM) and Multi MANETs (MM). A novel Monitoring, Detection, and Rehabilitation (MrDR) method is proposed in order to detect DoS attack in MANET. The proposed method is incorporating trust concept between nodes. Trust value is calculated in each node to decide whether the node is trusted or not. To address the problem when two or more MANETs merge to become one big MANET, the novel technique of Merging Using MrDR (MUMrDR) is also applied to detect DoS attack. As the mobility of nodes in MANET, the chance of MANETs merge or partition occurs. Both centralised and decentralised trust concepts are used to deal with IP address conflict and the merging process is completed by applying the MUMrDR method to detect DoS attacks in MM. The simulation results validate the effectiveness in the proposed method to detect different DoS attacks in both SM and MM

Measuring Behavior 2018 Conference Proceedings

These proceedings contain the papers presented at Measuring Behavior 2018, the 11th International Conference on Methods and Techniques in Behavioral Research. The conference was organised by Manchester Metropolitan University, in collaboration with Noldus Information Technology. The conference was held during June 5th – 8th, 2018 in Manchester, UK. Building on the format that has emerged from previous meetings, we hosted a fascinating program about a wide variety of methodological aspects of the behavioral sciences. We had scientific presentations scheduled into seven general oral sessions and fifteen symposia, which covered a topical spread from rodent to human behavior. We had fourteen demonstrations, in which academics and companies demonstrated their latest prototypes. The scientific program also contained three workshops, one tutorial and a number of scientific discussion sessions. We also had scientific tours of our facilities at Manchester Metropolitan Univeristy, and the nearby British Cycling Velodrome. We hope this proceedings caters for many of your interests and we look forward to seeing and hearing more of your contributions

Semantic discovery and reuse of business process patterns

Patterns currently play an important role in modern information systems (IS) development and their use has mainly been restricted to the design and implementation phases of the development lifecycle. Given the increasing significance of business modelling in IS development, patterns have the potential of providing a viable solution for promoting reusability of recurrent generalized models in the very early stages of development. As a statement of research-in-progress this paper focuses on business process patterns and proposes an initial methodological framework for the discovery and reuse of business process patterns within the IS development lifecycle. The framework borrows ideas from the domain engineering literature and proposes the use of semantics to drive both the discovery of patterns as well as their reuse

Proceedings of the 2nd Conference on Production Systems and Logistics (CPSL 2021)

Proceedings of the CPSL 202