15 research outputs found

    Anomaly-based insider threat detection with expert feedback and descriptions

    Abstract. Insider threat is one of the most significant security risks for organizations, hence insider threat detection is an important task. Anomaly detection is one approach to insider threat detection. Anomaly detection techniques can be categorized into three categories with respect to how much labelled data is needed: unsupervised, semi-supervised and supervised. Obtaining accurate labels of all kinds of incidents for supervised learning is often expensive and impractical. Unsupervised methods do not require labelled data, but they have a high false positive rate because they operate on the assumption that anomalies are rarer than nominals. This can be mitigated by introducing feedback, known as expert-feedback or active learning. This allows the analyst to label a subset of the data. Another problem is the fact that models often are not interpretable, thus it is unclear why the model decided that a data instance is an anomaly. This thesis presents a literature review of insider threat detection, unsupervised and semi-supervised anomaly detection. The performance of various unsupervised anomaly detectors is evaluated. Knowledge is introduced into the system by using a state-of-the-art feedback technique for ensembles, known as active anomaly discovery, which is incorporated into the anomaly detector known as isolation forest. Additionally, to improve interpretability, techniques for creating rule-based descriptions for the isolation forest are evaluated. Experiments were performed on the CMU-CERT dataset, which is the only publicly available insider threat dataset with logon, removable device and HTTP log data. Models use usage count and session-based features that are computed per user for every day. The results show that active anomaly discovery helps in ranking true positives higher on the list, lowering the amount of data analysts have to analyse. Results also show that both compact description and Bayesian rulesets have the potential to be used in generating decision-rules that aid in analysing incidents; however, these rules are not correct in every instance.
    Anomaly-based insider threat detection with the help of feedback and descriptions. Abstract. Insider threats are one of the most serious risks for organizations. For this reason, detecting insider threats is important. Insider threats can be detected with anomaly detection methods. These methods can be classified into three learning categories based on the amount of information available: unsupervised, semi-supervised and supervised. Obtaining fully correctly labelled data for supervised learning can be very expensive and impractical. Unsupervised learning methods do not require labelled data, but the proportion of false positives is higher, because these methods are based on the assumption that anomalies are rarer than normal cases. The proportion of false positives can be reduced by introducing feedback, whereby the analyst can label part of the data. This thesis first reviews insider threat detection, the research that has been done, and unsupervised and semi-supervised anomaly detection. The performance of a few promising unsupervised anomaly detectors is evaluated. Knowledge of the detection problem is added to the system using the pioneering active anomaly discovery feedback method, which was designed for detector ensembles. This is evaluated with the Isolation Forest detector. In addition, so that the analyst can handle the detections better, this work also evaluates a method for generating rule-based descriptions for the Isolation Forest detector. The experiments were carried out using the public CMU-CERT dataset, which is the only public dataset that contains, among other things, logon, USB device and HTTP events. The models use usage count and session-based features, which are generated for each user and day. Based on the results, Active Anomaly Discovery helps place the more suspicious events at the top of the list, reducing the amount of data the analyst needs to examine. The compact description and Bayesian ruleset methods are able to generate rules that describe why an event is suspicious, but these rules are not always correct.

    Reduced Number of Pediatric Orthopedic Trauma Requiring Operative Treatment during COVID-19 Restrictions: A Nationwide Cohort Study

    Background and Aims: The coronavirus outbreak significantly changed the need of healthcare services. We hypothesized that the COVID-19 pandemic decreased the frequency of pediatric fracture operations. We also hypothesized that the frequency of emergency pediatric surgical operations decreased as well, as a result of patient-related reasons, such as neglecting or underestimating the symptoms, to avoid hospital admission. Materials and Methods: Nationwide data were individually collected and analyzed in all five tertiary pediatric surgical/trauma centers in Finland. Operations related to fractures, appendicitis, and acute scrotum in children aged above 16 years between March 1 and May 31 from 2017 to 2020 were identified. The monthly frequencies of operations and type of traumas were compared between prepandemic 3 years and 2020. Results: Altogether, 1755 patients were identified in five tertiary hospitals who had an emergency operation during the investigation period. There was a significant decrease (31%, p = 0.03) in trauma operations. It was mostly due to reduction in lower limb trauma operations (32%, p = 0.006). Daycare, school, and organized sports-related injuries decreased significantly during the pandemic. These reductions were observed in March and in April. The frequencies of appendectomies and scrotal explorations remained constant. Conclusion: According to the postulation, a great decrease in the need of trauma operations was observed during the peak of COVID-19 pandemic. In the future, in case similar public restrictions are ordered, the spared resources could be deployed to other clinical areas. However, the need of pediatric surgical emergencies held stable during the COVID-19 restrictions.

    Trampoline-related proximal tibia impaction fractures in children: a population-based approach to epidemiology and radiographic findings between 2006 and 2017

    Abstract Purpose: Proximal tibia impaction fractures are specific injuries, usually caused by trampolining. They may associate with later growth disturbances. There is sparse understanding about their recent epidemiology, in particular the changing incidence. Their typical radiographic findings are not completely known. Methods: All children, aged < 16 years, who had suffered from proximal tibia fracture in Oulu Arc and Oulu between 2006 and 2017 were enrolled (n = 101). Their annual incidence was determined using the official population-at-risk, obtained from the Statistics Finland. The specific characteristics and risk factors of the patients and their fractures were evaluated. Radiographic findings were analyzed, in particular the anterior tilting of the proximal growth plate, due to impaction. Results: The annual incidence increased two-fold from 9.5 per 100 000 children (2006 to 2009) to 22.0 per 100 000 (2014 to 2017) (difference: 12.5; 95% confidence interval 5.1 to 20.3 per 100 000; p = 0.0008). The mean annual incidence of trampoline impaction leg fractures was 15.4 per 100 000 children. In 80% of the cases multiple children had been jumping together on the trampoline. Anterior tilting (mean 7.3°, SD 2.5°, 6.1° to 19.1°) of the proximal tibial plate was seen in 68.3% of the patients. Satisfactory bone union was found in 92.7% during follow-up. Isolated patients presented delayed bone healing. Conclusion: The incidence of trampoline leg fractures has increased 130% during the 12 years of the study period. Many of these injuries could have been prevented by avoiding having several jumpers on the trampoline at the same time. Anterior tilting of the growth plate was a common finding and should be recognized in the primary radiographs. Level of evidence: I.

    Understanding the Study Experiences of Students in Low Agency Profile: Towards a Smart Education Approach

    In this paper, we use student agency analytics to examine how university students who assessed to have low agency resources describe their study experiences. Students (n = 292) completed the Agency of University Students (AUS) questionnaire. Furthermore, they reported what kinds of restrictions they experienced during the university course they attended. Four different agency profiles were identified using robust clustering. We then conducted a thematic analysis of the open-ended answers of students who assessed to have low agency resources. Issues relating to competence beliefs, self-efficacy, student-teacher relations, time as a resource, student well-being, and course contents seemed to be restrictive factors among the students in the low agency profile. The results could provide guidelines for designing systems for smart education.

    Long-term outcomes of tibial spine avulsion fractures after open reduction with osteosuturing versus arthroscopic screw fixation: a multicenter comparative study

    Abstract Background: More information is needed regarding return to preinjury sport levels and patient-reported outcomes after tibial spine avulsion (TSA) fracture, which is most common in children aged 8 to 12 years. Purpose: To analyze return to play/sport (RTP), subjective knee-specific recovery, and quality of life in patients after TSA fracture treated with open reduction with osteosuturing versus arthroscopic reduction with internal screw fixation. Study Design: Cohort study; Level of evidence, 3. Methods: This study included 61 patients <16 years old with TSA fracture treated via open reduction with osteosuturing (n = 32) or arthroscopic reduction with screw fixation (n = 29) at 4 institutions between 2000 and 2018; all patients had at least 24 months of follow-up (mean ± SD, 87.0 ± 47.1 months; range, 24-189 months). The patients completed questionnaires regarding ability to return to preinjury-level sports, subjective knee-specific recovery, and health-related quality of life, and results were compared between treatment groups. Univariate and multivariate logistic regression analyses were conducted to determine variables associated with failure to return to preinjury level of sport. Results: The mean patient age was 11 years, with a slight male predominance (57%). Open reduction with osteosuturing was associated with a quicker RTP time than arthroscopy with screw implantation (median, 8.0 vs 21.0 weeks; P < .001). Open reduction with osteosuturing was also associated with a lower risk of failure to RTP at preinjury level (adjusted odds ratio, 6.4; 95% CI, 1.1-36.0; P = .035). Postoperative displacement >3 mm increased the risk of failure to RTP at preinjury level regardless of treatment group (adjusted odds ratio, 15.2; 95% CI, 1.2-194.9; P = .037). There was no difference in knee-specific recovery or quality of life between the treatment groups. 
Conclusion: Open surgery with osteosuturing was a more viable option for treating TSA fractures because it resulted in a quicker RTP time and a lower rate of failure to RTP as compared with arthroscopic screw fixation. Precise reduction contributed to improved RTP.

    Sign Restrictions in Structural Vector Autoregressions: A Critical Review

    The paper provides a review of the estimation of structural vector autoregressions with sign restrictions. It is shown how sign restrictions solve the parametric identification problem present in structural systems but leave the model identification problem unresolved. A market and a macro model are used to illustrate these points. Suggestions have been made on how to find a unique model. These are reviewed. An analysis is provided of whether one can recover the true impulse responses and what difficulties might arise when one wishes to use the impulse responses found with sign restrictions. (JEL C32, C51, E12)