Abstract

The article addresses the problem of detecting anomalies in how users interact with an organization's information resources. It is shown that this interaction is becoming a key factor in both efficiency and security. Most anomaly detection methods are based on the analysis of technical and instrumental indicators, such as network activity, use of peripheral devices, system load, and intensity of interaction with information systems. Modern intrusion detection systems (IDS) detect attacks in real time using a database of attack templates (signatures), machine learning methods, and a set of data characterizing the interaction of employees with the organization's information assets. At the same time, most machine learning methods are too complex for operational implementation and do not allow unambiguous decisions about the presence of anomalies. The work proposes a technique for detecting anomalies in user interaction with the organization's information resources that can use the results of modern intrusion detection systems and is simple enough for practical implementation by information security administrators. The technique uses a bipartite graph to represent the interaction of users (employees of the organization) with assets (information systems), built from network data collected by the IDS. Simulation results based on the given examples show that the technique is sufficiently sensitive to differences in user activity. The method makes it possible to determine that a user's interaction with a particular information asset of the organization is anomalous. That data may then be passed to the information security administrator for further analysis.
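The following Python sketch is an added example, not code from the article, showing one way a user-to-asset bipartite graph can be built from IDS connection records and compared against a baseline period. The abstract does not state the article's scoring rule, so the rule here (a new edge, or a change in an asset's share of the user's activity above a threshold) is an assumption, as are the record format, the names and the sample data.

```python
from collections import defaultdict

# Constructed sample records: one (user, asset) pair per connection seen by the IDS.
BASELINE = [("alice", "crm")] * 8 + [("alice", "mail")] * 2 \
         + [("bob", "erp")] * 5 + [("bob", "mail")] * 5
OBSERVED = [("alice", "crm")] * 7 + [("alice", "mail")] * 3 \
         + [("bob", "erp")] * 1 + [("bob", "mail")] * 4 + [("bob", "hr-db")] * 5


def build_graph(records):
    """Bipartite graph as weighted edges: {(user, asset): interaction count}."""
    edges = defaultdict(int)
    for user, asset in records:
        edges[(user, asset)] += 1
    return dict(edges)


def user_profile(edges, user):
    """Fraction of a user's interactions that go to each asset."""
    own = {a: w for (u, a), w in edges.items() if u == user}
    total = sum(own.values())
    return {a: w / total for a, w in own.items()} if total else {}


def anomalous_edges(baseline, observed, threshold=0.3):
    """Flag user-asset edges that are new or whose activity share shifted.

    Assumed rule (not the article's): an edge is anomalous if it is absent
    from the baseline graph, or if the asset's share of the user's activity
    changed by more than `threshold` between the two periods.
    """
    flagged = []
    for user in sorted({u for u, _ in observed}):
        base = user_profile(baseline, user)
        current = user_profile(observed, user)
        for asset in sorted(current):
            if asset not in base:
                flagged.append((user, asset, "new edge"))
            elif abs(current[asset] - base[asset]) > threshold:
                flagged.append((user, asset, "share shift"))
    return flagged


if __name__ == "__main__":
    for finding in anomalous_edges(build_graph(BASELINE), build_graph(OBSERVED)):
        print(finding)  # findings go to the security administrator for review
```

Normalizing per user keeps a generally busy user from being flagged on volume alone; the output is a short list of edges for an administrator to review, not a verdict.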
