Background:
A key problem in an enterprise is to safeguard its user’s accounts against potentially bad actors (or rogue users). The Verizon Data Breach Investigations Report 2021 (DBIR-2021) reported 79,635 incidents and 5,258 breaches involving millions of sensitive records in 2021. Data incidents and breaches are a fact of life and companies need to spend as much effort on planning how to prevent them efficiently as they do on other services.
As it’s evident from the given figure 5. & 6., Social Engineering, System Intrusion and Basic Web application attacks make for the largest proportion of attacks among both the categories & the interesting fact about these attacks is in them being having a property of behaviours over a session or time frame.
Also, it’s evident from fig 7. that 85% of breaches involved the human elements that again indicates the behaviour of an organic entity behind those breaches. Finally, fig 8. sums up the colossal monetary loss that could have been avoided had there been a robust mechanism or platform to avoid or mitigate the breaches & incidents. With tremendous monetary losses, the need for a preventive solution can’t be uncalled for.
User behavioural profiling & Its need:
With the aforementioned discussion, the need for a preventive solution is implied but the traditional solutions, which are rule-based, often goes rogue with the ever new incidents or breaches due to being usually endowed with variable characteristics of environments across websites that make the problem of detecting bad users using a rule-based system very complex & unscalable. However, presuming the actions of a compromised & rogue user are inherently different from its usual behaviour makes this problem somewhat simpler to tackle if the user profile based on its behaviour is maintained. If each of the user’s actions is monitored over time and against actions of similar users, one can bring about a baseline profile of the user’s behaviour, then any deviations from this behaviour can be flagged as potential anomalies that call for further investigation.
Moreover, with the maintenance of users profile of their behaviour, proactive defences come into vogue contrary to traditional reactive defences. Traditional reactive defences operate only when security incidents take place, or immediately thereafter whereas a proactive solution proactively protects users devices and networks. By observing user behaviour, it can predict whether they will be exposed to malicious content on the web seconds before the moment of exposure, thus opening a window of opportunity for proactive defences.
What is a User Behaviour?
The behaviour of an actor is simply a pattern of actions performed by the actor in order to achieve certain goals. Sometimes, according to the problem or objective concerned, its behaviour may also include environments through which the actor has been performing actions. As an instance, time, place, environment, a chronology of page visits, etc. of a user can make for a behaviour.
As shown in the below figure, a machine learning algorithm generally requires a sophisticated & refined user behaviour that is derived or refined from raw information about a particular or batch of user activities.
Raw transactional data is modelled to behaviour feature-oriented space ready to be ingested by ML algorithms. The process that creates behaviour to be devoured by algorithms is called behavioural modelling. Behavioural Modelling develops modelling and representation methods to capture behaviour characteristics and dynamics of a user. Once a behaviour is modelled, it could be further devoured by an algorithm, typically an ML one, to provide us with security decisions — whether a user is rogue/bad or not?
Following is a general diagram succinctly describing the aforementioned dynamics of behaviour with its analysis & modelling to achieve behaviour-oriented decision-making as insecurity.
Graph-Based User Behaviour Modelling:
Graph-Based user behaviour modelling is a common way to model the behaviour of an actor. Although the theory & background to understand it in light of behaviour modelling extends way deeper & complex, it could be intuitively understood by a simple state machine, specifically nondeterministic finite automaton.
A state machine is a graph where nodes describe states & edges describe the transition from one state to another. The transition edges can be further modelled to describe behaviour as shown in the following figure. In the following simple illustration, user profiling has been brought about by modelling the page-visit behaviour of a user based on its past data. Nodes are the web pages & probabilities labelled on transition edges depicting the probability with which the user will move from a particular page to another.
Now, this model can be used to detect the possibility of abnormal behaviour in page visits of a particular user using a simple statistical inference.
Conclusion:
User profiling with its behaviour is a promising approach or tool through which proactive defences backed by sophisticated machine learning algorithms can be given to users to avoid & mitigate ever-alarming breaches and incidents costing colossal monetary losses. In this approach, the relevant entities make for user behaviour that becomes instrumental in isolating a rogue user with its behaviour before it breaks into the system.
To isolate a bad actor with its behaviour, its real-time behaviour is assessed against a baseline behaviour that is concluded in prior from the good actor(s) with its/their usual behaviour.
Credits:
- https://www.verizon.com/business/solutions/enterprise/ for their data.
- http://www.behaviorinformatics.org/ for their diagrams.
