A method of detecting information security incidents based on anomalies in the user’s biometric behavioral characteristics

Nowadays a significant amount of attacks on information systems are multi-stage attacks. In many cases the key subjects of attacks are insiders. The actions of an insider differ from the activity of a legitimate user, so it is possible for the latter to form a model of his behavior. Then the differences from the specified model can be classified as information security events or incidents. Existing approaches to anomaly detection in user activity use separate characteristics of user behavior, without taking into account their interdependencies and dependencies on various factors. The task of the study is to form a comprehensive characteristic of the user`s behavior when using a computer — a “digital pattern” for detecting information security events and incidents. The essence of the method is in the formation of a digital pattern of the user's activity by analyzing his behavioral characteristics and their dependencies selected as predictors. The developed method involves the formation of a model through unsupervised machine learning. The following algorithms were considered: one-class support vector machine, isolating forest and elliptic envelope. The Matthews correlation coefficient was chosen as the main metric for the quality of the models, but other indicators were also taken into consideration. According to the selected quality metrics, a comparative analysis of algorithms with different parameters was conducted. An experiment was carried out to evaluate the developed method and compare its effectiveness with the closest analogue. Real data on the behavior of 138 users was used to train and evaluate models within the studied methods. According to the results of the comparative analysis, the proposed method showed great performance for all the considered metrics, including an increase in the Matthews correlation coefficient by 0.6125 compared to the anomaly detection method by keystroke dynamics. The proposed method can be used for continuous user authentication from unauthorized access and identifying information security incidents related to the actions of insiders.