User behavior pattern based security provisioning for distributed systems
Behaviors of authorized users must be monitored and controlled because of the rise of insider threats. Security analysts in large distributed systems are overwhelmed by the number of system users and by the complexity and changing nature of user activities. Identifying user behavior patterns by analyzing audit logs is challenging: the lack of a general user behavior pattern model restricts the effective use of data mining techniques, and limited access to real-world audit logs, owing to privacy concerns, also hinders the learning of user behavior. The central problem addressed in this thesis is the need to help security analysts gain deep insight into user behavior patterns. To address it, the thesis defines a user behavior pattern as consisting of four factors: actor, action sequence, context, and time interval. Based on this behavior pattern model, the thesis proposes a knowledge-driven user behavior pattern discovery approach that gives security analysts step-by-step guidance throughout the whole process. All steps of the user behavior pattern mining process are represented uniformly in a single formalism. A user/tool collaborative environment built on top of data mining techniques is designed for constructing a baseline of common behavior patterns for individuals, peer groups, and specific contexts. A prototype toolkit developed as part of this thesis provides an environment for user behavior pattern mining and analysis. To evaluate the proposed approach, a behavior-based dataset generator is developed that simulates audit logs containing designed user behavior patterns. In addition, two real-world datasets, collected from distributed medical imaging systems and from public cloud services respectively, are used to test the proposed model.
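The following is an added illustration of the four-factor pattern model (actor, action sequence, context, time interval) and of baselines for individuals, peer groups and contexts; it is not the thesis's prototype toolkit or dataset generator. The audit log format, the workstation contexts, the role map, the 30-minute session gap and the bigram-based novelty score are all assumptions chosen for this example, and the log lines are constructed.

```python
"""Mine (actor, action sequence, context, time interval) patterns from audit
logs and build per-actor, per-peer-group and per-context baselines.

Added example, not the thesis's toolkit. Log format, contexts, role map,
session gap and scoring rule are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample audit log, assumed format: "<ISO time> <actor> <action> <context>".
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice login ws-rad-1
2024-03-01T09:00:40 alice open_study ws-rad-1
2024-03-01T09:05:10 alice annotate ws-rad-1
2024-03-01T09:06:00 alice close_study ws-rad-1
2024-03-01T09:06:30 alice logout ws-rad-1
2024-03-01T10:00:00 bob login ws-rad-2
2024-03-01T10:00:30 bob open_study ws-rad-2
2024-03-01T10:04:00 bob annotate ws-rad-2
2024-03-01T10:05:00 bob close_study ws-rad-2
2024-03-01T10:05:20 bob logout ws-rad-2
2024-03-01T14:00:00 alice login ws-rad-1
2024-03-01T14:00:20 alice open_study ws-rad-1
2024-03-01T14:01:00 alice close_study ws-rad-1
2024-03-01T14:01:10 alice logout ws-rad-1
"""

# Assumed peer-group (role) map; in a real deployment this comes from the directory.
ROLE: Dict[str, str] = {"alice": "radiologist", "bob": "radiologist", "mallory": "radiologist"}

Event = Tuple[datetime, str, str, str]          # (time, actor, action, context)
Pattern = Tuple[str, str, Tuple[str, ...]]      # (actor, context, action sequence)
Bigram = Tuple[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, ctx = line.split()
        events.append((datetime.fromisoformat(ts), actor, action, ctx))
    return sorted(events)


def sessionize(events: List[Event], gap: timedelta = timedelta(minutes=30)) -> List[Pattern]:
    """Split each actor's events into sessions using the time-interval factor:
    a new session starts when the gap since the previous event exceeds `gap`
    or the context changes. Each session is one pattern instance."""
    by_actor: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_actor[ev[1]].append(ev)
    patterns: List[Pattern] = []
    for actor, evs in by_actor.items():
        cur: List[str] = []
        last_t, last_ctx = None, None
        for t, _, action, ctx in evs:
            if cur and (t - last_t > gap or ctx != last_ctx):
                patterns.append((actor, last_ctx, tuple(cur)))
                cur = []
            cur.append(action)
            last_t, last_ctx = t, ctx
        if cur:
            patterns.append((actor, last_ctx, tuple(cur)))
    return patterns


def bigrams(seq: Tuple[str, ...]) -> Set[Bigram]:
    """Action transitions of a sequence; the unit the baselines are built from."""
    return set(zip(seq, seq[1:]))


def build_baselines(patterns: List[Pattern]):
    """Baselines = action transitions seen per actor, per peer group and per context."""
    actor_base: Dict[str, Set[Bigram]] = defaultdict(set)
    group_base: Dict[str, Set[Bigram]] = defaultdict(set)
    ctx_base: Dict[str, Set[Bigram]] = defaultdict(set)
    for actor, ctx, seq in patterns:
        bg = bigrams(seq)
        actor_base[actor] |= bg
        group_base[ROLE.get(actor, "unknown")] |= bg
        ctx_base[ctx] |= bg
    return actor_base, group_base, ctx_base


def score_session(actor: str, ctx: str, seq: Tuple[str, ...],
                  actor_base, group_base, ctx_base) -> float:
    """Fraction of the session's transitions absent from the actor's own, the
    peer group's and the context's baselines. 0.0 = fully known, 1.0 = novel."""
    bg = bigrams(seq)
    if not bg:
        return 0.0
    known = (actor_base.get(actor, set())
             | group_base.get(ROLE.get(actor, "unknown"), set())
             | ctx_base.get(ctx, set()))
    return len(bg - known) / len(bg)


if __name__ == "__main__":
    a, g, c = build_baselines(sessionize(parse_log(SAMPLE_LOG)))
    novel = ("login", "open_study", "export_study", "export_study", "export_study", "logout")
    print("alice baseline:", sorted(a["alice"]))
    print("mallory bulk-export score:", score_session("mallory", "ws-rad-9", novel, a, g, c))
```

A score near 1.0 for an actor with no personal baseline, as with `mallory` above, means the session is also unlike the peer group's established patterns; in the thesis's workflow that is the point at which an analyst, rather than the tool, decides whether the deviation is benign.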