This document describes a proposed user-centric machine learning framework for a cyber security operations center. It discusses the typical data sources in a SOC like security logs and alerts from various systems. It explains how this data can be processed and used to create an effective machine learning system to evaluate user risks. This would help security analysts prioritize investigations and improve efficiency. The proposed framework integrates alert information, security logs, and analyst notes to generate features and labels for machine learning models. It aims to reduce manual analysis workload while enhancing security. The document also provides an example implementation using real industry data to demonstrate the full process from data collection and labeling to model training and evaluation.

1. USER CENTRIC MACHINE LEARNING FRAMEWORK FOR
CYBER SECURITY OPERATION CENTER
Major Project Report submitted to
Jawaharlal Nehru Technological University Hyderabad
in partial fulfillment for the award of degree of
Bachelor of Technology
in
Computer Science & Engineering
by
CHITTULURI SAI CHANDRA
Roll No: 16X31A0531
Under the Guidance of
Mr. VEERA KISHORE KADAM
ASSOCIATE PROFESSOR
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
SRI INDU INSTITUTE OF ENGINEERING &TECHNOLOGY
(Affiliated to JNTUH, Hyderabad, Approved by AICTE, New Delhi)
Sheriguda (V), Ibrahimpatnam (M), R.R.Dist., Telangana- 501510.
2019-2020

2. SRI INDU INSTITUTE OF ENGINEERING AND TECHNOLOGY
(Affiliated to JNTUH, Kukatpally, Hyderabad)
Sheriguda (V), Ibrahimpatnam (M), R.R.Dist. 501510.
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
This is to certify that the report entitled “USER CENTRIC MACHINE
LEARNING FRAMEWORK FOR CYBER SECURITY OPERATION
CENTER”, being submitted by CHITTULURI SAI CHANDRA, bearing Roll No:
16X31A0531, to Jawaharlal Nehru Technological University Hyderabad in partial
fulfillment of the requirements for the award of the degree of Bachelor of Technology
in Computer Science & Engineering, is a record of bonafide work carried out by
him. The results of investigations enclosed in this report have been verified and found
satisfactory. The results embodied in this report have not been submitted to any other
University or Institute for the award of any other degree.
INTERNAL GUIDE HEAD OF THE DEPARTMENT
PRINCIPAL EXTERNAL EXAMINER

3. SRI INDU INSTITUTE OF ENGINEERING &TECHNOLOGY
(Affiliated to JNTUH, Hyderabad, Approved by AICTE, New Delhi)
Sheriguda (V), Ibrahimpatnam (M), R.R.Dist., Telangana- 501510.
DECLARATION
I, CHITTULURI SAI CHANDRA, bearing Roll No 16X31A0531, hereby
certify that the dissertation entitled “USER CENTRIC MACHINE LEARNING
FRAMEWORK FOR CYBER SECURITY OPERATION CENTER”, carried out
under the guidance of Mr. VEERA KISHORE KADAM, ASSOCIATE
PROFESSOR is submitted to Jawaharlal Nehru Technological University
Hyderabad in partial fulfillment of the requirements for the award of the degree of
Bachelor of Technology in Computer Science & Engineering. This is a record of
bonafide work carried out by me and the results embodied in this dissertation have not
been reproduced or copied from any source. The results embodied in this dissertation
have not been submitted to any other University or Institute for the award of any other
degree.
Date:
CHITTULURI SAI CHANDRA
Roll No: 16X31A0531
Department of CSE, SIIET

4. CERTIFICATE
This is to certify that Mr. CHITTULURI SAI CHANDRA,
student of “SRI INDU INSTITUTE OF ENGINEERING &
TECHNOLOGY” with H.T.NO: 16X31A0531 had successfully
completed major project entitled “USER CENTRIC MACHINE
LEARNING FRAMEWORK FOR CYBER SECURITY
OPERATION CENTER” as part of his academic project.
He has completed the assigned project well within time frame. He
is sincere, hardworking and his conduct during project is commendable.
We wish him all the best in future endeavors.
Conscience Technologies
Project Manager

5. i
ACKNOWLEDGEMENT
With great pleasure I take this opportunity to express my heartfelt gratitude to
all the persons who helped me in making this project work a success.
First of all I am highly indebted to Principal, Dr. I. SATYANARAYANA for
giving me the permission to carry out this project.
I would like to thank Dr. C. THIRUMALAI SELVAN Professor & Head of
the Department (CSE), for giving support throughout the period of my study in SIIET.
I am grateful for his valuable suggestions and guidance during the execution of this
project work.
My sincere thanks to project guide Mr. VEERA KISHORE KADAM for
potentially explaining the entire system and clarifying the queries at every stage of the
project.
My whole hearted thanks to the staff of SIIET who co-operated us for the
completion of the project in time.
Last but not the least, I express my sincere thanks to Mr. R. VENKAT RAO,
Chairman, Sri Indu Group of Institutions, for his continuous encouragement.
I also thank my parents and friends who aided me in completion of the project.
CHITTULURI SAI CHANDRA
16X31A0531

6. ii
ABSTRACT
In order to ensure a company's Internet security, SIEM (Security Information
and Event Management) system is in place to simplify the various preventive
technologies and flag alerts for security events. Inspectors (SOC) investigate warnings
to determine if this is true or not. However, the number of warnings in general is
wrong with the majority and is more than the ability of SCO to handle all awareness.
Because of this, malicious possibility, Attacks and compromised hosts may be wrong.
Machine learning is a possible approach to improving the wrong positive rate and
improving the productivity of SOC analysts. In this article, we create a user-centric
engineer learning framework for the Internet Safety Functional Center in the real
organizational context. We discuss regular data sources in SOC, their work flow, and
how to process this data and create an effective machine learning system. This article
is aimed at two groups of readers. The first group is intelligent researchers who have
no knowledge of data scientists or computer safety fields but who engineer should
develop machine learning systems for machine safety. The second groups of visitors
are Internet security practitioners that have deep knowledge and expertise in Cyber
Security, but do Machine learning experiences do not exist and I'd like to create one
by them. At the end of the paper, we use the account as an example to demonstrate
full steps from data collection, label creation, feature engineering, machine learning
algorithm and sample performance evaluations using the computer built in the SOC
production of Seyondike.

7. iii
CONTENTS
Page No
Acknowledgement i
Abstract ii
Contents iii
List of Figures v
List of Screens vi
1. INTRODUCTION 1
1.1 Motivation 2
1.2 Objective 3
1.3 Limitations 3
1.4 Problem Definition 3
2. LITERATURE SURVEY 4
2.1 Introduction 4
2.2 Existing System 4
2.2.1 Drawbacks in Existing System 5
2.3 Proposed System 5
2.3.1 Advantages of Proposed System 6
2.4 Feasibility Study 6
2.4.1 Technical Feasibility 6
2.4.2 Operational Feasibility 7
2.4.3 Economic Feasibility 7
3. ANALYSIS 8
3.1 Introduction 8
3.2 User Requirements 8
3.2.1 Study of the System 8
3.2.2 Input & Output Representation 9
3.2.3 Process Model Used With Justification 11
3.2.4 System Requirement Specification 18
3.3 Functional Requirements 19
3.3.1 Software Requirements 19
3.3.2 Hardware Requirements 19

8. iv
3.4 Non Functional Requirements 20
4. DESIGN 22
4.1 Introduction 22
4.2 System Architecture 22
4.3 Module Design and Organization 24
4.4 UML Diagrams 25
4.4.1 Class Diagram 26
4.4.2 Usecase Diagram 27
4.4.3 Sequence Diagram 28
4.4.4 Collaboration Diagram 29
4.4.5 Activity Diagram 29
4.4.6 Deployment Diagram 31
5. IMPLEMENTATION 32
5.1 Introduction 32
5.2 Technologies Required 32
5.2.1 Overview of Python 32
5.2.2 Overview of Django 34
5.3 Algorithm 36
5.4 Sample Code 38
5.5 Output Screens 50
6. TESTING, VALIDATIONS & RESULT 54
6.1 Introduction 54
6.2 Testing in Strategies 54
6.3 Design of Test Case & Scenario 56
6.4 Validations 58
7. CONCLUSION 60
7.1 Conclusion 60
7.2 Future Enhancement 60
8. BIBLIOGRAPHY 61
8.1 References 61
8.2 Website References 61

9. v
LIST OF FIGURES
Following are the list of figures used in this project documentation at various
locations.
Diagrams Page No
Fig: 1.1 SIEM Architecture 02
Fig: 1.2 Security Event View 03
Fig: 3.1 SDLC 11
Fig: 3.2 Requirement Gathering Stage 12
Fig: 3.3 Analysis Stage 13
Fig: 3.4 Designing Stage 14
Fig: 3.5 Development Stage 15
Fig: 3.6 Integration & Testing Stage 16
Fig: 3.7 Installation & Acceptance 17
Fig: 4.1 System Architecture 22
Fig: 4.2 ER Diagram of User 23
Fig: 4.3 ER Diagram of Admin 23
Fig: 4.4 Class Diagram 26
Fig: 4.5 User Usecase Diagram 27
Fig: 4.6 Admin Usecase Diagram 27
Fig: 4.7 Sequence Diagram 28
Fig: 4.8 Collaboration Diagram 29
Fig: 4.9 User Activity Diagram 30
Fig: 4.10 Admin Activity Diagram 30
Fig: 4.11 Deployment Diagram 31
Fig: 5.1 Internal working of Python 33
Fig: 5.2 Django Architecture 34
Fig: 5.3 Basic Architecture View 35
Fig: 5.4 SVM Algorithm Block Diagram 36

10. vi
LIST OF SCREENS
Following are the list of Screens developed in this project at various stages.
Screens Page No
Screen: 5.5.1 User Login Page 50
Screen: 5.5.2 User Transaction Page 50
Screen: 5.5.3 User Analyze Page 51
Screen: 5.5.4 User Receive Alerts Page 51
Screen: 5.5.5 Admin Analyze Page 52
Screen: 5.5.6 Admin Risk User Page 52
Screen: 5.5.7 Admin Send Query Page 53
Screen: 5.5.8 Admin Charts Page 53

11. 1
1. INTRODUCTION
Cyber security incidents will cause significant financial and reputation impacts
on enterprise. In order to detect malicious activities, the SIEM (Security Information
and Event Management) system is built in companies or government. The system
correlates event logs from endpoint, firewalls, IDS/IPS (Intrusion
Detection/Prevention System), DLP (Data Loss Protection), DNS (Domain Name
System), DHCP (Dynamic Host Configuration Protocol), Windows/Unix security
events, VPN logs etc. The security events can be grouped into different categories.
The logs have terabytes of data each day.
If any pre-defined use case is triggered, SIEM system will generate an alert in
real time. SOC analysts will then investigate the alerts to decide whether the user
related to the alert is risky (a true positive) or not (false positive). If they find the
alerts to be suspicious from the analysis, SOC analysts will create OTRS (Open Source
Ticket Request System) tickets. After initial investigation, certain OTRS tickets will
be escalated to tier 2 investigation system (e.g., Co3 System) as severe security
incidents for further investigation and remediation by Incident Response Team.
However, SIEM typically generates a lot of the alerts, but with a very high false
positive rate. The machine learning system sits in the middle of SOC work flow,
incorporates different event logs, SIEM alerts and SOC analysis results and generates
comprehensive user risk score for security operation center. Instead of directly digging
into large amount of SIEM alerts and trying to find needle in a haystack, SOC analysts
can use the risk scores from machine learning system to prioritize their investigations,
starting from the users with highest risks. This will greatly improve their efficiency
optimize their job queue management, and ultimately enhance the enterprise’s
security. Specifically, our approach constructs a framework of user- centric machine
learning system to evaluate user risk based on alert information.
To the best of our knowledge, there is no previous research on building a
complete systematic solution for this application. The main contribution of this paper
is as follows:
 An advanced user-centric machine learning system is proposed and evaluated
by real industry data to evaluate user risks. The system can effectively reduce the

12. 2
resources to analyze alerts manually while at the same time enhance enterprise
security.
 A novel data engineering process is offered which integrates alert
information, security logs, and SOC analysts’ investigation notes to generate features
and propagate labels for machine learning models.
Fig: 1.1SIEM Architecture
1.1 MOTIVATION
Cyber security is the set of technologies and processes designed to protect
computers, networks, programs, and data from attack, unauthorized access, change, or
destruction. Cyber security systems are composed of network security systems and
computer (host) security systems. Each of these has, at a minimum, a firewall,
antivirus software, and an intrusion detection system (IDS). IDSs help discover,
determine, and identify unauthorized use, duplication, alteration, and destruction of
information systems. The security breaches include external intrusions (attacks from
outside the organization) and internal intrusions (attacks from within the organization).
Misuse-based techniques are designed to detect known attacks by using
signatures of those attacks. They are effective for detecting known type of attacks
without generating an overwhelming number of false alarms. They require frequent
manual updates of the database with rules and signatures.

13. 3
Fig: 1.2 Security Event View
1.2 OBJECTIVE
An advanced user-centric machine learning system is proposed and evaluated
by real industry data to evaluate user risks. The system can effectively reduce the
resources to analyze alerts manually while at the same time enhance enterprise
security.
This framework gives users an effortlessly explore through the application for
more data in a most secure way. This framework gives simple access. The users can
do transaction safe & secure manner. And to get complete information about the risk
of particular transactions respectively.
1.3 LIMITATIONS
1. Majority of the users without annotations are left out of model, but they may
have valuable information.
2. Many machine learning models do not work well for highly unbalanced
classification problem.
1.4 PROBLEM DEFINITION
Our approach constructs a framework of user centric machine learning system
to evaluate user risk based on alert information. This approach can provide security
analyst a comprehensive risk score of a user and security analyst can focus on those
users with high risk scores.

14. 4
2. LITERATURE SURVEY
2.1 INTRODUCTION
Literature survey is the most important step in software development process.
Before developing the tool it is necessary to determine the time factor, economy and
company strength. Once these things are satisfied, ten next steps are to determine
which operating system and language can be used for developing the tool. Once the
programmers start building the tool the programmers need lot of external support. This
support can be obtained from senior programmers, from book or from websites.
Before building the system the above consideration are taken into account for
developing the proposed system.
2.2 EXISTING SYSTEM
Most approaches to security in the enterprise have focused on protecting the
network infrastructure with no or little attention to end users. As a result, traditional
security functions and associated devices, such as firewalls and intrusion detection
and prevention devices, deal mainly with network level protection. Although still part
of the overall security story, such an approach has limitations in light of the new
security challenges described in the previous section.
Data Analysis for Network Cyber-Security focuses on monitoring and
analyzing network traffic data, with the intention of preventing, or quickly
identifying, malicious activity. Risk values were introduced in an Information
Security Management System (ISMS) and quantitative evaluation was conducted for
detailed risk assessment. The quantitative evaluation showed that the proposed
countermeasures could reduce risk to some extent. Investigation into the cost-
effectiveness of the proposed countermeasures is an important future work. It
provides users with attack information such as the type of attack, frequency, and
target host ID and source host ID. Ten et al. proposed a cyber-security framework of
the SCADA system as a critical infrastructure using real-time monitoring, anomaly
detection, and impact analysis with an attack tree-based methodology, and mitigation
strategies.

15. 5
2.2.1 Drawbacks of Existing system:
1. Firewalls can be difficult to configure correctly.
2. Incorrectly configured firewalls may block users from performing
actions on the Internet, until the firewall configured correctly.
3. Makes the system slower than before.
4. Need to keep updating the new software in order to keep security up to
date.
5. Could be costly for average user.
6. The user is only the constant.
2.3 PROPOSED SYSTEM
User-centric cyber security helps enterprises reduce the risk associated with
fast-evolving end-user realities by reinforcing security closer to end users. User-
centric cyber security is not the same as user security. User-centric cyber security is
about answering peoples’ needs in ways that preserve the integrity of the enterprise
network and its assets. User security can almost seem like a matter of protecting the
network from the user — securing it against vulnerabilities that user needs introduce.
User-centric security has the greater value for enterprises.
Cyber-security systems are real-time and robust independent systems with high
performances requirements. They are used in many application domains, including
critical infrastructures, such as the national power grid, transportation, medical, and
defense. These applications require the attainment of stability, performance, reliability,
efficiency, and robustness, which require tight integration of computing,
communication, and control technological systems. Critical infrastructures have
always been the target of criminals and are affected by security threats because of their
complexity and cyber-security connectivity. These CPSs face security breaches when
people, processes, technology, or other components are being attacked or risk
management systems are missing, inadequate, or fail in any way. The attackers target
confidential data. Main scope of this project in reduce the unwanted data for the
dataset.

16. 6
2.3.1 Advantages of Proposed System
1. Gives privacy to users.
2. Managing user-centric security.
3. Protection against data from theft.
4. Securing the user-aware network edge.
5. Securing mobile users’ communications.
6. Minimizes computer freezing and crashes.
7. Protects the computer from being hacked.
8. Protects system against viruses, worms, spyware.
2.4 FEASIBILITY STUDY
Preliminary investigation examines project feasibility, the likelihood the
system will be useful to the organization. The main objective of the feasibility study is
to test the Technical, Operational and Economical feasibility for adding new modules
and debugging old running system. All systems are feasible if they are given
unlimited resources and infinite time. There are aspects in the feasibility study portion
of the preliminary investigation:
1. Technical Feasibility
2. Operation Feasibility
3. Economical Feasibility
2.4.1 Technical Feasibility
The technical issue usually raised during the feasibility stage of the
investigation includes the following:
1. Does the necessary technology exist to do what is suggested.
2. Do the proposed equipments have the technical capacity to hold the
data required to use the new system.
3. Will the proposed system provides adequate response to inquiries,
regardless of the nu mber or the location of the user.
4. Can the system be upgraded if developed.
5. Are the technical guarantees of accuracy, reliability, ease of access of
data security.

17. 7
2.4.2 Operational Feasibility
To determine the operational feasibility of the system we should take
into consideration the awareness level of the users. This system is operational
feasible since the user are familiar with the technologies and hence there is no
need of gear up the personal to use system. Also the system is very friendly
and to use.
2.4.3 Economic Feasibility
To describe whether a project is economically feasible, we have to
consider various factors like
1. Cost benefit analysis.
2. Long-term returns.
3. Maintenance cost.
2.5 FEATURES OF PROJECT
 We use “Support Vector Machine” (SVM) algorithm, it was supervised machine
learning algorithm which can be used for both classification and regression
challenges.
 Cyber threat analysis in which the knowledge of internal and external
information vulnerabilities pertinent to a particular organization is matched
against real-world cyber-attacks.
 Improve storage efficiency through data reduction techniques and capacity
optimization using data reduplication, compression.
 User can analyze the security for their cyber transactions.
 System Operation Center (SOC) will calculate the risk in the users transactions
that can help in reducing risk in cyber attacks.

18. 8
3. ANALYSIS
3.1 INTRODUCTION
In this chapter we discuss about the requirement needed in building up the
system. First we analyze the requirements needed for the system. The user
requirements are the most important aspect in analyzing the requirements.
These are the following requirements in the system:
 User requirements
 Functional requirements
 Non-functional Requirements
3.2 USER REQUIREMENTS
Depending on the user requirements the system is designed according to it. If
it is out of the box then the client will not satisfy with the product.
3.2.1 Study of the System
To provide flexibility to the users, the interfaces have been developed that
are accessible through a browser. The GUI’S at the top level have been
categorized as
1.Administrative user interface
2.The operational or generic user interface
The ‘administrative user interface’ concentrates on the consistent
information that is practically, part of the organizational activities and which
needs proper authentication for the data collection. These interfaces help the
administrators with all the transactional states like Data insertion, Data deletion
and Date updation along with the extensive data search capabilities.
The ‘operational or generic user interface’ helps the end users of the
system in transactions through the existing data and required services. The
operational user interface also helps the ordinary users in managing their own
information in a customized manner as per the included flexibilities.

19. 9
3.2.2 Input & Output Representation
INPUT DESIGN
The input design is the link between the information system and the user. It
comprises the developing specification and procedures for data preparation and those
steps are necessary to put transaction data in to a usable form for processing can be
achieved by inspecting the computer to read data from a written or printed document
or it can occur by having people keying the data directly into the system. The design
of input focuses on controlling the amount of input required, controlling the errors,
avoiding delay, avoiding extra steps and keeping the process simple. The input is
designed in such a way so that it provides security and ease of use with retaining the
privacy. Input Design considered the following things:
 What data should be given as input?
 How the data should be arranged or coded?
 The dialog to guide the operating personnel in providing input.
 Methods for preparing input validations and steps to follow when error
occur.
OBJECTIVES
1. Input Design is the process of converting a user-oriented description of the
input into a computer-based system. This design is important to avoid errors in
the data input process and show the correct direction to the management for
getting correct information from the computerized system.
2. It is achieved by creating user-friendly screens for the data entry to handle
large volume of data. The goal of designing input is to make data entry easier
and to be free from errors. The data entry screen is designed in such a way that
all the data manipulates can be performed. It also provides record viewing
facilities.
3. When the data is entered it will check for its validity. Data can be entered with
the help of screens. Appropriate messages are provided as when needed so that
the user will not be in maize of instant. Thus the objective of input design is to
create an input layout that is easy to follow

20. 10
OUTPUT DESIGN
A quality output is one, which meets the requirements of the end user and
presents the information clearly. In any system results of processing are
communicated to the users and to other system through outputs. In output design it is
determined how the information is to be displaced for immediate need and also the
hard copy output. It is the most important and direct source information to the user.
Efficient and intelligent output design improves the system’s relationship to help user
decision-making.
1. Designing computer output should proceed in an organized, well thought out
manner; the right output must be developed while ensuring that each output
element is designed so that people will find the system can use easily and
effectively. When analysis design computer output, they should Identify the
specific output that is needed to meet the requirements.
2. Select methods for presenting information.
3. Create document, report, or other formats that contain information produced
by the system.
The output form of an information system should accomplish one or more of the
following objectives.
1. Convey information about past activities, current status or projections of the
2. Future.
3. Signal important events, opportunities, problems, or warnings.
4. Trigger an action.
5. Confirm an action.

21. 11
3.2.3 Process Model Used With Justification
SDLC (Umbrella Model)
SDLC is nothing but Software Development Life Cycle. It is a standard which is used
by the software industry to develop good software.
Fig: 3.1 SDLC
Stages of SDLC:
 Requirement Gathering
 Analysis
 Designing
 Coding
 Testing
 Maintenance
Requirements Gathering stage:
The requirements gathering process takes as its input the goals identified in the
high-level requirements section of the project plan. Each goal will be refined into a set
of one or more requirements. These requirements define the major functions of the
intended application, define operational data areas and reference data areas, and
define the initial data entities. Major functions include critical processes to be

22. 12
managed, as well as mission critical inputs, outputs and reports. A user class hierarchy
is developed and associated with these major functions, data areas, and data entities.
Each of these definitions is termed a Requirement. Requirements are identified by
unique requirement identifiers and, at minimum, contain a requirement title and
textual description.
Fig: 3.2 Requirement Gathering Stage
These requirements are fully described in the primary deliverables for this
stage: the Requirements Document and the Requirements Traceability Matrix (RTM).
The requirements document contains complete descriptions of each requirement,
including diagrams and references to external documents as necessary. Note that
detailed listings of database tables and fields are not included in the requirements
document.
The title of each requirement is also placed into the first version of the RTM,
along with the title of each goal from the project plan. The purpose of the RTM is to
show that the product components developed during each stage of the software
development lifecycle are formally connected to the components developed in prior
stages. In the requirements stage, the RTM consists of a list of high-level
requirements, or goals, by title, with a listing of associated requirements for each goal,
listed by requirement title. In this hierarchical listing, the RTM shows that each

23. 13
requirement developed during this stage is formally linked to a specific product goal.
In this format, each requirement can be traced to a specific product goal, hence the
term requirements traceability.
Analysis Stage:
The planning stage establishes a bird's eye view of the intended software
product, and uses this to establish the basic project structure, evaluate feasibility and
risks associated with the project, and describe appropriate management and technical
approaches. The most critical section of the project plan is a listing of high-level
product requirements, also referred to as goals. All of the software product
requirements to be developed during the requirements definition stage flow from one
or more of these goals.
The minimum information for each goal consists of a title and textual
description, although additional information and references to external documents
may be included. The outputs of the project planning stage are the configuration
management plan, the quality assurance plan, and the project plan and schedule, with
a detailed listing of scheduled activities for the upcoming Requirements stage, and
high level estimates of effort for the out stages.
Fig: 3.3 Analysis Stage

24. 14
Designing Stage:
The design stage takes as its initial input the requirements identified in the
approved requirements document. For each requirement, a set of one or more design
elements will be produced as a result of interviews, workshops, and/or prototype
efforts. Design elements describe the desired software features in detail, and generally
include functional hierarchy diagrams, screen layout diagrams, tables of business
rules, business process diagrams, pseudo code, and a complete entity-relationship
diagram with a full data dictionary. These design elements are intended to describe
the software in sufficient detail that skilled programmers may develop the software
with minimal additional input.
Fig: 3.4 Designing Stage
When the design document is finalized and accepted, the RTM is updated to show
that each design element is formally associated with a specific requirement. The
outputs of the design stage are the design document, an updated RTM, and an updated
project plan.
Development (Coding) Stage:
The development stage takes as its primary input the design elements
described in the approved design document. For each design element, a set of one or
more software artifacts will be produced. Software artifacts include but are not limited

25. 15
to menus, dialogs, data management forms, data reporting formats, and specialized
procedures and functions. Appropriate test cases will be developed for each set of
functionally related software artifacts, and an online help system will be developed to
guide users in their interactions with the software.
The RTM will be updated to show that each developed artifact is linked to a
specific design element, and that each developed artifact has one or more
corresponding test case items. At this point, the RTM is in its final configuration.
Fig: 3.5 Development Stage
The outputs of the development stage include a fully functional set of software that
satisfies the requirements and design elements previously documented, an online help
system that describes the operation of the software, an implementation map that
identifies the primary code entry points for all major system functions, a test plan that
describes the test cases to be used to validate the correctness and completeness of the
software, an updated RTM, and an updated project plan.
Integration & Test Stage:
During the integration and test stage, the software artifacts, online help, and
test data are migrated from the development environment to a separate test
environment. At this point, all test cases are run to verify the correctness and
completeness of the software. Successful execution of the test suite confirms a robust

26. 16
and complete migration capability. During this stage, reference data is finalized for
production use and production users are identified and linked to their appropriate
roles. The final reference data (or links to reference data source files) and production
user list are compiled into the Production Initiation Plan.
Fig:3.6 Integration & Testing Stage
The outputs of the integration and test stage include an integrated set of software, an
online help system, an implementation map, a production initiation plan that describes
reference data and production users, an acceptance plan which contains the final suite
of test cases, and an updated project plan.
Installation & Acceptance Test:
During the installation and acceptance stage, the software artifacts, online
help, and initial production data are loaded onto the production server. At this point,
all test cases are run to verify the correctness and completeness of the software.
Successful execution of the test suite is a prerequisite to acceptance of the software by
the customer.

27. 17
After customer personnel have verified that the initial production data load is
correct and the test suite has been executed with satisfactory results, the customer
formally accepts the delivery of the software.
Fig:3.7 Installation & Acceptance
The primary outputs of the installation and acceptance stage include a production
application, a completed acceptance test suite, and a memorandum of customer
acceptance of the software. Finally, the PDR enters the last of the actual labor data
into the project schedule and locks the project as a permanent project record. At this
point the PDR "locks" the project by archiving all software items, the implementation
map, the source code, and the documentation for future reference.
Maintenance:
Outer rectangle represents maintenance of a project, Maintenance team will
start with requirement study, understanding of documentation later employees will be
assigned work and they will under go training on that particular assigned category.For
this life cycle there is no end, it will be continued so on like an umbrella (no ending
point to umbrella sticks).

28. 18
3.2.4 System Requirements Specification
A Software Requirements Specification (SRS) – a requirements specification for a
software system is a complete description of the behaviour of a system to be
developed. It includes a set of use cases that describe all the interactions the users will
have with the software. In addition to use cases, the SRS also contains non-functional
requirements. Non functional requirements are requirements which impose constraints
on the design or implementation (such as performance engineering requirements,
quality standards, or design constraints).
System requirements specification: A structured collection of information that
embodies the requirements of a system. A business analyst, sometimes titled system
analyst, is responsible for analyzing the business needs of their clients and
stakeholders to help identify business problems and propose solutions. Within the
systems development life cycle domain, typically performs a liaison function between
the business side of an enterprise and the information technology department or
external service providers. Projects are subject to three sorts of requirements:
 Business requirements describe in business terms what must be delivered or
accomplished to provide value.
 Product requirements describe properties of a system or product (which could
be one of several ways to accomplish a set of business requirements.)
 Process requirements describe activities performed by the developing
organization. For instance, process requirements could specify specific
methodologies that must be followed, and constraints that the organization must
obey.
Product and process requirements are closely linked. Process requirements often
specify the activities that will be performed to satisfy a product requirement. For
example, a maximum development cost requirement (a process requirement) may be
imposed to help achieve a maximum sales price requirement (a product requirement);
a requirement that the product be maintainable (a Product requirement) often is
addressed by imposing requirements to follow particular development styles.

29. 19
Role of SRS:
The purpose of the Software Requirement Specification is to reduce the
communication gap between the client and the developers. Software Requirement
Specification is the medium through which the client and the user needs are
accurately specified. It forms the basic of the software development. A good SRS
should satisfy all the parties involved in the system.
Scope:
This document is the only one that describes the requirements of the system. It
is meant for the user by the developers, and also be the basic for validating the final
delivery system. Any changes made to the requirements in the future will have to go
through a formula change approval process. The developer is responsible for asking
for clarification, where necessary, and will not make any alterations without the
permission of the client.
3.3 FUNCTIONAL REQUIREMENTS
3.3.1 Software Requirements:
Operating System : Windows XP/7/8/10
User Interface : HTML/CSS
Programming Language : Python
Web Framework : Django
Database : MYSQL
3.3.2 Hardware Requirements:
System : Pentium IV 2.4 GHz
Hard Disk : 40 Gb
Monitor : 14’ Colour Monitor
Ram : 512Mb

30. 20
3.4 NON FUNCTIONAL REQUIREMENTS:
Performance:
The performance of the developed applications can be calculated by using following
methods:
Measuring enables you to identify how the performance of your application
stands in relation to your defined performance goals and helps you to identity the
bottlenecks that affect your application performance. It helps you identify whether
your application is moving toward or away from your performance goals. Defining
what you will measure, that is, your metrics, and defining the objectives for each
metric is a critical part of your testing plan.
Performance objectives include the following:
 Response time or latency
 Throughput
 Resource utilization
Safety & Security:
The security design process is cyclical. The security of an application depends
upon the vigilance of the developers and administrators not just during the design
phase but also for the life of the application. Since new threats arise almost daily, an
application must be scrutinized constantly for potential security flaws. However, the
initial design of the application determines how often those flaws are likely to occur.
Security threats are any potential occurrence, malicious or otherwise, that can
have an undesirable effect of application. Vulnerabilities in the application or
operating system make a threat possible. The risk involved in the potential damage
that attack can inflict on the application or even the business.
Maintainability:
The increased complexity of modern software applications also increases the
difficulty of making the code reliable and maintainable. In recent years , many
software measures, known as code metrics, have been developed that can help the
developers understands where the code needs rework or increased testing.

31. 21
Developer can use Visual Studio Application Lifecycle Management to
generate code metrics data that measures the complexity and maintainability of their
managed code. Code metrics data can be generated from entire solution or a single
project.
Scalability:
The algorithm used in this project serves the purpose of analysing the
sentiments of large data sets and new data sets until the words in the datasets
constitute of the standard dictionary terms.
Availability:
All the resources which were used in the development of the application are
mostly open-source and widely available. Anyone with basic internet connectivity
canaccess these resources.
Reliability:
Though it falls short before the accuracy of analyzing sentiments when
compared to human beings. This algorithm makes sure that most of the
unambiguous sentences are analyzed very accurately.
Data integrity:
The reviews and the sentiments are stored in a CSV file such that each and
every entry has a unique field which henceforth is securely encapsulated and sent
after analysis.

32. 22
4. DESIGN
4.1 INTRODUCTION
Software design is the process by which an agent creates a specification of a
software artifact, intended to accomplish goals, using a set of primitive components
and subject to constraints. Software design may refer to either "all the activity
involved in conceptualizing, framing, implementing, commissioning, and ultimately
modifying complex systems" or "the activity following requirements specification
and before programming, as in a stylized software engineering process." Software
design usually involves problem solving and planning a software solution. This
includes both a low-level component design and a high-level, architecture design.
4.2 SYSTEM ARCHITECTURE
ARCHITECTURE:-
Fig: 4.1System Architecture

33. 23
ER DIAGRAMS:-
Fig:4.2 ER Diagram of User
Fig: 4.3 ER Diagram of Admin

34. 24
4.3 MODULE DESIGN & ORGANIZATION
1. Cyber Analysis
2. Dataset Modification
3. Data Reduction
4. Risky User Detection
CYBER ANALYSIS:-
Cyber threat analysis is a process in which the knowledge of internal and
external information vulnerabilities pertinent to a particular organization is matched
against real-world cyber-attacks. With respect to cyber security, this threat-oriented
approach to combating cyber-attacks represents a smooth transition from a state of
reactive security to a state of proactive one.
Moreover, the desired result of a threat assessment is to give best practices on
how to maximize the protective instruments with respect to availability,
confidentiality and integrity, without turning back to usability and functionality
conditions. A threat could be anything that leads to interruption, meddling or
destruction of any valuable service or item existing in the firm’s repertoire. Whether
of “human” or “nonhuman” origin, the analysis must scrutinize each element that may
bring about conceivable security risk.
DATASET MODIFICATION:-
If a dataset in your dashboard contains many dataset objects, you can hide
specific dataset objects from display in the Datasets panel. For example, if you decide
to import a large amount of data from a file, but do not remove every unwanted data
column before importing the data into Web, you can hide the unwanted attributes and
metrics.
To hide dataset objects in the Datasets panel, To show hidden objects in the
Datasets panel, To rename a dataset object, To create a metric based on an attribute,
To create an attribute based on a metric, To define the geo role for an attribute, To
create an attribute with additional time information, To replace a dataset object in the
dashboard.

35. 25
DATA REDUCTION:-
Improve storage efficiency through data reduction techniques and capacity
optimization using data reduplication, compression, snapshots and thin
provisioning. Data reduction via simply deleting unwanted or unneeded data is the
most effective way to reduce the storage of data.
RISKY USER DETECTION:-
False alarm immunity to prevent customer embarrassment, High detection rate
to protect all kinds of goods from theft, Wide-exit coverage offers greater flexibility
for entrance/exit layouts, Wide range of attractive designs complement any store
décor, Sophisticated digital controller technology for optimum system performance.
4.4 UML DIAGRAMS
We prepare UML diagrams to understand the system in a better and simple
way. A single diagram is not enough to cover all the aspects of the system. UML
defines various kinds of diagrams to cover most of the aspects of a system. You can
also create your own set of diagrams to meet your requirements. There are two broad
categories of diagrams and they are again divided into subcategories −
1. STRUCTURAL DIAGRAMS:-
These static parts are represented by classes, interfaces, objects,
components, and nodes. The four structural diagrams are −
 Class diagram
 Object diagram
 Component diagram
 Deployment diagram
2. BEHAVIORAL DIAGRAMS:-
Behavioural diagrams basically capture the dynamic aspect of a
system. Dynamic aspect can be further described as the changing/moving
parts of a system.
 Use case diagram
 Sequence diagram
 Collaboration diagram
 State chart diagram
 Activity diagram

36. 26
4.4.1 Class Diagram:-
Class diagram is a static diagram. It represents the static view of an
application. Class diagram is not only used for visualizing, describing, and
documenting different aspects of a system but also for constructing executable
code of the software application.
Class diagram describes the attributes and operations of a class and also
the constraints imposed on the system. The class diagrams are widely used in the
modelling of object-oriented systems because they are the only UML diagrams,
which can be mapped directly with object-oriented languages.
The purpose of class diagram is to model the static view of an application.
Class diagrams are the only diagrams which can be directly mapped with object-
oriented languages and thus widely used at the time of construction.
Fig: 4.4 Class Diagram

37. 27
4.4.2 Use Case Diagram:-
To model a system, the most important aspect is to capture the dynamic
behavior. Dynamic behavior means the behavior of the system when it is running
/operating. Only static behavior is not sufficient to model a system rather dynamic
behavior is more important than static behavior. In UML, there are five diagrams
available to model the dynamic nature and use case diagram is one of them. Now as
we have to discuss that the use case diagram is dynamic in nature, there should be
some internal or external factors for making the interaction.
USER:-
Fig: 4.5 User Use Case Diagram
ADMIN:-
Fig: 4.6 Admin Use Case Diagram

38. 28
4.4.3 Sequence Diagram:-
A sequence diagram simply depicts interaction between objects in a sequential
order i.e. the order in which these interactions take place. We can also use the terms
event diagrams or event scenarios to refer to a sequence diagram. Sequence diagrams
describe how and in what order the objects in a system function. These diagrams are
widely used by businessmen and software developers to document and understand
requirements for new and existing systems.
It represents the detail of a UML use case. Model the logic of a sophisticated
procedure, function, or operation. See how objects and components interact with each
other to complete a process. Plan and understand the detailed functionality of an
existing or future scenario.
Fig: 4.7 Sequence Diagram

39. 29
4.4.4 Collaboration Diagram:-
The second interaction diagram is the collaboration diagram. It shows the
object organization as seen in the following diagram. In the collaboration diagram, the
method call sequence is indicated by some numbering technique. The number
indicates how the methods are called one after another. We have taken the same order
management system to describe the collaboration diagram.
Method calls are similar to that of a sequence diagram. However, difference
being the sequence diagram does not describe the object organization, whereas the
collaboration diagram shows the object organization.
Fig: 4.8 Collaboration Diagram
4.4.5 Activity Diagram:-
Activity diagram is basically a flowchart to represent the flow from one
activity to another activity. The activity can be described as an o0peration of the
system. The control flow is drawn from one operation to another. This flow can be

40. 30
sequential, branched, or concurrent. Activity diagrams deal with all type of flow
control by using different elements such as fork, join, etc.
USER:-
Fig: 4.9 User Activity Diagram
ADMIN:-
Fig: 4.10 Admin Activity Diagram

41. 31
4.4.6 Deployment Diagram:-
Deployment diagrams are used to visualize the topology of the physical
components of a system, where the software components are deployed. Deployment
diagrams are used to describe the static deployment view of a system. Deployment
diagrams consist of nodes and their relationships.
The term Deployment itself describes the purpose of the diagram. Deployment
diagrams are used for describing the hardware components, where software
components are deployed. Component diagrams and deployment diagrams are
closely related. Component diagrams are used to describe the components and
deployment diagrams shows how they are deployed in hardware.
Fig: 4.11 Deployment Diagram

42. 32
5. IMPLEMENTATION
5.1 INTRODUCTION
This project is developed using Python as front end and MySQL as back end
in Windows environment. The web framework used for this project is Django. This
system provides optimized utilization of resources, improved productivity, and
efficient management of resources as it is completely computerized and has
centralized database maintenance.
Implementation is the most crucial stage in achieving a successful system and
giving the user’s confidence that the new system is workable and effective.
Implementation of the modified application to replace an existing one. This type of
conversation is relatively easy to handle, provide there are no major changes in the
system.
Each program is tested individually at the time of development using the data
and has verified that this program linked together in the way specified in the programs
specification, the computer system and its environment is tested to the satisfaction of
the user. The system that has been developed is accepted and proved to be satisfactory
for the user. And so the system is going to be implemented very soon. A simple
operating procedure is included so that the user can understand the different functions
clearly and quickly.
5.2 TECHNOLOGIES REQUIRED
5.2.1 Overview of Python
Python is an interpreter, object-oriented, high-level programming
language with dynamic semantics. Its high-level built in data structures, combined
with dynamic typing and dynamic binding, make it very attractive for Rapid
Application Development, as well as for use as a scripting or glue language to connect
existing components together. Python's simple, easy to learn syntax emphasizes
readability and therefore reduces the cost of program maintenance. Python supports
modules and packages, which encourages program modularity and code reuse. The
Python interpreter and the extensive standard library are available in source or binary
form without charge for all major platforms, and can be freely distributed.

43. 33
Fig: 5.1 Internal Working of Python
Features of Python:-
 Easy-to-learn: Python has few keywords, simple structure, and a clearly
defined syntax. This allows the student to pick up the language quickly.
 Easy-to-read: Python code is more clearly defined and visible to the eyes.
 Easy-to-maintain: Python's source code is fairly easy-to-maintain.
 A broad standard library: Python's bulk of the library is very portable and
cross-platform compatible on UNIX, Windows, and Macintosh.
 Interactive Mode: Python has support for an interactive mode which allows
interactive testing and debugging of snippets of code.
 Portable: Python can run on a wide variety of hardware platforms and has the
same interface on all platforms.
 Extendable: You can add low-level modules to the Python interpreter. These
modules enable programmers to add to or customize their tools to be more
efficient.
 Databases: Python provides interfaces to all major commercial databases.

44. 34
 GUI Programming: Python supports GUI applications that can be created
and ported to many system calls, libraries and windows systems, such as
Windows MFC, Macintosh, and the X Window system of Unix.
 Scalable: Python provides a better structure and support for large programs
than shell scripting.
5.2.2. Overview of Django
Django is a free and open source web application framework written in
Python. A framework is nothing more than a collection of modules that make
development easier. They are grouped together, and allow you to create applications
or websites from an existing source, instead of from scratch. Django offers a big
collection of modules which you can use in your own projects. Primarily, frameworks
exist to save developers a lot of wasted time and headaches and Django is no
different.
Fig: 5.2 Django Architecture
Django web applications typically group the code that handles each of these steps into
separate files:
 URLs: While it is possible to process requests from every single URL via a
single function, it is much more maintainable to write a separate view
function to handle each resource. A URL mapper is used to redirect HTTP
requests to the appropriate view based on the request URL. The URL
mapper can also match particular patterns of strings or digits that appear in
a URL and pass these to a view function as data.

45. 35
 View: A view is a request handler function, which receives HTTP requests
and returns HTTP responses. Views access the data needed to satisfy
requests via models, and delegate the formatting of the response
to templates.
 Models: Models are Python objects that define the structure of
an application's data, and provide mechanisms to manage (add, modify,
delete) and query records in the database.
 Templates: A template is a text file defining the structure or layout of a file
(such as an HTML page), with placeholders used to represent actual
content. A view can dynamically create an HTML page using an HTML
template, populating it with data from a model. A template can be used to
define the structure of any type of file; it doesn't have to be HTML
Fig: 5.3 Basic Architecture View

46. 36
5.3 ALGORITHM:
SUPPORT VECTOR MACHINE (SVM)
“Support Vector Machine” (SVM) is a supervised machine learning algorithm
which can be used for both classification and regression challenges. However, it is
mostly used in classification problems. In this algorithm, we plot each data item as a
point in n-dimensional space (where n is number of features you have) with the value
of each feature being the value of a particular coordinate. Then, we perform
classification by finding the hyper-plane that differentiate the two classes very well.
Fig: 5.4 SVM Algorithm Block Diagram
The SVM algorithm is implemented in practice using a kernel. The learning of
the hyper plane in linear SVM is done by transforming the problem using some linear
algebra, which is out of the scope of this introduction to SVM. A powerful insight is
that the linear SVM can be rephrased using the inner product of any two given
observations, rather than the observations themselves. The inner product between two
vectors is the sum of the multiplication of each pair of input values.
For example, the inner product of the vectors [2, 3] and [5, 6] is 2*5 + 3*6 or
28. The equation for making a prediction for a new input using the dot product
between the input (x) and each support vector (xi) is calculated as follows:
f(x) = B0 + sum(ai * (x,xi))

47. 37
This is an equation that involves calculating the inner products of a new input vector
(x) with all support vectors in training data. The coefficients B0 and ai (for each
input) must be estimated from the training data by the learning algorithm.

48. 38
5.4 SAMPLE CODE:
Url.py (cyber_security_alert)
"""cyber_security_alert URL Configuration
The `urlpatterns` list routes URLs to views. For more information please see:
https://docs.djangoproject.com/en/1.11/topics/http/urls/
Examples:
Function views
1. Add an import: from my_app import views
2. Add a URL to urlpatterns: url(r'^$', views.home, name='home')
Class-based views
1. Add an import: from other_app.views import Home
2. Add a URL to urlpatterns: url(r'^$', Home.as_view(), name='home')
Including another URLconf
1. Import the include() function: from django.conf.urls import url, include
2. Add a URL to urlpatterns: url(r'^blog/', include('blog.urls'))
"""
from django.conf.urls import url
from django.contrib import admin
from cyber_alert import views as alert_view
from admins import views as admin_view

49. 39
urlpatterns = [
url(r'^admin/', admin.site.urls),
url(r'^$', alert_view.admin_login, name="admin_login"),
url(r'^admin_register/$', alert_view.admin_register, name="admin_registe"),
url(r'^giver_transaction/$', alert_view.giver_transaction,
name="giver_transaction"),
url(r'^analyze_page/$', alert_view.analyze_page, name="analyze_page"),
url(r'^viewer/(?P<chart_type>w+)', alert_view.viewer, name="viewer"),
url(r'^update/$', alert_view.update, name="update"),
url(r'^logout_page/$', alert_view.logout_page, name="logout_page"),
url(r'^mydetails/$', alert_view.mydetails, name="mydetails"),
url(r'^show/$', alert_view.show, name="show"),
url(r'^receivealert/$', alert_view.receivealert, name="receivealert"),
url(r'^admins/admin_page/$', admin_view.admin_page, name="admin_page"),
url(r'^admins/analyze/$', admin_view.analyze, name="analyze"),
url(r'^admins/adlogout/$', admin_view.adlogout, name="adlogout"),
url(r'^admins/charts/(?P<chart_type>w+)', admin_view.charts,name="charts"),
url(r'^admins/riskuser/$',admin_view.riskuser, name="riskuser"),
url(r'^admins/riskalert/(?P<tuser>d+)$',admin_view.riskalert, name="riskalert"),
]

50. 40
Settings.py (cyber_security_alert)
"""
Django settings for cyber_security_alert project.
Generated by 'django-admin startproject' using Django 1.11.5.
For more information on this file, see
https://docs.djangoproject.com/en/1.11/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.11/ref/settings/
"""
import os
# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'gn-jzi2u3%gw+olpxfrd%ye6210z3=$+(r@c5ly(%8j2$5)k77'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

51. 41
ALLOWED_HOSTS = []
# Application definition
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'cyber_alert',
'admins'
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

52. 42
ROOT_URLCONF = 'cyber_security_alert.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [((os.path.join(BASE_DIR,'assests/templates')))],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'cyber_security_alert.wsgi.application'
# Database
# https://docs.djangoproject.com/en/1.11/ref/settings/#databases
DATABASES = {

53. 43
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'alarm',
'USER': 'root',
'PASSWORD': '',
'HOST': '127.0.0.1',
'PORT': '3306',
}
}
# Password validation
# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME':
'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},

54. 44
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/1.11/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.11/howto/static-files/
STATIC_URL = '/static/'
STATICFILES_DIRS= [os.path.join(BASE_DIR, 'assests/static')]
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, 'assests/media')
Recivealrets.html (User Page):
<!DOCTYPE html>
{% load staticfiles %}
<html lang="en">

55. 45
<head>
<meta charset="UTF-8">
<title>Title</title>
<style>
body{
background: url("{% static 'admin1.jpg' %}");
background-size: cover; }
.menu table{
width:100%;
text-align:center;
}
.menu table td:hover{
background:rgb(0,0,0);
}
.menu table td{
background: #584b4f;
}
.menu table,.menu table th,.menu table td {
border: ;
border-collapse: collapse;
}

56. 46
.menu table th,.menu table td {
padding: 15px;
}
.topic h1{
color:white;
padding:2px;
text-align:center;
border-style:none;
height:100px;
width:1330px;
float:left;
}
.giver
{
color: darkgrey;
font-family: cooper;
padding: 50px;
margin-right: 500px;
}

57. 47
input:not([type]), input[type="email" i], input[type="number" i],
input[type="password" i], input[type="tel" i], input[type="url" i], input[type="text" i]
{
padding: 5px 5px;
border-radius:10px;
margin-bottom:10px;
padding: 6px;
}
table1 {
border-collapse: collapse;
width: 100%;
}
th {
border: 1px solid #dddddd;
text-align: center;
padding: 8px;
}
.image1{
background: url("{% static 'warning4.png' %}");
background-size: 100% 100%;
width: 700px;
height: 442px;

58. 48
margin-top: -99px;
float: right;
}
</style>
</head>
<body style="background-color:#393e44">
<div class="topic"><h1 style="margin-top:10px;margin-left:60px;border-
style:none;width:1300px;height:40px;border-color:black;background:;">A User-
Centric Machine Learning Framework for
Cyber Security Operations Center</h1></div>
<div class="menu">
<table>
<tr>
<td><a style="color:violet; font-family:cooper; text-decoration:none;" href="{% url
'mydetails' %} "> MY DETAILS </a></td>
<td><a style="color:violet; font-family:cooper; text-decoration: none;"
href="{% url 'update' %} " > UPDATE DETAILS</a></td>
<td><a style="color:violet; font-family:cooper; text-decoration: none;"
href="{% url 'analyze_page' %}"> ANALYZE PAGE</a></td>
<td><a style="color:violet;font-family:cooper; text-decoration: none;"
href="{% url 'giver_transaction' %}">TRANSACTION</a></td>
<td><a style="color:violet; font-family:cooper; text-decoration: none;"
href="{% url 'receivealert' %}"> RECEIVE ALERT</a></td><td><a
style="color:violet; font-family:cooper; text-decoration: none; " href="{% url
'logout_page' %}">LOGOUT</a></td>

59. 49
</tr>
</table>
</div>
<div class="table1">
<table class="giver">
<tr style="border-style:groove">
<th>NAME</th>
<th>ALERT MESSAGE</th>
</tr>
{% for o in de %}
<tr>
<td class="td">{{o.name}}</td>
<td class="td">{{o.sendquery}}</td>
</tr>
{% endfor %}
</table>
</div>
<div class="image1">
</div>
</body>
</html>

60. 50
5.5 OUTPUT SCREENS:
USER SCREENS
Login Page:-
Fig: 5.5.1 User Login Page
Transaction Page:-
Fig: 5.5.2 User Transaction Page

61. 51
Analyze Page:-
Fig: 5.5.3 User Analyze Page
Receive Alerts Page:-
Fig: 5.5.4 User Receive Alerts Page

62. 52
ADMIN SCREENS
Analyze Page:-
Fig: 5.5.5 Admin Analyze Page
Risk User Page:-
Fig: 5.5.6 Admin Risk Users Page

63. 53
Send Query Page:
Fig: 5.5.7 Admin Send Query Page
Charts Page:-
Fig: 5.5.8 Admin Charts Page

64. 54
6. TESTING, VALIDATION AND RESULT
6.1 INTRODUCTION TO TESTING
Testing is a process, which reveals errors in the program. It is the major
quality measure employed during software development. During testing, the program
is executed with a set of test cases and the output of the program for the test cases is
evaluated to determine if the program is performing as it is expected to perform.
The purpose of testing is to discover errors. Testing is the process of trying to
discover every conceivable fault or weakness in a work product. It provides a way to
check the functionality of components, sub assemblies, assemblies and/or a finished
product It is the process of exercising software with the intent of ensuring that the
Software system meets its requirements and user expectations and does not fail in an
unacceptable manner. There are various types of test. Each test type addresses a
specific testing requirement.
6.2 TESTING IN STRATEGIES
Unit Testing
Unit testing involves the design of test cases that validate that the internal
program logic is functioning properly, and that program inputs produce valid outputs.
All decision branches and internal code flow should be validated. It is the testing of
individual software units of the application .it is done after the completion of an
individual unit before integration. This is a structural testing, that relies on knowledge
of its construction and is invasive. Unit tests perform basic tests at component level
and test a specific business process, application, and/or system configuration. Unit
tests ensure that each unique path of a business process performs accurately to the
documented specifications and contains clearly defined inputs and expected results.
Integration Testing
Integration tests are designed to test integrated software components to
determine if they actually run as one program. Testing is event driven and is more
concerned with the basic outcome of screens or fields. Integration tests demonstrate
that although the components were individually satisfaction, as shown by successfully

65. 55
unit testing, the combination of components is correct and consistent. Integration
testing is specifically aimed at exposing the problems that arise from the combination
of components.
Functional Test
Functional tests provide systematic demonstrations that functions tested are
available as specified by the business and technical requirements, system
documentation, and user manuals.
Functional testing is centred on the following items:
Valid Input : identified classes of valid input must be accepted.
Invalid Input : identified classes of invalid input must be rejected.
Functions : identified functions must be exercised.
Output : identified classes of application must be o/p exercised.
Procedures : interfacing systems or procedures must be invoked.
Organization and preparation of functional tests is focused on requirements,
key functions, or special test cases. In addition, systematic coverage pertaining to
identify Business process flows; data fields, predefined processes, and successive
processes must be considered for testing. Before functional testing is complete,
additional tests are identified and the effective value of current tests is determined.
System Test
System testing ensures that the entire integrated software system meets
requirements. It tests a configuration to ensure known and predictable results. An
example of system testing is the configuration oriented system integration test.
System testing is based on process descriptions and flows, emphasizing pre-driven
process links and integration points.

66. 56
White Box Testing
White Box Testing is a testing in which in which the software tester has
knowledge of the inner workings, structure and language of the software, or at least its
purpose. It is purpose. It is used to test areas that cannot be reached from a black box
level.
Black Box Testing
Black Box Testing is testing the software without any knowledge of the inner
workings, structure or language of the module being tested. Black box tests, as most
other kinds of tests, must be written from a definitive source document, such as
specification or requirements document, such as specification or requirements
document. It is a testing in which the software under test is treated, as a black box
.you cannot “see” into it. The test provides inputs and responds to outputs without
considering how the software works.
6.3 DESIGN OF TEST CASES AND SCENARIOS:
Quality Assurance:
The aim of this step is to maintain or to ensure the quality of the system
developed. The quality assurance goals in the system life cycle involves
1. Quality factors specification: - This was done to determine the factors that lead to
high quality of a system.
i. Correctness- The extent to which a program meets System specification.
ii. Reliability – The degree to which a program meets system specification.
iii. Efficiency - The amount of computer resources required by the entire program
perform a function.
iv. Usability – The effort required learning and operating the system.
v. Maintainability – The ease with which the program errors are located and
corrected.

67. 57
vi. Test-ability - The effort required to test a program to ensure its correct
performance.
vii. Portability – The ease of transporting a program from one hardware
configuration to another.
viii. Accuracy - The required precision in input editing, computation and output.
ix. Error Tolerance – Error detection and correction versus error avoidance.
x. Expand-ability - Ease of adding or expanding existing databases.
xi. Access Controls and Audit – Control of access to the system and the extent
to which that access can be audited.
2. Communication – How useful the input and output of the system are.
i. Software Requirements Specification: - This was done to generate the
required documents that provide the technical specification for the design and
development of the software.
ii. Software Design Specification: - This was done in order to provide the
functions and features described in the previous stage.
3. Software Testing and Implementation: - This was done to provide necessary
software adjustment for the system to continue to comply with the original
specifications.
Quality Assurance is the review of software and related documentation for
correctness, accuracy, maintainability, reliability, and expendable. This also includes
assurances that the system meets the specifications and requirements for its intended
use performance.

68. 58
6.4 VALIDATION:
6.4.1Unit Testing
Unit testing is usually conducted as part of a combined code and unit test phase of the
software lifecycle, although it is not uncommon for coding and unit testing to be
conducted as two distinct phases.
Test strategy and approach
Field testing will be performed manually and functional tests will be written in
detail.
Test objectives
 All field entries must work properly.
 Pages must be activated from the identified link.
 The entry screen, messages and responses must not be delayed.
Features to be tested
 Verify that the entries are of the correct format
 No duplicate entries should be allowed
 All links should take the user to the correct page.
6.4.2 Integration Testing
Software integration testing is the incremental integration testing of two or
more integrated software components on a single platform to produce failures caused
by interface defects.
The task of the integration test is to check that components or software applications,
e.g. components in a software system or – one step up – software applications at the
company level – interact without error.
Test Results: All the test cases mentioned above passed successfully. No defects
encountered.

69. 59
6.4.3 Acceptance Testing
User Acceptance Testing is a critical phase of any project and requires
significant participation by the end user. It also ensures that the system meets the
functional requirements.
Test Results: All the test cases mentioned above passed successfully. No defects
encountered.

70. 60
7. CONCLUSION
7.1 CONCLUSION
Machine learning is an effective tool that can be employed in many areas of
information security. There exist some robust anti-phishing algorithms and network
intrusion detection systems. Machine learning can be successfully used for
developing authentication systems, evaluating the protocol implementation,
assessing the security of human interaction proofs, smart meter data profiling, etc.
In this work, we present a user-centric machine learning system which
leverages big data of various security logs, alert information, and analyst insights to
the identification of risky user. This system provides a complete framework and
solution to risky user detection for enterprise security operation center. We describe
briefly how to generate labels from SOC investigation notes, to correlate IP, host,
and users to generate user-centric features, to select machine learning algorithms
and evaluate performances, as well as how to such a machine learning system in
SOC production environment.
We also demonstrate that the learning system is able to learn more insights
from the data with highly unbalanced and limited labels, even with simple machine
learning algorithms. The average lift on top 20% predictions for multi neural
network model is over 5 times better than current rule-based system. The whole
machine learning system is implemented in production environment and fully
automated from data acquisition, daily model refreshing, to real time scoring, which
greatly improve SOC analyst’s efficiency and enhance enterprise risk detection and
management.
7.2 FUTURE ENHANCEMENT
As to the future work, we will research other learning algorithms to further
improve the detection accuracy. We will increase the security with more new ways
for securing the users operations. In SOC analyst we keep our efforts to add more
new ways of finding the attack.

71. 61
8. BIBLIOGRAPHY
8.1 REFERENCES
1. SANS Technology Institute. “The 6 Categories of Critical Log
Information.” 2013.
2. X. Li and B. Liu. “Learning to classify text using positive and unlabeled
data”, Proceedings of the 18th international joint conference on Artificial
intelligence, 2003
3. A. L. Buczak and E. Guven. “A survey of data mining and machine
learning methods for cyber security intrusion detection”, IEEE
Communications Surveys & Tutorials 18.2 (2015): 1153-1176.
4. S. Choudhury and A. Bhowal. “Comparative analysis of machine learning
algorithms along with classifiers for network intrusion detection”, Smart
Technologies and Management for Computing, Communication,
Controls, Energy and Materials (ICSTM), 2015.
5. N. Chand et al. “A comparative analysis of SVM and its stacking with
other classification algorithm for intrusion detection”, Advances in
Computing, Communication, & Automation (ICACCA), 2016.
6. K. Goeschel. “Reducing false positives in intrusion detection systems
using data-mining techniques utilizing support vector machines, decision
trees, and naive Bayes for off-line analysis”, Southeast Con, 2016.
7. M. J. Kang and J. W. Kang. “A novel intrusion detection method using
deep neural network for in-vehicle network security”, Vehicular
Technology Conference, 2016.
8.2 WEBSITES REFFERED
1. https://www.w3schools.com/python/
2. https://www.tutorialspoint.com/python/
3. https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/Introduction
4. https://towardsdatascience.com/support-vector-machine-introduction-to-machine-
learning-algorithms-934a444fca47