APPLICATION OF SELF-ORGANIZING FEATURE MAPS AND MARKOV CHAINS TO RECOGNITION OF DANGEROUS BEHAVIOR OF COMPUTER USERS

http://www.iaeme.com/IJCIET/index.asp 199 editor@iaeme.com
International Journal of Civil Engineering and Technology (IJCIET)
Volume 9, Issue 11, November 2018, pp. 199–207, Article ID: IJCIET_09_11_020
Available online at http://www.iaeme.com/ijciet/issues.asp?JType=IJCIET&VType=9&IType=11
ISSN Print: 0976-6308 and ISSN Online: 0976-6316
© IAEME Publication Scopus Indexed
APPLICATION OF SELF-ORGANIZING
FEATURE MAPS AND MARKOV CHAINS TO
RECOGNITION OF DANGEROUS BEHAVIOR
OF COMPUTER USERS
L. S. Kuravsky and G. A. Yuryev
Computer Science Faculty, Moscow State University of Psychology and Education, Moscow,
Russia
P. V. Scribtsov and M. A. Chervonenkis
"Pavlin Techno” company, Moscow Region, Dubna, Russia
A. A. Konstantinovsky, A. A. Shevchenko and S. S. Isakov
Computer Science Faculty, Moscow State University of Psychology and Education, Moscow,
Russia
ABSTRACT
The number of studies in the field of behavior analysis is currently experiencing a
significant upsurge. This study presents two cancarantly approaches to identifying
anomalous activity within users’ behavior in cloud infrastructures, each of which
allows researchers to learn from the empirical data collected. The main purpose of
these approaches is the ongoing scoring of users’ actions in cloud infrastructures to
reveal anomalies in their activity. The first approach is based on the technique of
statistical hypothesis testing and uses Kohonen self-organizing maps to generate the
target statistics. The second approach is based on revealing strange activity in the
dynamics of user’s behavior and uses Markov chains to describe their typical actions.
Keywords: Machine Learning, Information Security, User Behavior Analytics, Self-
Organizing Maps, Markov Chains.
Cite this Article: L. S. Kuravsky, G. A. Yuryev, P. V. Scribtsov, M. A.
Chervonenkis, A. A. Konstantinovsky, A. A. Shevchenko and S. S. Isakov,
Application of Self-Organizing Feature Maps and Markov Chains to Recognition of
Dangerous Behavior of Computer Users, International Journal of Civil Engineering
and Technology, 9(11), 2018, pp. 199–207.
http://www.iaeme.com/IJCIET/issues.asp?JType=IJCIET&VType=9&IType=11

Application of Self-Organizing Feature Maps and Markov Chains to Recognition of Dangerous
Behavior of Computer Users
1. INTRODUCTION
The need to study big data grows more significant every year. These days, systems based on
machine learning algorithms are almost everywhere, from simple systems that filter spam
emails all the way to robots that can surpass humans in complex games. Machine learning has
also had a profound influence within the field of information security. At present, the
standard tools to support machine learning in the cloud environment are inefficient. However,
the practical experience of computer network support has revealed the potential to identify
possible threats based on the real-time analysis of user behavior. The most popular solutions
in this class of problems are cloud access security brokers (CASBs); security information and
event management (SIEM); identity and access management (IAM); and user and entity
behavior analytics (UEBA).
Of these solutions, UEBA has emerged as the most progressive and modern method. User
behavior analysis is the process of detecting cyber threats of different kinds, based on the
assumption that the actions of users in information infrastructures have unique signatures that
can be identified and described through a set of parameters. This assumption may imply the
use of a wide range of features, starting with patterns associated with network activity and
ending with the analysis of keyboard handwriting, which has significant individual and group
variations. However, one of the most urgent scientific problems facing such systems is the
development of a modern mathematical apparatus for recognizing the incorrect behavior of
computer network users. Such an apparatus must be adapted to analyze data that characterize
network activity and are suitable for use within intelligent systems for forecasting and
detecting threats.
A certain amount of experience has been accumulated that can be used to solve this
problem. For example, experts have used many well-known methods of classification,
including the following:
 recognition using binary decision diagrams [1];
 dynamic and multi-entity Bayesian networks [2, 3];
 artificial neural networks [4];
 time series analysis [5, 6];
 use of the simplest statistical characteristics [7];
 graph analysis methods [8];
 support vector machines [9];
 hidden Markov models [10];
 genetic algorithms [11];
 restricted Boltzmann machines [12]; and
 methods of multidimensional statistical analysis, including cluster analysis [13].
All these solutions, with the exception of the classical methods of multidimensional
statistical analysis and various options for using the simplest statistical characteristics, have
demonstrated their effectiveness to a greater or lesser extent, but the absence of non-heuristic
quantitative criteria for the reasonable assignment of users to the problematic category
remains a general weakness. The above statistical methods, as a rule, give unacceptable
results in this subject area (see illustration of their application in section 2.1). To overcome
this problem, two approaches are suggested to recognize the incorrect behavior of computer
network users, which are based on the following:

L. S. Kuravsky, G. A. Yuryev, P. V. Scribtsov, M. A. Chervonenkis, A. A. Konstantinovsky, A.
A. Shevchenko and S. S. Isakov
 a criterion for catching deviations in the behavior of users by characteristics
averaged over time intervals, without taking into account the content-related
dynamics of behavior, and
 a criterion for determining the categories of users according to the executed
sequences of typical actions (that is, taking into account the content-related
dynamics of behavior).
2. QUANTITATIVE CRITERION FOR DETECTING DEVIATIONS IN
USER BEHAVIOR WITH KOHONEN SELF-ORGANIZING MAPS
2.1. Identifying Deviations in User Behavior
The criterion for detecting deviations in user behavior in network threats diagnostics is based
on the use of self-organizing functional maps, or Kohonen networks [14]. The network input
layer performs distribution functions, while the output layer (i.e., topological map) forms a
rectangular matrix consisting of elements of radial basis functions. When each training
example is processed sequentially, the nearest neuron (i.e., the “winning” neuron) is selected.
Then, taking the weighted sum of the former center of the corresponding radial element and
the training example, the parameters of the winning neuron and neurons from its
neighborhood are adjusted so that they become more similar to the input example. The
neighborhood in the learning process is then compressed to zero deviation from the
“winning” neuron.
For certain categories of users (primarily those whose activities do not pose a threat to the
system), sample distributions of distances to a winning neuron are calculated. It is assumed
that users with deviations in behavior are present in the training sample in a certain small
proportion, without having a significant impact on the learning outcome. Users with
relatively rare behavior are considered potentially dangerous, and this assumption allows us
not to perform a preliminary recognition of users with behavioral abnormal deviations in the
initial empirical data.
The resulting sample distributions are then used to test statistical hypotheses about user
membership in the specified classes. In this case, the distance to the winning neuron is used
as a statistic, according to which the probabilities are compared with the level of statistical
significance. The level of statistical significance is a problem-setting parameter. Its standard
value is 0.05, but depending on the content of the problem in use, this indicator can vary from
0.01 to 0.1.
The presented technology of recognition of user types is presented in Figure 1 where the
following notations are used in the p<p* condition: p* – significance level for the hypothesis
testing, p=1F(X), X= – Euclidean distance from the set of
characteristics of the activity of the evaluated user to the neuron Ni of Kohonen network,
– the neuron index, – the set of neuron indices, F(X) – the sample distribution function
of the random variable X.
If the hypotheses of belonging to the "safe" classes are rejected at the accepted level of
significance (p<p*), or, with the same level of significance, if there are relevant empirical
data that hypotheses about belonging to "dangerous" classes (pp*) are not rejected, the user
is identified as representing a hazard.

Figure 1 The technology of user type recognition
The novelty of this approach is that:
 to generate the statistics to test the hypotheses of belonging to the identified user’s
classes, the Kohonen self-learning neural networks are applied and
 sample distributions calculated with the aid of these networks are applied to
estimate probabilities, which are compared with the significance level.
2.2. Experimental Results
To construct a criterion a learning sample of 323 users, 318 of which belonged to 3 classes
with "safe" behavior ("programmer", "surfer" and "lazyman"), was formed by means of an

experiment and 5 belonged to a class of users with behavioral deviations – "violator"). The
indicators of user activity on which the estimates were based are presented in the report [15].
A topological map of the network labeled according to this sample is shown in Figure 2.
The sample probability density and the sample distribution function of the distances to the
winning neurons are presented, respectively, in Figures 3 and 4.
Figure 2 A topological map of the Kohonen network, marked by a learning sample
Figure 3 Sample probability density of distances to the winning neurons

Figure 4 Sample function of distribution of distances to the winning neurons
To assess the reliability of recognition a control sample consisting of 55 users with
behavioral deviations was used, the parameters of which were revealed during the
experiments. Estimating the distances to the winning neuron for the elements of this sample
made it possible to calculate the sample distribution density shown in Figure 5. In this case
the minimum distance to the winning neuron was 0.34, the maximum one being 1.88. The
sample distribution function for the learning sample shown in Figure 3 allows us to state that
the probability of distances to the winning neuron exceeding the minimum distance equal to
0.34, in the case of users without deviations in behavior, does not exceed 0.015.
Figure 5 Sample probability density of distances to the winning neurons for the elements of the
control sample, consisting of users with deviations in behavior
Therefore, testing the null hypotheses that users from the control sample (with behavioral
abnormalities) belong to the “safe” classes led to the fact that these null hypotheses were
rejected with a high level of significance (p <0.015), and all users with deviations were
correctly identified as not belonging to the "safe" classes.
The available experimental data indicate a high reliability of recognition due to the high
level of significance in the rejection of hypotheses and due to the complete absence of errors
in the recognition of users with deviations for the control sample. Thus, the proposed
criterion of recognition of users with deviations demonstrated high efficiency on the available
empirical data.

3. QUANTITATIVE CRITERIA FOR DETERMINING CATEGORIES
OF USERS TO PERFORM THE SEQUENCE MODEL OF ACTION,
GIVEN THE SUBSTANTIAL DYNAMICS OF BEHAVIOR
Markov discrete-time processes (Markov chains) are used to represent the dynamics of user
behavior. In these models, certain states correspond to typical user actions (such as opening,
copying, deleting, transferring files with specified formats and size ranges, launching certain
types of applications, and so on), and the probabilities of state transitions are model
parameters and the user type is defined. Each user category l ∈{0,..., z}, including users with
correct and incorrect behavior, has its own model with a unique set of transition probabilities
between the states.
User behavior is characterized by sequences of their typical actions, which are interpreted
as a sequence of states within the framework of this model.
The dynamics of the probabilities of being in the states of the model as a function of
discrete time is determined by the following matrix equation:
where is the discrete time; ; is the finite point of time; is the set
of natural numbers; represents the probability of being in the
states of model at the time t; n – the number of states; – a stochastic square
matrix of transition probabilities between the states of the Markov chain of order , where
is the probability of transition from state to state for a user of category l.
The identification of the considered Markov models is carried out using empirical data on
the frequencies of transition from one typical action to another for each category of users.
Each category of users has its own identified matrix .
Users are assigned one of the specified categories l ∈ {0, ..., z} based on the typical
actions performed by them, given by the sequence of transmitted states . A
corresponding Bayesian estimate is calculated for each of these categories:
where is the fact of the user's belonging to category l, – the event representing the
passing of the sequence of states , – the priori probability of a user belonging to
category l, – the probability of passing the sequence of states Sr under the condition
of belonging to category l, – the probability of belonging to category l, provided
that the user has passed the sequence of states .
To calculate the probabilities matrix elements are used:
The category of users for which the maximum conditional probability
is reached provides the required choice. Probability
distribution enables to evaluate its reliability.

Examples of practical application of criteria of this type are presented in [13, 16, 17, 18,
19, 20].
4. CONCLUSION
1. A criterion was developed to identify deviations in user behavior in the diagnosis of
network threats based on the methodology of testing statistical hypotheses and the use
of Kohonen networks as a tool for the formation of target statistics, which is one of
the types of self-learning neural networks.
2. A preliminary assessment using the available experimental data showed the high
efficiency of the proposed approach: for potentially dangerous users, the hypothesis of
their belonging to "safe" classes was rejected with a significance level of not more
than 0.015; all 100% of potentially dangerous users were recognized.
3. A method was developed to determine the categories of users, including users with
behavioral deviations from the performed sequences of typical actions, using discrete
quantum discrete time processes (Markov chain) to represent the dynamics of user
behavior.
ACKNOWLEDGEMENT
The work was financially supported by the Ministry of Education and Science of the Russian
Federation within the framework of the grant agreement dated September 26, 2017 No.
14.579.21.0155 (Unique identifier of the agreement RFMEFI57917X0155) for the
implementation of applied research and experimental development on the topic:
"Development of intelligent algorithms detection of network threats in the cloud computing
environment and methods of protection against them, based on the analysis of traffic
dynamics and determination of deviations in user behavior”.
REFERENCES
[1] Fatkieva, R. R. and Levonevskiy, D. K. Application of binary trees for the IDS events
aggregation task. SPIIRAS Proceedings, 40, 2015, pp. 110-121.
http://proceedings.spiiras.nw.ru/ojs/index.php/sp/article/view/3127
[2] Daineko, V. Yu. Development of a Model and Algorithms for Intrusion Detection Based
on Dynamic Bayesian Networks. Ph.D. Dissertation, Saint-Petersburg: Saint Petersburg
National Research University of Information Technologies, Mechanics and Optics, 2013.
[3] Al Ghamdi, G. A., Laskey, K. B., Wright, E. J., Barbara, D. and Chang, K. Modeling
insider user behavior using multi-entity Bayesian network. 10th International Command
and Control Research and Technology Symposium, McLean, 4444(703), 2008.
[4] Bolshev, A. K. Algorithms for Converting and Classifying Traffic for Intrusion Detection
into Computer Networks. Ph.D. Dissertation, Saint-Petersburg: Saint-Petersburg
Electrotechnical University (LETI), 2011.
[5] Fatkieva, R. R. Model of attack detection on the basis of time series analysis. SPIIRAS
Proceedings, 21(2), 2012, pp. 71-80.
[6] Fatkieva, R. R. and Levonevskiy, D. K. Attack detection by means of singular spectrum
analysis. SPIIRAS Proceedings, 25(2), 2013, pp. 135-147.
[7] Fatkieva, R. R. Correlation analysis of abnormal network traffic. SPIIRAS Proceedings,
23(4), 2012, pp. 93-99.

[8] Jiang, M., Cui, P., Beutel, A., Faloutsos, C. and Yang, S. CatchSync: Catching
Synchronized Behavior in Large Directed Graphs. http://www.meng-
jiang.com/pubs/catchsync-kdd14/catchsync-kdd14-paper.pdf
[9] Yu, M., Huang, S., Yu, Q., Wang, Y. and Gao, J. A Density-based binary SVM algorithm
in the cloud security. International Journal of Security and Its Applications, 9(7), 2015,
pp. 153-162. http://www.sersc.org/journals/IJSIA/vol9_no7_2015/14.pdf
[10] Banafar, H. and Sharma, S. Intrusion Detection and Prevention System for Cloud
Simulation Environment using Hidden Markov Model and MD5. International Journal of
Computer Applications, 90(19), 2014, pp. 6-11.
https://www.ijcaonline.org/archives/volume90/number19/15826-4490
[11] Hameed, U., Naseem, S., Ahamd, F., Alyas, T. and Khan, W.-A. Intrusion Detection and
Prevention in Cloud Computing using Genetic Algorithm. International Journal of
Scientific and Engineering Research, 5(12), 2014, pp. 1271-1275.
https://www.ijser.org/onlineResearchPaperViewer.aspx?Intrusion-Detection-and-
Prevention-in-Cloud-Computing-using-Genetic-Algorithm.pdf
[12] Zhang, H., Zhu, S., Ma, X., Zhao, J. and Shou, Z. A Novel RNN-GBRBM Based Feature
Decoder for Anomaly Detection Technology in Industrial Control Network. IEICE
Transactions on Information and Systems, E100.D(8), 2017, pp. 1780-1789.
https://www.jstage.jst.go.jp/article/transinf/E100.D/8/E100.D_2016ICP0005/_article
[13] Kuravsky, L. S. Markov Models in the Diagnostics and Prediction Problems, 2nd Edition.
Moscow: MSUPE Edition, 2017, pp. 203.
[14] Kuravsky, L. S., Yuryev, G. A., Ushakov, D. V., Yuryeva, N. E., Valueva, E. A. and
Lapteva, E. M. Diagnostics basing on testing paths: the method of patterns. Experimental
Psychology, 11(2), 2018, pp. 77–94.
http://psyjournals.ru/en/exp/2018/n2/Kuravsky_Yuryev_et_al.shtml
[15] Kohonen, T. Self-Organizing Maps, 3th Edition. Berlin, Heidelberg: Springer, 2001, pp.
501.
[16] Report on applied research and experimental development on the topic "Development of
intelligent algorithms for detecting network threats in the cloud computing environment
and methods of protection against them, based on the analysis of traffic dynamics and
determining deviations in user behavior". State registration no. AAAA-A17-
117122890077-5. Stage 1. FTP "Research and development in priority areas of
development of the scientific and technical complex of Russia for 2014-2020 years.”
[17] Kuravsky, L. S. and Yuriev, G. A. Probabilistic method of filtering artifacts in adaptive
testing. Experimental Psychology, 5(1), 2012, pp. 119-131.
http://psyjournals.ru/en/exp/2012/n1/52346.shtml
[18] Kuravsky, L. S. and Yuriev, G. A. Use of Markov models when processing test results.
Voprosy Psychologii, 2, 2011, pp. 98-107.
[19] Kuravsky, L. S., Margolis, A. A., Marmalyuk, P. A., Panfilova, A. S. and Yuriev, G. A.
Mathematical Aspects of the Concept of Adaptive Training Device. Psychological
Science and Education, 21(2), 2016, pp. 84-95.
http://psyjournals.ru/en/psyedu/2016/n2/kuravsky_margolis_et_al.shtml
[20] Kuravsky, L. S., Marmalyuk, P. A., Yuryev, G. A., Belyaeva, O. B. and Prokopieva, O.
Yu. Mathematical Foundations of Flight Crew Diagnostics Based on Videooculography
Data. Applied Mathematical Sciences, 10(30), 2016, pp. 1449–1466.
http://dx.doi.org/10.12988/ams.2016.6122

APPLICATION OF SELF-ORGANIZING FEATURE MAPS AND MARKOV CHAINS TO RECOGNITION OF DANGEROUS BEHAVIOR OF COMPUTER USERS

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to APPLICATION OF SELF-ORGANIZING FEATURE MAPS AND MARKOV CHAINS TO RECOGNITION OF DANGEROUS BEHAVIOR OF COMPUTER USERS

Similar to APPLICATION OF SELF-ORGANIZING FEATURE MAPS AND MARKOV CHAINS TO RECOGNITION OF DANGEROUS BEHAVIOR OF COMPUTER USERS (20)

More from IAEME Publication

More from IAEME Publication (20)

Recently uploaded

Recently uploaded (20)

APPLICATION OF SELF-ORGANIZING FEATURE MAPS AND MARKOV CHAINS TO RECOGNITION OF DANGEROUS BEHAVIOR OF COMPUTER USERS