Безопасность информационных технологий (Mar 2024)
Exploring feature set for building a digital user profile of remote connections (based on firewall data)
Abstract
At the current stage of information technology development, a key trend is the use of machine learning algorithms in information security. The relevance of our research is determined by the importance of identifying vulnerabilities and by the potential of machine learning to enhance modern cybersecurity management software. There is also an evident demand for security mechanisms for critical infrastructure organizations, including in the context of import substitution needs. Our study examines a dataset formed from firewall data about remote connections between a remote user and an organization's VPN server. It therefore seems reasonable to explore extending firewall functionality with a User and Entity Behavior Analytics (UEBA) module. The research goal is to analyze methods of detecting atypical user behavior, with the prospect of using the developed model in a behavioral analysis module integrated into the firewall. The primary material for the study is information collected from the firewall about the start and end events of users' remote sessions to the organization's VPN server. The main research methods include analysis of existing theoretical sources and practical recommendations, data preprocessing, exploration of dimensionality reduction, use of the Isolation Forest model as an anomaly detection method, and hyperparameter tuning for this model. Particular attention is given to features that are promising for use in the proposed model. The theoretical significance of the research lies in the potential development of the employee profiling idea for building an organizational information security management system. From a practical standpoint, the article is relevant for professionals in the information security and machine learning fields.
Keywords