SAD: State machine-based Anomaly Detection in User Behavior

Title: SAD: State machine-based Anomaly Detection in User Behavior
Author: Nguyen, Charlie (TU Delft Electrical Engineering, Mathematics and Computer Science)
Contributors: Verwer, S.E. (mentor); de Weerdt, M.M. (mentor)
Degree granting institution: Delft University of Technology
Programme: Computer Science | Cyber Security
Date: 2022-10-13

Abstract

Over the past decades, cybercrime has grown constantly. Among the most popular attacks against companies are phishing emails, which threat actors used especially heavily during the COVID-19 pandemic. As working environments changed, most communication between employees shifted from in-person conversations and meetings to email, giving attackers more opportunities to strengthen their attack vectors and to target victims through email in order to obtain user credentials. When threat actors succeed, they can log in to legitimate user accounts and cause further damage, for example by stealing private information or committing fraud under the compromised account. Most anomaly detection systems use artificial intelligence and metadata about user activity to detect attacks. However, current solutions do not give enough insight into why an activity is classified as malicious, so Security Operations Center (SOC) analysts spend much time understanding alerts. In addition, metadata such as time and location is easy for a threat actor to manipulate or adapt to.

This thesis presents a state machine-based anomaly detection approach for detecting anomalies in user behavior datasets. By processing user actions, we create state machine-based user behavior profiles with FlexFringe. State machine models make it easier to visualize user behavior and provide more context to SOC analysts. Moreover, incorporating actual user actions makes it harder for attackers to manipulate or imitate the exact user behavior. We introduce three different methods that test sequences of actions against the state machine to classify them as benign or malicious. This thesis was done in collaboration with Eye Security, a Dutch cybersecurity company that provided a real user behavior dataset containing several attacks. We conduct an empirical study by applying our methods to this dataset. We are able to detect four out of five attacks, but also raise 154 false-positive alerts. To our knowledge, no study has yet applied state machine-based anomaly detection techniques to user behavior datasets. With this thesis, we show the potential of using state machine methods for anomaly detection in user behavior datasets.

Subject: Anomaly Detection; State Machine; User Behavior; Empirical Research; FlexFringe
To reference this document use: http://resolver.tudelft.nl/uuid:b66ecd0e-ab93-47f6-8e6e-b4a4311dffcc
Part of collection: Student theses
Document type: master thesis
Rights: © 2022 Charlie Nguyen
Files: Charlie_Nguyen_Thesis.pdf (PDF, 5.4 MB)
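The idea the abstract describes, a per-user state machine learned from action sequences and then used to test new sequences, can be illustrated with a small runnable model. The following is an added example and not the thesis's code: the thesis learns its profiles with FlexFringe and evaluates three methods of its own, whereas this block uses a frequency-annotated prefix automaton of bounded order as a stand-in and a single scoring rule (unseen transition, or average per-step surprise above a threshold). The action names, sessions, `order` and `threshold` values are all constructed here for illustration and are not from the Eye Security dataset.

```python
"""Illustrative state-machine profile for user-behaviour anomaly detection.

Added example, not the thesis's code: the thesis learns its models with
FlexFringe; here a frequency-annotated prefix automaton of bounded order
stands in for that learned model so the scoring idea can be run offline.
"""
from collections import defaultdict
import math

END = "<end>"  # synthetic terminal action so a session that stops early is still scored


class BehaviorStateMachine:
    """States are the last `order` actions of a session; edges carry observed counts."""

    def __init__(self, order: int = 2, threshold: float = 1.5):
        self.order = order            # how much history identifies a state (assumed value)
        self.threshold = threshold    # max average per-step surprise tolerated (assumed value)
        self.counts = defaultdict(lambda: defaultdict(int))
        self.floor = 1.0              # probability assigned to an edge never seen in training

    def _state(self, history):
        return tuple(history[-self.order:])

    def train(self, sessions):
        """Build the automaton from benign sessions (lists of action names)."""
        for session in sessions:
            history = []
            for action in list(session) + [END]:
                self.counts[self._state(history)][action] += 1
                history.append(action)
        total = sum(sum(edges.values()) for edges in self.counts.values())
        self.floor = 1.0 / (total + 1)

    def classify(self, session):
        """Replay a session through the automaton and report unseen edges and surprise."""
        history, unseen, nll, steps = [], [], 0.0, 0
        for action in list(session) + [END]:
            state = self._state(history)
            edges = self.counts.get(state, {})   # .get() avoids creating states while scoring
            count = edges.get(action, 0)
            if count == 0:
                unseen.append((state, action))   # this (state, action) never occurred in training
                p = self.floor
            else:
                p = count / sum(edges.values())  # empirical transition probability
            nll -= math.log(p)
            steps += 1
            history.append(action)
        avg = nll / steps
        verdict = "malicious" if unseen or avg > self.threshold else "benign"
        return {"unseen": unseen, "avg_nll": avg, "verdict": verdict}


# Constructed sample sessions, not data from the thesis or from Eye Security.
BENIGN_SESSIONS = [
    ["login", "read_mail", "read_mail", "reply_mail", "logout"],
    ["login", "read_mail", "open_attachment", "read_mail", "logout"],
    ["login", "read_mail", "reply_mail", "read_mail", "logout"],
    ["login", "read_mail", "read_mail", "logout"],
]
# Constructed post-compromise session: an action the user has never performed.
ATTACK_SESSION = ["login", "set_forwarding_rule", "logout"]
# Constructed benign-looking session whose ordering was never seen: a likely false positive.
NOVEL_BENIGN_SESSION = ["login", "read_mail", "open_attachment", "reply_mail", "logout"]


def build_demo_model():
    model = BehaviorStateMachine(order=2)
    model.train(BENIGN_SESSIONS)
    return model


if __name__ == "__main__":
    model = build_demo_model()
    for session in (BENIGN_SESSIONS[0], ATTACK_SESSION, NOVEL_BENIGN_SESSION):
        result = model.classify(session)
        print(session, "->", result["verdict"],
              f"avg_nll={result['avg_nll']:.2f}", "unseen:", result["unseen"])
```

Because every alert carries the exact (state, action) pair that was never observed, an analyst can see which step of the session triggered it, which is the explainability argument the abstract makes for state machines over metadata-based scoring. The third session shows the cost side of the same design: actions the user does perform, in an order never seen in training, are flagged just as loudly as the forwarding-rule session, which is the kind of false positive the abstract reports in number.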