Peer-group Behaviour Analytics of Windows Authentications Events Using Hierarchical Bayesian Modelling

by Iwona Hawryluk, et al.

Cyber-security analysts face an increasingly large number of alerts on any given day. This is mainly due to the low precision of many existing threat-detection methods, which produce a substantial number of false positives. Usually, several signature-based and statistical anomaly detectors are deployed within a computer network to detect threats. Recent efforts in User and Entity Behaviour Analytics modelling shed light on how to reduce the burden on Security Operations Centre analysts through a better understanding of peer-group behaviour. Statistically, the challenge consists of accurately grouping users with similar behaviour, and then identifying those who deviate from their peers. This work proposes a new approach for peer-group behaviour modelling of Windows authentication events, using principles from hierarchical Bayesian models. This is a two-stage approach: in the first stage, peer-groups are formed by a data-driven method, given each user's individual authentication pattern. In the second stage, the counts of users authenticating to different entities are aggregated by hour and modelled by a Poisson distribution, taking into account seasonality components and hierarchical principles. Finally, we compare grouping users based on their human resources records against the data-driven methods and provide empirical evidence about alert reduction on a real-world authentication data set from a large enterprise network.
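To make the second stage concrete, the following is an added illustration (not code from the paper) of hierarchical Poisson scoring of hourly authentication counts: a shared hour-of-day (seasonal) rate is estimated for the peer group, each user's rate is shrunk towards it with Gamma-Poisson partial pooling, and an observed count is scored by its upper Poisson tail probability. The data, the prior weight `kappa`, the alert threshold `alpha` and the posterior-mean simplification are all assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample: per (user, hour_of_day), the hourly counts of entities the
# user authenticated to on five consecutive days. Not real data.
PEER_GROUP = {
    ("alice", 9): [4, 5, 3, 6, 4],
    ("alice", 2): [0, 0, 0, 1, 0],
    ("bob", 9): [6, 5, 7, 5, 6],
    ("bob", 2): [0, 0, 0, 0, 0],
    ("carol", 9): [3, 4, 4, 2, 3],
    ("carol", 2): [0, 1, 0, 0, 0],
}

def group_rates(obs):
    """Seasonal rate shared by the peer group: pooled mean count per hour-of-day."""
    totals, n = defaultdict(float), defaultdict(int)
    for (_, hour), counts in obs.items():
        totals[hour] += sum(counts)
        n[hour] += len(counts)
    return {h: totals[h] / n[h] for h in totals}

def user_rate(obs, user, hour, kappa=5.0):
    """Posterior-mean Poisson rate for one user at one hour under a Gamma prior
    centred on the group's seasonal rate (Gamma-Poisson partial pooling).
    kappa is an assumed prior weight: it behaves like kappa pseudo-observations
    of the group rate, so sparse users are pulled towards their peers."""
    mu = group_rates(obs)[hour]
    counts = obs.get((user, hour), [])
    return (kappa * mu + sum(counts)) / (kappa + len(counts))

def tail_prob(lam, x):
    """P(X >= x) for X ~ Poisson(lam); pmf terms computed in log space."""
    if x == 0:
        return 1.0
    if lam <= 0:
        return 0.0
    cdf = sum(math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
              for k in range(x))
    return max(0.0, 1.0 - cdf)

def score_event(obs, user, hour, count, alpha=0.001):
    """Score an observed hourly count; alert when it is implausibly high
    relative to the user's shrunken rate at that hour (alpha is assumed)."""
    lam = user_rate(obs, user, hour)
    p = tail_prob(lam, count)
    return {"rate": lam, "p_value": p, "alert": p < alpha}
```

An unseen member of the group falls back entirely to the peer rate, and a user with many observations is barely shrunk, which is the hierarchical behaviour the abstract refers to.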



