06181ntm a22005537i 4500 000699097 CZ-PrVSE 20230625093744.0 m d cr n|||||||||| 230625s2023 xr fsbm 000 0 eng d NEZPRACOVANÝ IMPORT ABA006 cze ABA006 ABA006 rda Strnad, Pavel ISIS:85982 dis Unsupervised Machine Learning Methods for Behaviour Analysis and Anomaly Detection in University Environment eng Unsupervised Machine Learning Methods for Behaviour Analysis and Anomaly Detection in University Environment / Pavel Strnad 2023 ?? stran : digital, PDF soubor Vedoucí práce: Petr Berka Disertační práce (Ph.D.)—Vysoká škola ekonomická v Praze. Fakulta informatiky a statistiky, 2023 Obsahuje bibliografii Textový (vysokoškolská kvalifikační práce) Rok obhajoby 2023 The security of university information systems is currently mostly handled at the perimeter of the data network. It is not assumed that an attacker is able to penetrate the perimeter and cause damage inside the infrastructure. However, the continuous development in the cyber-attack field proves that it is necessary to prepare for situations when an attacker misuses the login credentials of one of the users and starts to cause damage to the information system undetected. Such incidents have also been observed in the past in the environment of the integrated information study system InSIS of the Prague University of Economics and Business. The detection of these incidents was mostly completely random or dependent on feedback from users who found something wrong with the system. In all the identified cases, the changes in the system were so significant that the attacker himself alerted to the ongoing cyber-attack by his actions. This demonstrates that information system administrators rely solely on the vigilance of their users to defend against these types of system intrusions. Therefor there is currently no automated form of defence against these attacks and no way of detecting these intrusions. It is only a question of how many user accounts can be abused without their owners’ knowledge even now. To address this problem, I founded the Hellhound AI project, where my colleagues and I are dedicated to detecting anomalous user behaviour in university information systems environments. This dissertation describes the part of the problem at hand that deals with cyber-attack detection using unsupervised machine learning algorithms, which is the primary focus of my work. This thesis was written in parallel with the dissertation being prepared by my colleague Ing. Lukáš Švarc, which focuses on solving the same problems using supervised machine learning algorithms for comparison. Due to this project’s scope, close collaboration with my colleague was required, which was reflected in our dissertations. Partial experiments reported in this thesis have already been successfully published in internationally recognised conferences and scientific journals. The whole dissertation can be divided into four related parts. The first part is devoted to analysing the current knowledge in this field, where the primary output is a survey of the currently most used unsupervised machine learning algorithms for anomaly detection. This overview serves as the theoretical basis from which the stress tests of the selected algorithms are subsequently based. The second section is devoted to generalising the problem of detecting an ongoing cyber-attack in a university environment. Based on the result from the structured interview and questionnaire survey, the hypothesis that distinguishes the university information systems environment from information systems used in the private sector or the military is confirmed, which means that it is not possible to apply the same procedures for anomaly detection in the university environment as in the private sector or in military. At the same time, the possibility of global an application of the outputs of this dissertation is confirmed here with respect to the similarities exhibited by university information systems both in the Czech Republic and abroad. An important outcome of the questionnaire survey is the definition of the habits of different groups of users who work with the InSIS system. These results are reflected in the experiments described in the third part of this dissertation. The experiments discussed to describe the progress of deploying algorithms K-means and Isolation Forest to detect anomalous user behaviour in specified scenarios. The first experiment is devoted to a stress test of the selected algorithms on known data from the KDDCUP'99 dataset. The following experiment involves using a method in which Způsob přístupu: Internet aplikovaná informatika [obor disert. práce] disertace fd132024 czenas dissertations eczenas User behavioural analysis Anomaly detection Unsupervised machine learning University information learning systems Cyber security Berka, Petr, 1959- jn20001103427 ths Kléma, Jiří opn Vysoká škola ekonomická v Praze. Fakulta informatiky a statistiky kn20010709399 dgg https://insis.vse.cz/zp/70436/podrobnosti VŠKP v InSIS https://insis.vse.cz/zp/70436 Hlavní práce https://insis.vse.cz/zp/70436/posudek/vedouci Hodnocení vedoucího https://insis.vse.cz/zp/70436/posudek/oponent/79414 Oponentura https://insis.vse.cz/zp/70436/posudek/oponent/79415 Oponentura https://insis.vse.cz/zp/70436/posudek/oponent/79416 Oponentura https://insis.vse.cz/zp/70436/podrobnosti dc:identifier NEPOSILAT VSKP vse70436 230617 70436