Auditing of User Behavior: Identification, Analysis and Understanding of Deviations

Mahdi Alizadeh

first promotor: prof.dr. Milan Petkovic (TU/e)
second promotor: Wil van der Aalst (TU/e and RWTH)
co-promotor: dr. Nicola Zannone (TU/e)
Eindhoven University of Technology
Date: 19 November 2018
Thesis: PDF


Organizations may collect a large amount of data and use them for various purposes such as improving the quality of their services. The collected data must be processed only for purposes for which it was initially collected and should be protected against possible misuses. The misuse of data can cause serious financial and legal implications such as fines, lawsuits and reputation loss for organizations. Thus, organizations should put security mechanisms in place to contain the risks of these incidents.

The underlying problem of traditional security mechanisms is that they are rigid and preventive. The basic notion of enforcement relies on the idea that deviations from specifications are violations and as such should not be permitted. Since preventive access control is too inflexible to be used in dynamic environments like healthcare, in practice, most healthcare systems include “break-the-glass” mechanisms which allow users to bypass access control rules in unprecedented circumstances such as emergency situations. However, this flexibility in the system might be misused by users. In this situation, organizations should record user behavior and employ auditing mechanisms to identify and investigate possible deviations from specifications.

A drawback of existing auditing mechanisms is that they typically do not account for the process perspective in the analysis, resulting into limited detection and diagnosis capabilities. This problem could be addressed by using process mining techniques for auditing since these techniques analyze the observed behavior by linking it to process models. However, existing process mining techniques are not tailored to the security analysis of user behavior. Therefore, to support analysts in the process-aware analysis and understanding of user behavior, in this thesis, we propose four approaches:

• A history-based approach for relating recorded behavior to process models. This approach analyzes the historical logging data of each process and learns from it how process executions behave when reach a certain process state. Based on the insights obtained from this analysis, it provides deviation diagnostics (Chapter 3).
• An approach that links the data and process perspectives together and analyzes observed behavior with respect to both perspectives, thus enabling the identification of deviations that otherwise would remain undetected. In addition, the approach is able to provide accurate diagnostics of those deviations, which can assist analysts in under-standing them (Chapter 4).
• An approach to extract frequent anomalous patterns from the logs that may exhibit parallel behaviors and correlate recurrent deviations that have occurred in different portions of the process (Chapter 5).
• An histogram-based approach for analyzing user behavior, which is able to measure to what extent users behave differently from their peers (Chapter 6). The techniques presented in this thesis have been evaluated using both synthetic and real-life datasets. The results of experiments show that our techniques are able to identify various types of deviations, provide deviation diagnostics and support analysts in understanding them.