University of Twente Student Theses


Detecting deviant behaviour in information systems by using outlier detection on logs

Groot, R.J.M. de (2018) Detecting deviant behaviour in information systems by using outlier detection on logs.

This is the latest version of this item.

Abstract: Issues of IT-security remain prevalent in the world. While companies are starting to take information security more seriously, there is still a lot of potential left untapped that could support improvement of information security. This master thesis proposes a methodology that taps into a readily available source of data, namely system logs. Logs can be generated by a system whenever a user performs an action. These logs might yield interesting discoveries when analysed with techniques from certain fields such as data mining and machine learning. This thesis proposes a methodology that guides the creation of a system that analyses logs to discover deviant behaviour of users. This system will analyse the logs in two steps. First, clustering algorithms will be used to group users with similar behaviour together. The second step consists of using these groups of similar users as input for outlier-detection algorithms. The outliers that are discovered can then be evaluated and used to improve information security. The methodology has been evaluated by using a prototype. This prototype has been used to analyse data supplied by Nedap Healthcare. This data was generated by caretakers while performing their jobs during the months August, September and October of 2017. As such, this data is representative of actual and relevant real-world circumstances. This means that problems that arise from using real-world data have been encountered during the creation of this methodology. The organizational relevance of the methodology should have been improved by using this data. The results of the prototype show that grouping users based on logs is feasible. However, the outliers detected by the outlier-detection algorithms were found to be of limited use to improve information security.
It has been concluded that while the proposed methodology could be a step in the right direction, more research is needed in finding and enhancing the process to be truly useful in an organizational context. Presently the methodology shows a practical approach to analysing logs which can be enhanced easily.
Item Type: Essay (Master)
Nedap Healthcare, Groenlo, Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Business Information Technology MSc (60025)