DOI: 10.1145/3414274.3414285
Research article, DSIT conference proceedings

Physical Access Log Analysis: An Unsupervised Clustering Approach for Anomaly Detection

Published: 26 August 2020

Abstract

There is ample research work on the detection of anomalies in the area of cyber security, but only a few studies focus on physical access security. Physical access controls, including employee and guest access management systems, supervised doors and locations, and surveillance cameras, are critical checkpoints of a premise in terms of security monitoring. Breaches of these checkpoints can cause serious damage: an insider or an outsider (e.g. through social engineering) may gain access to sensitive areas of the premise, which may further result in data leakage or disruption of services. In this paper, we characterise users based on their physical movement behaviour and job profile in order to identify users with anomalous physical access behaviour, using an unsupervised machine learning algorithm known as the Two Step clustering method. We further evaluate the type of risk posed by these users by comparing each user's behaviour with that of its peer group and observing a set of rule-based metrics. The framework is then compared with other recent approaches to anomaly detection on physical access logs. Lastly, the framework is deployed in a real-world environment, where it successfully assisted in the detection of anomalous physical access behaviour.
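As an added illustration (not code from the paper), the following Python sketch shows the risk-evaluation stage described above on a constructed badge log: per-user movement features are aggregated, each user is compared with peers sharing the same job profile, and a rule-based metric is checked alongside the peer deviation. It assumes the job profile stands in for the cluster assignment the paper obtains with Two Step clustering; the zone and office-hour definitions, feature names and threshold are all assumptions.

```python
from statistics import mean, pstdev

# Constructed sample badge log, one swipe per line: user,job_profile,door,zone,hour
SAMPLE_LOG = """\
u1,engineer,D1,lab,09
u1,engineer,D3,office,14
u2,engineer,D1,lab,10
u2,engineer,D3,office,11
u3,engineer,D1,lab,09
u3,engineer,D2,server_room,22
u3,engineer,D2,server_room,23
u3,engineer,D2,server_room,02
u4,cleaner,D3,office,21
u4,cleaner,D1,lab,21
u5,cleaner,D3,office,21""".splitlines()

SENSITIVE_ZONES = {"lab", "server_room"}  # assumption: zones the site treats as restricted
OFFICE_HOURS = range(8, 19)               # assumption: 08:00-18:59 counts as in-hours

def user_features(lines):
    """Aggregate per-user movement features (the 'physical movement behaviour')."""
    feats = {}
    for line in lines:
        user, job, _door, zone, hour = line.split(",")
        f = feats.setdefault(user, {"job": job, "after_hours": 0, "sensitive": 0,
                                    "after_hours_sensitive": 0})
        after = int(hour) not in OFFICE_HOURS
        f["after_hours"] += after
        f["sensitive"] += zone in SENSITIVE_ZONES
        f["after_hours_sensitive"] += after and zone in SENSITIVE_ZONES
    return feats

def peer_z(feats, user, metric):
    """Leave-one-out z-score against users with the same job profile (std floored at 1)."""
    others = [v[metric] for u, v in feats.items()
              if u != user and v["job"] == feats[user]["job"]]
    if not others:
        return 0.0
    return (feats[user][metric] - mean(others)) / max(pstdev(others), 1.0)

def assess(lines, z_threshold=2.0):
    """Map each user to findings from peer-group deviation plus one hard rule."""
    feats = user_features(lines)
    findings = {}
    for user in feats:
        for metric in ("after_hours", "sensitive"):
            z = peer_z(feats, user, metric)
            if z >= z_threshold:
                findings.setdefault(user, []).append(f"{metric} z={z:.1f} vs peers")
        if feats[user]["after_hours_sensitive"]:  # rule-based metric, independent of peers
            findings.setdefault(user, []).append("after-hours entry to sensitive zone")
    return findings
```

Running `assess(SAMPLE_LOG)` flags u3 on both peer metrics and the rule, while u4 is flagged by the rule alone because after-hours work is normal for its peer group.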




Published In

DSIT 2020: Proceedings of the 3rd International Conference on Data Science and Information Technology
July 2020
261 pages
ISBN:9781450376044
DOI:10.1145/3414274
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • National University of Singapore
  • Sungkyunkwan University (SKKU)

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Anomaly Detection
  2. Clustering
  3. Data Mining
  4. Data Modeling
  5. Machine Learning
  6. Physical Access

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

DSIT 2020

Acceptance Rates

DSIT 2020 paper acceptance rate: 40 of 97 submissions (41%)
Overall acceptance rate: 114 of 277 submissions (41%)


Cited By

  • (2024) Mathematical Methods in Cyber Security: Cluster Analysis and Its Application in Information and Cybernetic Security. Cybersecurity: Education, Science, Technique, 3(23), 258-273. DOI: 10.28925/2663-4023.2024.23.258273. Online publication date: 2024.
  • (2022) Approach to Physical Access Management, Control and Analytics Using Multimodal and Heterogeneous Data. 2022 15th International Conference on Security of Information and Networks (SIN), pp. 01-04. DOI: 10.1109/SIN56466.2022.9970498. Online publication date: 11 Nov 2022.
  • (2022) Semi-supervised Labeling Model Based on Gaussian Mixture in the Context of E-commerce Price Fraud. 2022 4th International Conference on Robotics and Computer Vision (ICRCV), pp. 300-304. DOI: 10.1109/ICRCV55858.2022.9953227. Online publication date: 25 Sep 2022.
  • (2022) Unsupervised Optimal Anomaly Detection Model Selection in Power Data. 2022 China Automation Congress (CAC), pp. 5661-5666. DOI: 10.1109/CAC57257.2022.10054730. Online publication date: 25 Nov 2022.
  • (2022) Landscape of Automated Log Analysis: A Systematic Literature Review and Mapping Study. IEEE Access, 10, 21892-21913. DOI: 10.1109/ACCESS.2022.3152549. Online publication date: 2022.
  • (2022) Detecting anomalies within smart buildings using do-it-yourself internet of things. Journal of Ambient Intelligence and Humanized Computing, 14(5), 4727-4743. DOI: 10.1007/s12652-022-04376-w. Online publication date: 24 Sep 2022.
  • (2022) Complex User Identification and Behavior Anomaly Detection in Corporate Smart Spaces. Interactive Collaborative Robotics, pp. 199-209. DOI: 10.1007/978-3-031-23609-9_18. Online publication date: 18 Dec 2022.
  • (2021) Research on the Detection and Analysis Technology in Web Application Attacks Logs. 2021 2nd International Symposium on Computer Engineering and Intelligent Communications (ISCEIC), pp. 132-135. DOI: 10.1109/ISCEIC53685.2021.00034. Online publication date: Aug 2021.
