Abstract—Insider threat is a serious and increasing concern for many organizations. The group of individuals who operate within the organization have access to highly confidential and sensitive information, however, if they choose to act against the organization, with their privileged access authority and their extensive knowledge, they are well positioned to cause serious damage. Compared with vast amounts of normal daily operations, malicious behaviors are indeed small probability events, and are easily ignored. Thus, there is a desperate need to explore an effective approach to detect such suspicious behaviors. In order to solve this problem, we propose a two-stage algorithm to detect anomaly through analyzing user behavior based on activity log data collected in a real office automation system. In the first stage, we compare users’ behavioral activities with activities of his/her belonging role, and in the second stage, we compare individual behavioral activities with his/her activities in a window period. By adopting several effective features to describe users’ regular behavioral patterns, the analyst is capable of refining underlying abnormal users and abnormal periods to better support the network security administration.

Index Terms—Cyber security, behavior analysis, anomaly detection.

The authors are with Science and Technology on Information Systems Engineering Laboratory, National University of Defense Technology, Changsha, China.

Cite:Yilin Wang, Yun Zhou, Cheng Zhu, Xianqiang Zhu, Weiming Zhang, "Abnormal Behavior Analysis in Office Automation System within Organizations," International Journal of Computer and Communication Engineering vol. 6, no. 3, pp. 212-220, 2017.