Detecting malicious activity inside of the network

Abstract

In today's world with the global development and digitalization, applications and services used in banking and finance sectors, as in all sectors, have started to adapt to the online world quickly. The increase in the rate of transition to the Internet environment shows that the issue of security is becoming more and more important and serious for banks and customers. Companies serving in the financial and banking sectors are an attractive target for cyber attackers in terms of damage to the target system and data obtained by attackers. The protection of information systems containing important and sensitive business and customer information, such as databases, servers, computers, networks used, is of high importance. In the same way, providing a secure and robust online communication environment in the services provided to customers and ensuring that data is transmitted in reliable environments is one of the most important elements in the banking sector Banks are also making major investments in security systems to ensure secure communication and the protection of personal and business information and documents as a precaution against this increasing number of cyber attacks. With these systems, they have the potential to prevent such attacks by detecting and responding to abnormal and unauthorized activities. However, research shows that the majority of cyber attacks are carried out by insiders. Most security products in use focus on external threats. However, if the attacker is a person working within the organization, these systems may be insufficient to detect such activities. The inside attacker has legitimate access privileges to sensitive data, systems, networks that outsiders do not have. It is difficult to predict and prevent as the malicious user inside follows legitimate paths and methods. Since the systems have detailed information about the internal organization such as the corporate network, they can misuse sensitive and confidential data and cause irreversible damage to the organizations by creating great losses. Therefore, it can be said that the cost of damage caused by internal threat is much higher than external threat. This study focuses on detecting insider threats by monitoring users with a behavioural focus. By examining normal user behaviour and malicious user behaviour with SVM, KNN and Random Forest algorithms, it is aimed to detect internal threats and help minimize the damage that can be done to the institution with preventive controls that will come with it.