A Scalable Cybersecurity Framework for Anomaly Detection in User Behaviour

Research Square (Research Square)(2022)

Abstract
Nowadays, user and application logs arrive so fast that it is almost impossible to analyse them in real time without scalable systems and platforms. In cybersecurity, human behaviour is directly or indirectly responsible for the most common attacks (i.e., ransomware and phishing). To monitor user behaviour, it is necessary to process fast user logs coming from different and heterogeneous sources, where part of the data, or even entire sources, may be missing. For this aim, a scalable framework based on the Elastic Stack (ELK) to process and store log data from different users and applications is proposed. This system generates an ensemble of models to classify user behaviour and detect anomalies in real time. The scalability of the system is guaranteed by the ELK-based software architecture, running on top of a Kubernetes platform. In addition, a distributed evolutionary algorithm is used to classify the users by exploiting their digital footprints derived from many data sources. Experiments conducted on two real-life datasets confirm the approach's effectiveness in detecting anomalies in user behaviour, coping with missing data and lowering the number of false alarms.
Keywords
scalable cybersecurity framework, anomaly detection, user behaviour