ANOMALERT: INSIDER THREAT MONITORING SUITE
Keywords:
Cybersecurity, anomaly detection, insider threat detection, Security Operations Center, machine learning, endpoint monitoring, automatic response, Random Forest, Isolation Forest.

Abstract
Insider threats are among the most serious security problems facing today's enterprises, and they are a frequent precursor to large data breaches and financial loss. Conventional, perimeter-based defenses cannot identify malicious activity that originates from trusted users inside the network. This paper presents Anomalert, a distributed Security Operations Center (SOC) system that combines continuous endpoint monitoring, machine-learning-driven anomaly detection, and an AI-based threat-validation layer to detect insider threats and respond to them automatically in near real time. The architecture has three layers: endpoint data collection, performed by four classes of specialized monitoring agents; a central SOC analysis engine that applies hybrid detection, combining Random Forest, Isolation Forest, and rule-based detection; and threat management through a visualization dashboard. Anomalert adds contextual validation of alerts using the Gemini AI engine and provides automated response actions. The endpoint collector is a Windows-installable application developed by us, and the analysis engine runs on AWS EC2 infrastructure. In the experimental evaluation, Anomalert identified anomalous authentication patterns, unauthorized file access, suspicious process execution, and abnormal network behavior with near-real-time response. The system balances insider-threat detection performance against operational efficiency.
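The abstract describes a hybrid analysis engine in which an unsupervised learner (Isolation Forest) and explicit rules both contribute to a verdict. The following is an added example, written for this page and not Anomalert's own code, showing how that fusion works on a handful of constructed per-user endpoint records: a self-contained Isolation Forest (implemented inline rather than taken from a library) scores each record, analyst rules flag specific behaviours (failed logons, off-hours activity, bulk file reads, large outbound transfers), and the two signals are combined into normal / review / critical. The feature set, rule thresholds, ML threshold, and all telemetry values are assumptions; the supervised Random Forest and the Gemini validation step mentioned in the abstract are not shown.

```python
"""Hybrid insider-threat scoring: a compact Isolation Forest plus analyst rules over
constructed endpoint telemetry. Added example, not Anomalert's code; features,
thresholds and records are assumptions."""
import math
import random

# Constructed per-user, per-hour telemetry (not real data). Fields:
# (user, hour_of_day, failed_logons, files_read, mb_sent, new_processes)
RECORDS = [
    ("alice", 10, 0, 12, 2, 3), ("alice", 11, 1, 15, 3, 4), ("alice", 14, 0, 9, 1, 2),
    ("bob", 9, 0, 20, 4, 5), ("bob", 13, 1, 18, 2, 3), ("bob", 16, 0, 14, 3, 4),
    ("carol", 10, 0, 11, 2, 2), ("carol", 12, 0, 16, 3, 3), ("carol", 15, 1, 13, 2, 4),
    ("dave", 9, 1, 17, 4, 5), ("dave", 11, 0, 10, 1, 3), ("dave", 17, 0, 12, 2, 2),
    ("mallory", 3, 9, 480, 900, 14),  # 3 a.m., failed logons, bulk reads, big upload
]

def features(rec):
    """Numeric feature vector: every field after the user name."""
    return [float(v) for v in rec[1:]]

def _c(n):
    """Expected path length of an unsuccessful BST search; normalises tree depth."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _build_tree(points, depth, max_depth, rng):
    """One isolation tree: random feature, random split point within its range."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    dims = [i for i in range(len(points[0]))
            if min(p[i] for p in points) < max(p[i] for p in points)]
    if not dims:  # remaining points are identical; nothing left to split on
        return {"size": len(points)}
    f = rng.choice(dims)
    split = rng.uniform(min(p[f] for p in points), max(p[f] for p in points))
    return {"feature": f, "split": split,
            "left": _build_tree([p for p in points if p[f] < split], depth + 1, max_depth, rng),
            "right": _build_tree([p for p in points if p[f] >= split], depth + 1, max_depth, rng)}

def _path_length(node, x, depth=0):
    if "feature" not in node:
        return depth + _c(node["size"])
    child = node["left"] if x[node["feature"]] < node["split"] else node["right"]
    return _path_length(child, x, depth + 1)

class IsolationForest:
    """Minimal Isolation Forest (Liu et al. 2008): outliers sit on short paths."""
    def __init__(self, n_trees=100, sample_size=256, seed=7):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng = random.Random(seed)  # fixed seed keeps scores reproducible
        self.trees, self.norm = [], 1.0

    def fit(self, X):
        n = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(n)) if n > 1 else 0
        self.trees = [_build_tree(self.rng.sample(X, n), 0, max_depth, self.rng)
                      for _ in range(self.n_trees)]
        self.norm = _c(n) or 1.0
        return self

    def score(self, x):
        """Anomaly score in (0, 1); easily isolated points score toward 1."""
        avg = sum(_path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / self.norm)

def rule_flags(rec):
    """Explicit SOC rules; thresholds are assumptions for this example."""
    _, hour, failed, files, mb, _ = rec
    flags = []
    if failed >= 5:
        flags.append("auth:repeated_failed_logons")
    if hour < 6 or hour > 21:
        flags.append("time:off_hours_activity")
    if files >= 200:
        flags.append("file:bulk_read")
    if mb >= 500:
        flags.append("net:large_outbound_transfer")
    return flags

def hybrid_verdict(rec, forest, ml_threshold=0.65):
    """Fuse ML score and rules: both fire -> critical, either alone -> review."""
    score = forest.score(features(rec))
    flags = rule_flags(rec)
    if flags and score >= ml_threshold:
        level = "critical"
    elif flags or score >= ml_threshold:
        level = "review"
    else:
        level = "normal"
    return {"user": rec[0], "score": round(score, 3), "rules": flags, "level": level}

def score_all(records=RECORDS):
    """Fit unsupervised on the whole window, then return one verdict per record."""
    forest = IsolationForest().fit([features(r) for r in records])
    return [hybrid_verdict(r, forest) for r in records]

if __name__ == "__main__":
    for v in score_all():
        print(f"{v['user']:8s} score={v['score']:.3f} level={v['level']:9s} {v['rules']}")
```

The point of the fusion is that neither signal is trusted alone: a high Isolation Forest score with no rule hit, or a rule hit on an otherwise ordinary record, only earns "review", while agreement between the two earns "critical" and is the kind of event an automated response or an external validation step would act on. Training on the same window that is scored is appropriate for an unsupervised detector, but it means a single abusive user who makes up a large share of the window will pull the baseline toward themselves, so in practice the forest should be fitted on a longer history than the window being judged.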