Darya Novikova, Vasiliy Podvigin
Gubkin Russian State University of Oil and Gas (National Research University), Moscow, 119991, Russian Federation
DOI 10.31854/2307-1303-2026-14-1-22-34
EDN DIUDHK
Abstract
Problem statement. A significant share of information security incidents on workstations is associated with process execution that deviates from typical user behavior. Traditional protection tools focused on signatures and network events do not provide behavioral context at the endpoint level, which limits the detection of rare processes and atypical parent-child process chains. The aim of the study is to improve the effectiveness of detecting deviations in user process activity by developing an agent-based monitoring system that accumulates process execution history and evaluates its typicality on workstations. Methods. The solution is based on an agent-server architecture that includes periodic collection of process state snapshots, process session construction, accumulative storage, and rule-based server-side analysis. Detection relies on process rarity assessment based on occurrence frequency, analysis of parent-child process chains, and rule-based identification of combined deviations, without using machine learning methods. The novelty lies in a rule-based approach to behavioral analysis of processes on workstations that combines a cumulative session store, catalogs of allowed processes and process chains, and centralized server-side deviation detection logic. In contrast to existing approaches, the analysis focuses on assessing activity typicality rather than classifying maliciousness. Results. A prototype system for the Windows operating system has been developed, including a lightweight client agent and a server application based on FastAPI and SQLite. The system collects and stores process execution history, detects rare and atypical process launches, and generates alerts. Functional validation confirmed the correctness of the implemented analytical rules and the ability to generate informative signals of atypical activity. Practical significance. The proposed approach enables the formation of behavioral context for process activity on workstations and can be used as an additional data source for security monitoring and analysis systems, including SIEM and SOC, improving the detection of new and atypical user activity scenarios.
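The three server-side rules the abstract describes (process rarity by occurrence frequency, parent-child chain typicality, and combined deviation), illustrated as an added example that is not the authors' prototype code. The accumulated session history, the catalogs of allowed processes and chains, the rarity threshold and the alert format are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed history: (parent, child) launches accumulated from earlier snapshots
HISTORY = (
    [("explorer.exe", "winword.exe")] * 40
    + [("explorer.exe", "chrome.exe")] * 55
    + [("services.exe", "svchost.exe")] * 120
    + [("explorer.exe", "7zfm.exe")] * 2
)

# Hypothetical catalogs of allowed processes and allowed parent->child chains
ALLOWED_PROCESSES = {"explorer.exe", "winword.exe", "chrome.exe", "svchost.exe", "services.exe"}
ALLOWED_CHAINS = {("explorer.exe", "winword.exe"), ("explorer.exe", "chrome.exe"),
                  ("services.exe", "svchost.exe")}

@dataclass
class Alert:
    parent: str
    child: str
    rules: tuple
    severity: str

def build_profile(history):
    """Accumulative storage: occurrence counts per process and per chain."""
    procs = Counter(child for _, child in history)
    chains = Counter(history)
    return procs, chains

def evaluate(session, procs, chains, rare_threshold=3):
    """Apply the rules to one new (parent, child) session; None means typical."""
    parent, child = session
    fired = []
    # Rule 1: rarity by occurrence frequency, unless the process is cataloged as allowed
    if child not in ALLOWED_PROCESSES and procs.get(child, 0) < rare_threshold:
        fired.append("rare_process")
    # Rule 2: parent->child chain neither cataloged nor seen in the history
    if session not in ALLOWED_CHAINS and chains.get(session, 0) == 0:
        fired.append("atypical_chain")
    if not fired:
        return None
    # Rule 3: a combined deviation (both rules) is escalated
    severity = "high" if len(fired) == 2 else "medium"
    return Alert(parent, child, tuple(fired), severity)

def run(sessions, history=HISTORY):
    """Evaluate a batch of new sessions against the accumulated profile."""
    procs, chains = build_profile(history)
    return [a for a in (evaluate(s, procs, chains) for s in sessions) if a]
```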
Keywords
process monitoring, information security, behavioral analysis, agent-based system, application classification, user activity, anomalous processes
Reference for citation
Novikova D., Podvigin V. Agent-Based System for Process Monitoring, Behavioral Analysis, and Anomalous Activity Detection on Workstations // Telecom IT. 2026. Vol. 14. Iss. 1. PP. 22‒34. (in Russian). DOI: 10.31854/2307-1303-2026-14-1-22-34. EDN: DIUDHK