Michael Evans

Master of Science in Data Science

Regis University

Expected Graduation: Spring 2026

About Me

I am a highly motivated, determined individual who enjoys taking on new challenges and pushing the envelope with technologies I have not yet had the opportunity to develop professionally. My goal is to always improve and learn new skills so that I may become a well-rounded, well-versed IT/InfoSec professional.

Practicum Projects

MSDS 692

Combining URL and User-Agent Features for Malicious Web Request Identification

GenAI Information Security

Cybersecurity threats targeting web applications have grown exponentially, with attackers exploiting HTTP requests through phishing URLs and spoofed User-Agent strings. Traditional detection systems often rely on single-feature analysis, limiting their ability to identify sophisticated attacks. Using machine learning techniques, this project aims to improve detection accuracy and provide actionable insights for web security.

Regis University | MSDS 692 | Spring 2025

MSDS 696

User and Group Behavior Modeling Using Logon and Web Activity for Insider Threat Detection

Insider threats are a persistent challenge for organizations because the activity of Human Threat Actors (HTAs) resembles legitimate access: they find ways to blend in with normal activity. Traditional rule- and signature-based detections struggle to detect this nuanced behavior. Cyber Threat Operations Centers (CTOCs) and Security Operations Centers (SOCs) are increasingly tasked with applying User and Entity Behavior Analytics (UEBA) to differentiate normal behavior from HTA activity by flagging deviations. Many organizations struggle with UEBA because they lack practical, data-driven methods and expertise to build these complex behavioral baselines and translate anomalies into operationally useful CTOC cases with risk scores. Approaches that are statistically sound, interpretable, Model Risk validated, and aligned with SOC workflows are needed, rather than opaque black-box models. This practicum addresses a user-based UEBA modeling methodology to risk score the public CERT Insider Threat Dataset from Carnegie Mellon University’s Software Engineering Institute (SEI). The dataset contains realistic synthetic logs, including user logon/logoff events and web/HTTP activity, along with user and department metadata. Building individual user-based models from these, or any real-world, logs is well suited to finding anomalous events through statistically significant deviations, which could reflect insider threat risk more accurately.

Regis University | MSDS 696 | Spring 2026

Get In Touch

Let's Connect

Feel free to reach out for collaboration opportunities, questions about my projects, or just to connect!

Send a Message

I'm always open to discussing new projects, creative ideas, or opportunities to be part of your vision.
