
Russian Journal of Cybernetics, 2022 Volume 3, Issue 4, Pages 41–45 (Mi uk26)

Indirect monitoring of suspicious activity on computer systems

K. I. Bushmeleva, A. V. Gavrilenko, A. V. Nikiforov

Surgut State University, Surgut, Russian Federation

Abstract: This study considers the drawbacks of the existing fraud detection tools and offers a solution: indirect monitoring of suspicious activity on computer systems. We applied the expected value, variance, and standard deviation concepts to estimate the thresholds of indirect indicators of compromise and derived a solution based on the sample mean, sample variance, and sample standard deviation. The paper also describes a sample size estimation procedure based on the sampling rate of the computer system's indirect indicators and its runtime. The thresholds of the indirect indicators, the estimated sample size, and other proposed indicators describe the normal operation of the computer system. With this set of indicators, we can define a piecewise function used to check the indirect indicators against the normal operation conditions. Consequently, the computer system can be represented as a predicate. The predicate and the set of indicators form a template describing the computer system. The resulting template and its application scenarios provide a foundation for developing the architecture of an indirect suspicious activity monitoring tool.
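As an added illustration, not code from the paper, the following Python sketch follows the scheme the abstract describes: sample statistics over a baseline series fix a threshold band per indirect indicator, a piecewise function measures how far a new reading falls outside its band, and a predicate over all indicators stands for the system's normal state. The indicator names, baseline values, and the k = 3 band width are constructed assumptions.

```python
import math

# Constructed baseline readings of two indirect indicators, recorded during
# known-normal operation (hypothetical values, not taken from the paper).
BASELINE = {
    "cpu_load_pct": [12.0, 15.5, 14.2, 13.8, 16.1, 12.9, 14.7, 15.0, 13.3, 14.9],
    "auth_events_per_min": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
}


def sample_size(sampling_rate_hz, runtime_s):
    """Number of readings the monitor collects: sampling rate times runtime."""
    return int(sampling_rate_hz * runtime_s)


def sample_stats(xs):
    """Sample mean, sample variance (n - 1 denominator) and sample std. dev."""
    n = len(xs)
    m = sum(xs) / n
    var = sum((x - m) ** 2 for x in xs) / (n - 1)
    return m, var, math.sqrt(var)


def build_template(baseline, k=3.0):
    """Template: per-indicator band [mean - k*sd, mean + k*sd] of normal operation."""
    template = {}
    for name, xs in baseline.items():
        m, _, sd = sample_stats(xs)
        template[name] = (m - k * sd, m + k * sd)
    return template


def deviation(template, name, value):
    """Piecewise check: 0 inside the band, else the distance past the nearer bound."""
    lo, hi = template[name]
    if value < lo:
        return lo - value
    if value > hi:
        return value - hi
    return 0.0


def is_normal(template, observation):
    """Predicate: the system is in normal operation iff every indicator is in band."""
    return all(deviation(template, n, v) == 0.0 for n, v in observation.items())


if __name__ == "__main__":
    tpl = build_template(BASELINE)
    print(tpl)
    print(is_normal(tpl, {"cpu_load_pct": 14.0, "auth_events_per_min": 4}))   # True
    print(is_normal(tpl, {"cpu_load_pct": 95.0, "auth_events_per_min": 40}))  # False
```

A reading outside its band only flags a deviation; the template says nothing about which process caused it, which is why the abstract calls the indicators indirect.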

Keywords: methodology, monitoring, suspicious activity, computer systems, indirect indicators of compromise.

DOI: 10.51790/2712-9942-2022-3-4-05



© Steklov Math. Inst. of RAS, 2024