Research of methods and algorithms of insider detection in a computer network using machine learning technologies
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science.
2021 (English)
Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]

Background. Security Information and Event Management (SIEM) systems today are sophisticated sets of software packages combined with hardware platforms that can analyze security events in real time and respond to them before the actions of intruders cause damage. A huge number of systems rely on the continuous transmission of data through computer networks. Nowadays it is difficult to imagine a sphere of human activity that is not affected by information technologies and does not use computer networks. Along with the means of protecting information, the technologies used by cybercriminals to achieve their goals are also improving. Moreover, so-called insiders, information security perpetrators inside the protected perimeter, are becoming a growing threat: because they are among the legitimate users and can have access to more confidential information, their actions can cause much more damage.

Objectives. To identify insider activity within the network in an acceptable time, we need to develop a methodology for detecting abnormal activity within the network using advanced data processing techniques based on machine learning. After recreating the data processing system, we also need to determine the most efficient algorithm that can be applied to the task of insider detection.

Methods. The work analyzed research papers with similar objectives to investigate methods and technologies for protecting against intrusions, in conjunction with a study of machine learning techniques for detecting anomalies in data. Experimental data were also collected containing information about network activity within a single network over two weeks. With this data, it is possible to conduct an experiment in network traffic processing using state-of-the-art technology.

Results. During the study of relevant works, several effective ways to detect anomalies in data were identified, technologies for processing large amounts of data using NoSQL were studied, and an experimental bench was built. The experimental data obtained were sufficient to verify the effectiveness of the resulting solution.

Conclusions. We analyzed existing approaches to detecting insider activity within a computer system. Algorithms based on machine learning and big data processing methods were evaluated. In addition, a model for representing big data in NoSQL format was developed, which made it possible to create an architecture for a system that detects insiders in computer networks using a graph database and machine learning methods.

Place, publisher, year, edition, pages
2021. p. 48
Keywords [en]
IPS, IDS, UBA, NoSQL, Information Security
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-21877
OAI: oai:DiVA.org:bth-21877
DiVA, id: diva2:1574685
Subject / course
DV2572 Master's Thesis in Computer Science
Available from: 2021-06-30
Created: 2021-06-29
Last updated: 2025-09-30
Bibliographically approved

Open Access in DiVA

Research of methods and algorithms of insider detection in a computer network using machine learning technologies (1273 kB), 796 downloads
File information
File name: FULLTEXT02.pdf
File size: 1273 kB
Checksum SHA-512: 78bfb82fb1a61a19e6a5bc91837850b07fab35ab9909106d4edd4c81bf0f9b11fc60650ed2134742ffaa980882f9d74404328baa6b12a9f0090bdac76c44f10d
Type: fulltext
Mimetype: application/pdf

Author
Pelevin, Dmitrii