2025_EML Capstone Projects

vulnerabilities. NIST guidelines (SP 800-53, 800-61) and research into machine learning-based anomaly detection provide best practices. Most existing systems either lack transparency or are hard to audit, which this project addresses through explainability and phased implementation. Peer-reviewed literature supports the effectiveness of hybrid detection systems in government IT and healthcare cybersecurity domains.

4. Project Plan and Timeline

The capstone project is implemented in three phases. Technical innovation, operational practicality and transparency were built into each phase so that change management principles could be applied as the system was rolled out.

Phase 1: Rule-based scoring system for baseline detection. A rule-based behavior scoring system was deployed to establish a baseline for threat detection. It is a simple, auditable system built from if-then logic that detects activities which would raise red flags. The rules include logins outside typical work hours, unusually large downloads, and admin privilege escalations not associated with administrative roles. Key accomplishments: the behavior scoring algorithm and the machine learning model were successfully deployed, using Python for data handling, and the compliance process was enabled so that detections can be audited and reviewed.

Phase 2: Isolation Forest ML model trained on synthetic data. A machine learning layer was integrated using synthetic datasets. The Isolation Forest algorithm was trained on synthetic user activity data and flags deviations from normal behavior based on three criteria: download size, time of login activity, and admin privilege usage. Key accomplishments: a synthetic dataset of 1000 records was created with realistic user behavior and 20 injected anomalies. The model flagged ~20 outliers, reflecting ~95% detection accuracy. Results were integrated into a data pipeline to streamline visualization.

Phase 3: Flask-based dashboard for real-time visualization. A Flask-based dashboard prototype was developed to visualize flagged users, risk scores, and behavioral deviations in real time. The prototype provides real-time updates, displays clear user-level threat detection indications, and gives technical support for resolving issues caused by human error.
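The Phase 1 rule set, worked through as an added example (not the capstone team's own code): the three if-then rules from the text are applied to a constructed sample of user activity events, scores are aggregated per user, and the fired rules are kept alongside each score so a reviewer can audit why a user was flagged. The working-hours window, download limit, rule weights and flag threshold are assumed values, not ones the project states.

```python
from datetime import datetime

# Constructed sample events (not real data): one dict per user activity record.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "analyst", "action": "login", "time": "2025-03-03T09:12:00", "bytes": 0},
    {"user": "alice", "role": "analyst", "action": "download", "time": "2025-03-03T10:05:00", "bytes": 40_000_000},
    {"user": "bob", "role": "analyst", "action": "login", "time": "2025-03-03T02:47:00", "bytes": 0},
    {"user": "bob", "role": "analyst", "action": "download", "time": "2025-03-03T03:10:00", "bytes": 2_500_000_000},
    {"user": "bob", "role": "analyst", "action": "privilege_escalation", "time": "2025-03-03T03:15:00", "bytes": 0},
    {"user": "carol", "role": "admin", "action": "privilege_escalation", "time": "2025-03-03T14:00:00", "bytes": 0},
]

WORK_HOURS = range(8, 19)        # 08:00-18:59 counts as typical working hours (assumed)
DOWNLOAD_LIMIT = 1_000_000_000   # more than 1 GB in one event is treated as excessive (assumed)
FLAG_THRESHOLD = 50              # cumulative score at which a user is flagged (assumed)

def score_event(event):
    """Apply the if-then rules to one event; return (points, list of fired rules)."""
    points, reasons = 0, []
    hour = datetime.fromisoformat(event["time"]).hour
    if event["action"] == "login" and hour not in WORK_HOURS:
        points += 20
        reasons.append("login outside typical work hours")
    if event["action"] == "download" and event["bytes"] > DOWNLOAD_LIMIT:
        points += 30
        reasons.append("unusually large download")
    if event["action"] == "privilege_escalation" and event["role"] != "admin":
        points += 40
        reasons.append("admin privilege escalation by non-admin role")
    return points, reasons

def score_users(events, threshold=FLAG_THRESHOLD):
    """Aggregate per-user scores and keep the fired rules so each flag is auditable."""
    users = {}
    for ev in events:
        pts, why = score_event(ev)
        entry = users.setdefault(ev["user"], {"score": 0, "reasons": []})
        entry["score"] += pts
        entry["reasons"].extend(why)
    for entry in users.values():
        entry["flagged"] = entry["score"] >= threshold
    return users

if __name__ == "__main__":
    for user, entry in score_users(SAMPLE_EVENTS).items():
        status = "FLAGGED" if entry["flagged"] else "ok"
        print(f"{user}: score={entry['score']} {status} {entry['reasons']}")
```

On the sample above only bob is flagged (all three rules fire, score 90); carol's privilege use is not scored because her role is admin.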

