Using alternate reality games to find a needle in a haystack: An approach for testing insider threat detection methods

Current intrusion detection systems are mostly for detecting external attacks, but the “Prism Door” and other similar events indicate that internal staff may bring greater harm to organizations in information security. Traditional insider threat detection methods only consider the audit records of personal behavior and failed to combine it with business activities, which may miss the insider threat happened during a business process. The authors consider operators' behavior and correctness and performance of the business activities, propose a business process mining based insider threat detection system. The system firstly establishes the normal profiles of business activities and the operators by mining the business log, and then detects specific anomalies by comparing the content of real-time log with the corresponding normal profile in order to find out the insiders and the threats they have brought. The relating anomalies are defined and the corresponding detection algorithms are presented. The authors have performed experimentation using the ProM framework and Java programming, with five synthetic business cases, and found that the system can effectively identify anomalies of both operators and business activities that may be indicative of potential insider threat.

Download Full-text

Insider Threat Detection Based on User Behavior Modeling and Anomaly Detection Algorithms

Applied Sciences ◽

10.3390/app9194018 ◽

2019 ◽

Vol 9 (19) ◽

pp. 4018 ◽

Cited By ~ 6

Author(s):

Kim ◽

Park ◽

Kim ◽

Cho ◽

Kang

Keyword(s):

Anomaly Detection ◽

User Behavior ◽

Behavior Modeling ◽

Detection Methods ◽

Insider Threat ◽

Threat Detection ◽

Insider Threats ◽

Domain Experts ◽

User Behavior Modeling ◽

Detection Algorithms

Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Download Full-text

Detecting Insider Threat from Behavioral Logs Based on Ensemble and Self-Supervised Learning

Security and Communication Networks ◽

10.1155/2021/4148441 ◽

2021 ◽

Vol 2021 ◽

pp. 1-11

Author(s):

Chunrui Zhang ◽

Shen Wang ◽

Dechen Zhan ◽

Tingyue Yu ◽

Tiangang Wang ◽

...

Keyword(s):

Machine Learning ◽

Spatial Heterogeneity ◽

Supervised Learning ◽

Detection Method ◽

Detection Methods ◽

Insider Threat ◽

Threat Detection ◽

Insider Threats ◽

Representation Method ◽

Detection Effect

Recent studies have highlighted that insider threats are more destructive than external network threats. Despite many research studies on this, the spatial heterogeneity and sample imbalance of input features still limit the effectiveness of existing machine learning-based detection methods. To solve this problem, we proposed a supervised insider threat detection method based on ensemble learning and self-supervised learning. Moreover, we propose an entity representation method based on TF-IDF to improve the detection effect. Experimental results show that the proposed method can effectively detect malicious sessions in CERT4.2 and CERT6.2 datasets, where the AUCs are 99.2% and 95.3% in the best case.

Download Full-text

Insider-Threat Detection in Corporate Espionage and Cyber-Espionage

Advances in Digital Crime, Forensics, and Cyber Terrorism - National Security and Counterintelligence in the Era of Cyber Espionage ◽

10.4018/978-1-4666-9661-7.ch004 ◽

2016 ◽

pp. 62-77

Author(s):

Kirk Y Williams

Keyword(s):

Detection Methods ◽

Insider Threat ◽

Threat Detection ◽

Governmental Agency ◽

Education Access ◽

Governmental Agencies ◽

Data Analyst ◽

External Threat ◽

Cyber Espionage ◽

Data Scientist

National Security will always be threatened by individuals internal to the organization in the form of an insider-threat and external to the organization in the form of corporate espionage or cyber-espionage. Therefore, insider-threat detection methods, security precautions, authentication processes, and standard operating procedures for employees should be in place to try to reduce the instances of an insider-threat and/or an external threat breaching the security of an organization, institution, company, or governmental agency. Espionage and cyber-espionage can and does occur; however, it is not usually made public knowledge and when it does, it can have grave effects on the organization, institution, company, or governmental agency in which it occurred. Within this chapter the author explores how an insider-threat in the form of a Data Scientist, Penetration Tester, or Data Analyst can use their education, access, and background to gain access to systems and information that can be of value to external organizations, institutions, companies, and/or governmental agencies.

Download Full-text