Distance Measurement Methods for Improved Insider Threat Detection

2018, Vol 2018, pp. 1-18
Author(s): Owen Lo, William J. Buchanan, Paul Griffiths, Richard Macfarlane

Insider threats are a considerable problem within cyber security, and it is often difficult to detect these threats using signature detection. Increasingly, machine learning can provide a solution, but these methods often fail to take into account changes in the behaviour of users. This work builds on a published method of detecting insider threats, applies a Hidden Markov method to a CERT data set (CERT r4.2), and analyses a number of distance vector methods (Damerau–Levenshtein Distance, Cosine Distance, and Jaccard Distance) in order to detect changes of behaviour, which are shown to have success in determining different insider threats.

2020, Vol 10 (15), pp. 5208
Author(s): Mohammed Nasser Al-Mhiqani, Rabiah Ahmad, Z. Zainal Abidin, Warusia Yassin, Aslinda Hassan, ...

Insider threat has become a widely accepted issue and one of the major challenges in cybersecurity. This phenomenon indicates that threats require special detection systems, methods, and tools, which entail the ability to facilitate accurate and fast detection of a malicious insider. Several studies on insider threat detection and related areas in dealing with this issue have been proposed. Various studies aimed to deepen the conceptual understanding of insider threats. However, there are many limitations, such as a lack of real cases, biases in making conclusions, which are a major concern and remain unclear, and the lack of a study that surveys insider threats from many different perspectives and focuses on the theoretical, technical, and statistical aspects of insider threats. The survey aims to present a taxonomy of contemporary insider types, access, level, motivation, insider profiling, effect security property, and methods used by attackers to conduct attacks and a review of notable recent works on insider threat detection, which covers the analyzed behaviors, machine-learning techniques, dataset, detection methodology, and evaluation metrics. Several real cases of insider threats have been analyzed to provide statistical information about insiders. In addition, this survey highlights the challenges faced by other researchers and provides recommendations to minimize obstacles.


Electronics, 2020, Vol 9 (9), pp. 1460
Author(s): Neetesh Saxena, Emma Hayes, Elisa Bertino, Patrick Ojo, Kim-Kwang Raymond Choo, ...

The insider threat has consistently been identified as a key threat to organizations and governments. Understanding the nature of insider threats and the related threat landscape can help in forming mitigation strategies, including non-technical means. In this paper, we survey and highlight challenges associated with the identification and detection of insider threats in both public and private sector organizations, especially those part of a nation’s critical infrastructure. We explore the utility of the cyber kill chain to understand insider threats, as well as understanding the underpinning human behavior and psychological factors. The existing defense techniques are discussed and critically analyzed, and improvements are suggested, in line with the current state-of-the-art cyber security requirements. Finally, open problems related to the insider threat are identified and future research directions are discussed.


2019, pp. 1408-1425
Author(s): Sunita Vikrant Dhavale

Recent studies have shown that, despite being equipped with highly secure technical controls, a broad range of cyber security attacks were carried out successfully on many organizations to reveal confidential information. This shows that the technical advancements of cyber defence controls do not always guarantee organizational security. According to a recent survey carried out by IBM, 55% of these cyber-attacks involved insider threat. Controlling an insider who already has access to the company's highly protected data is a very challenging task. Insider attacks have great potential to severely damage the organization's finances as well as their social credibility. Hence, there is a need for reliable security frameworks that ensure confidentiality, integrity, authenticity, and availability of organizational information assets by including the comprehensive study of employee behaviour. This chapter provides a detailed study of insider behaviours that may hinder organization security. The chapter also analyzes the existing physical, technical, and administrative controls, their objectives, their limitations, insider behaviour analysis, and future challenges in handling insider threats.


Author(s): Gerald Matthews, Lauren Reinerman-Jones, Ryan Wohleber, Eric Ortiz

Insider Threats (ITs) are hard to identify because of their knowledge of the organization and motivation to avoid detection. One approach to detecting ITs utilizes Active Indicators (AI), stimuli that elicit a characteristic response from the insider. The present research implemented this approach within a simulation of financial investigative work. A sequence of AIs associated with accessing a locked file was introduced into an ongoing workflow. Participants allocated to an insider role accessed the file illicitly. Eye tracking metrics were used to differentiate insiders from control participants performing a legitimate role. Data suggested that ITs may show responses suggestive of strategic concealment of interest and emotional stress. Such findings may provide the basis for a cognitive engineering approach to IT detection.


Author(s): Deanna D. Caputo

Violence threat and insider threat assessment rely on successfully identifying, interpreting, and responding to concerning or malicious behaviors before egregious harm is done. Both types of threats benefit from multidisciplinary teams of experts skillfully putting together data points before physical, emotional, financial, reputational, or informational harm occurs. Usually the identified character (e.g., decision-making, interpersonal style, work style), stressors, and concerning behaviors demonstrated do not clearly indicate whether a person will assault coworkers, steal classified/proprietary information, sabotage systems, or proceed normally as a responsible employee. Empirically based risk factors and threat indicators provide opportunities to evaluate potential threats more appropriately earlier in the assessment process. This chapter is an overview of insider threat definitions and programs, what it takes to become an insider threat, and how research psychologists bring rigorous science to insider threat detection, providing a solid understanding of what is known and not known about nonviolent insider threats.


2019, Vol 9 (19), pp. 4018
Author(s): Kim, Park, Kim, Cho, Kang

Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.


2013, Vol 22 (05), pp. 1360013
Author(s): Pallabi Parveen, Nathan McDaniel, Zackary Weger, Jonathan Evans, Bhavani Thuraisingham, ...

Evidence of malicious insider activity is often buried within large data streams, such as system logs accumulated over months or years. Ensemble-based stream mining leverages multiple classification models to achieve highly accurate anomaly detection in such streams, even when the stream is unbounded, evolving, and unlabeled. This makes the approach effective for identifying insider threats who attempt to conceal their activities by varying their behaviors over time. This paper applies ensemble-based stream mining, supervised and unsupervised learning, and graph-based anomaly detection to the problem of insider threat detection. It demonstrates that the ensemble-based approach is significantly more effective than traditional single-model methods, supervised learning outperforms unsupervised learning, and increasing the cost of false negatives correlates to higher accuracy. Future work will consider a wider range of tunable parameters in an effort to further reduce false positives, include a more sophisticated polling algorithm for weighting better models, and implement parallelization to lower runtimes to more rapidly detect emerging insider threats.


2019, Vol 7 (1), pp. 40-52
Author(s): Karla Clarke, Yair Levy, Laurie Dringus, Shonda Brown

Insider threat mitigation is a growing challenge within organizations. The development of a novel alert visualization dashboard for the identification of potentially malicious cyber insider threats was identified as necessary to alleviate this challenge. This research developed a cyber insider threat dashboard visualization prototype for detecting potentially malicious cyber insider activities, QUICK.v™. This study utilized Subject Matter Experts (SMEs) by applying the Delphi Method to identify and rank the most critical cyber visualization variables. This paper contains the detailed results of a survey-based experimental research study that identified the critical cybersecurity variables, also referred to as cybersecurity vital signs. The identified vital signs will aid cybersecurity analysts with triage for potentially malicious insider threats. From a total of 45 analytic variables assessed by 42 cybersecurity SMEs, the top six variables were identified using a comprehensive data collection process. The results indicated that workplace satisfaction is one of the top critical cyber visualization variables that should be measured and visualized to aid cybersecurity analysts in the detection of potentially malicious cyber insider threat activities. The data collection process used to identify and rank critical cyber visualization variables is described.


2021, Vol 2021, pp. 1-11
Author(s): Chunrui Zhang, Shen Wang, Dechen Zhan, Tingyue Yu, Tiangang Wang, ...

Recent studies have highlighted that insider threats are more destructive than external network threats. Despite many research studies on this, the spatial heterogeneity and sample imbalance of input features still limit the effectiveness of existing machine learning-based detection methods. To solve this problem, we propose a supervised insider threat detection method based on ensemble learning and self-supervised learning. Moreover, we propose an entity representation method based on TF-IDF to improve the detection effect. Experimental results show that the proposed method can effectively detect malicious sessions in the CERT4.2 and CERT6.2 datasets, where the AUCs are 99.2% and 95.3% in the best case.


