An Insider Threat Detection Method Based on Business Process Mining

2017 ◽  
Vol 13 (2) ◽  
pp. 83-98 ◽  
Author(s):  
Taiming Zhu ◽  
Yuanbo Guo ◽  
Ankang Ju ◽  
Jun Ma ◽  
Xuan Wang
Keyword(s):  
Business Process ◽  
Process Mining ◽  
Detection System ◽  
Detection Methods ◽  
Insider Threat ◽  
Threat Detection ◽  
Detection Algorithms ◽  
Business Cases ◽  
Business Process Mining ◽  
And Performance

Current intrusion detection systems are mostly for detecting external attacks, but the “Prism Door” and other similar events indicate that internal staff may bring greater harm to organizations in information security. Traditional insider threat detection methods only consider the audit records of personal behavior and failed to combine it with business activities, which may miss the insider threat happened during a business process. The authors consider operators' behavior and correctness and performance of the business activities, propose a business process mining based insider threat detection system. The system firstly establishes the normal profiles of business activities and the operators by mining the business log, and then detects specific anomalies by comparing the content of real-time log with the corresponding normal profile in order to find out the insiders and the threats they have brought. The relating anomalies are defined and the corresponding detection algorithms are presented. The authors have performed experimentation using the ProM framework and Java programming, with five synthetic business cases, and found that the system can effectively identify anomalies of both operators and business activities that may be indicative of potential insider threat.

scholarly journals Insider Threat Detection Based on User Behavior Modeling and Anomaly Detection Algorithms

2019 ◽  
Vol 9 (19) ◽  
pp. 4018 ◽  
Author(s):  
Kim ◽  
Park ◽  
Kim ◽  
Cho ◽  
Kang
Keyword(s):  
Anomaly Detection ◽  
User Behavior ◽  
Behavior Modeling ◽  
Detection Methods ◽  
Insider Threat ◽  
Threat Detection ◽  
Insider Threats ◽  
Domain Experts ◽  
User Behavior Modeling ◽  
Detection Algorithms

Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

An email content-based insider threat detection model using anomaly detection algorithms

2021 ◽  
Author(s):  
NaanKang Garba ◽  
Sandip Rakshit ◽  
Chai Dakun Maa ◽  
Narasimha Rao Vajjhala
Keyword(s):  
Anomaly Detection ◽  
Insider Threat ◽  
Threat Detection ◽  
Detection Model ◽  
Detection Algorithms

Generalized Evidential Processing in Multiple Simultaneous Threat Detection in UNIX

2012 ◽  
pp. 104-120
Author(s):  
Zafar Sultan ◽  
Paul Kwan
Keyword(s):  
Data Fusion ◽  
Detection System ◽  
Set Cover ◽  
Threat Detection ◽  
Fusion Model ◽  
Detection Systems ◽  
Size Groups ◽  
On Line ◽  
And Performance ◽  
Statistical Data Fusion

In this paper, a hybrid identity fusion model at decision level is proposed for Simultaneous Threat Detection Systems. The hybrid model is comprised of mathematical and statistical data fusion engines; Dempster Shafer, Extended Dempster and Generalized Evidential Processing (GEP). Simultaneous Threat Detection Systems improve threat detection rate by 39%. In terms of efficiency and performance, the comparison of 3 inference engines of the Simultaneous Threat Detection Systems showed that GEP is the better data fusion model. GEP increased precision of threat detection from 56% to 95%. Furthermore, set cover packing was used as a middle tier data fusion tool to discover the reduced size groups of threat data. Set cover provided significant improvement and reduced threat population from 2272 to 295, which helped in minimizing the processing complexity of evidential processing cost and time in determining the combined probability mass of proposed Multiple Simultaneous Threat Detection System. This technique is particularly relevant to on-line and Internet dependent applications including portals.

Generalized Evidential Processing in Multiple Simultaneous Threat Detection in UNIX

2010 ◽  
Vol 2 (2) ◽  
pp. 51-67
Author(s):  
Zafar Sultan ◽  
Paul Kwan
Keyword(s):  
Data Fusion ◽  
Detection System ◽  
Set Cover ◽  
Threat Detection ◽  
Fusion Model ◽  
Data Set ◽  
Detection Systems ◽  
Processing Cost ◽  
Size Groups ◽  
And Performance

In this paper, a hybrid identity fusion model at decision level is proposed for Simultaneous Threat Detection Systems. The hybrid model is comprised of mathematical and statistical data fusion engines; Dempster Shafer, Extended Dempster and Generalized Evidential Processing (GEP). Simultaneous Threat Detection Systems improve threat detection rate by 39%. In terms of efficiency and performance, the comparison of 3 inference engines of the Simultaneous Threat Detection Systems showed that GEP is the better data fusion model. GEP increased precision of threat detection from 56% to 95%. Furthermore, set cover packing was used as a middle tier data fusion tool to discover the reduced size groups of threat data. Set cover provided significant improvement and reduced threat population from 2272 to 295, which helped in minimizing the processing complexity of evidential processing cost and time in determining the combined probability mass of proposed Multiple Simultaneous Threat Detection System. This technique is particularly relevant to on-line and Internet dependent applications including portals.

Sign in / Sign up

Export Citation Format

Share Document