ABSTRACT
Insider threat is a significant security risk for organizations. In this paper, we attempt to discover insider threat by identifying abnormal behavior in the enterprise social and online activity data of employees. To this end, we process and extract relevant features that are possibly indicative of insider threat behavior. These include features extracted from social data, such as email communication patterns and content, and from online activity data, such as web browsing patterns, email frequency, and file and machine access patterns. Subsequently, we detect statistically abnormal behavior with respect to these features using state-of-the-art anomaly detection methods, and treat this abnormal behavior as a proxy for insider threat activity. We test our approach on a real-world data set with artificially injected insider threat events. We obtain a ROC score of 0.77, which shows that our proposed approach is fairly successful in identifying insider threat events. Finally, we build a visualization dashboard that enables managers and HR personnel to quickly identify employees with high threat risk scores, so that they can take suitable preventive measures and limit security risk.
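The pipeline the abstract describes (per-user activity features, anomaly scoring against each user's own baseline, evaluation against injected events with a ROC score) as an added, stand-alone illustration; it is not the paper's code. The activity log, the users and the injected "bob, day 10" event are constructed here, and the scoring uses a simple per-user robust z-score rather than the paper's anomaly detection method.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample activity log: (user, day, event_type). Not from the paper.
EVENT_TYPES = ("email", "web", "file", "after_hours_logon")

def build_log():
    log = []
    for user, (em, web, fl) in {"alice": (20, 40, 5), "bob": (8, 15, 12)}.items():
        for day in range(1, 15):
            jitter = (day * 7) % 3  # deterministic day-to-day variation
            log += [(user, day, "email")] * (em + jitter)
            log += [(user, day, "web")] * (web + 2 * jitter)
            log += [(user, day, "file")] * (fl + jitter)
    # Injected insider-like event: bulk file access plus after-hours logons
    log += [("bob", 10, "file")] * 60 + [("bob", 10, "after_hours_logon")] * 3
    return log

def extract_features(log):
    """Per (user, day): count of each event type, as a feature vector."""
    counts = defaultdict(Counter)
    for user, day, etype in log:
        counts[(user, day)][etype] += 1
    return {k: [c[t] for t in EVENT_TYPES] for k, c in counts.items()}

def score_anomalies(features):
    """Robust z-score: each day is compared with that user's own baseline."""
    by_user = defaultdict(list)
    for (user, _day), vec in features.items():
        by_user[user].append(vec)
    scores = {}
    for (user, day), vec in features.items():
        z = 0.0
        for i, x in enumerate(vec):
            col = [v[i] for v in by_user[user]]
            med = median(col)
            mad = median(abs(c - med) for c in col) or 1.0  # guard MAD == 0
            z = max(z, abs(x - med) / mad)  # worst feature drives the score
        scores[(user, day)] = z
    return scores

def roc_auc(scores, positives):
    """Rank-based ROC AUC: P(positive scores higher than a negative)."""
    pos = [s for k, s in scores.items() if k in positives]
    neg = [s for k, s in scores.items() if k not in positives]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))
```

With the injected event as the only positive, `roc_auc(score_anomalies(extract_features(build_log())), {("bob", 10)})` evaluates the scorer the same way the paper evaluates its detector, and the per-(user, day) scores are what a dashboard would rank.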