Abstract
The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this article, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We suggest two different models of movement behavior in this article and evaluate their ability to represent normal user movement. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.
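As an added illustration (not the paper's code; the abstract does not name its two movement models), the following assumes a first-order Markov model of zone-to-zone movement learned per user from constructed badge-reader traces, checked online against an assumed building layout graph: a transition the door graph cannot produce is flagged as a layout violation, and a transition rarely or never seen for that user is flagged as a deviation from routine. Zone names, traces and the threshold are assumptions.

```python
from collections import defaultdict

# Assumed building layout: ordered (from, to) zone pairs joined by a badge reader.
LAYOUT = {
    ("lobby", "corridor"), ("corridor", "lobby"),
    ("corridor", "control_room"), ("control_room", "corridor"),
    ("corridor", "server_room"), ("server_room", "corridor"),
    ("control_room", "server_room"), ("server_room", "control_room"),
}

# Constructed historical traces (user, zones entered in order), one per shift.
# The user almost always goes to the control room and only rarely to the server room.
HISTORY = (
    [("alice", ["lobby", "corridor", "control_room", "corridor", "lobby"])] * 18
    + [("alice", ["lobby", "corridor", "server_room", "corridor", "lobby"])] * 2
)

def learn_transitions(traces):
    """Per-user first-order Markov model: P(next zone | user, current zone)."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, zones in traces:
        for cur, nxt in zip(zones, zones[1:]):
            counts[(user, cur)][nxt] += 1
    return {key: {z: c / sum(nxt.values()) for z, c in nxt.items()}
            for key, nxt in counts.items()}

def score_trace(model, layout, user, zones, threshold=0.02):
    """Check one new trace online. A transition absent from the layout graph cannot
    come from badging through doors (e.g. a missed reader or tailgating); a transition
    with probability below threshold is a deviation from the user's learned routine."""
    alerts = []
    for cur, nxt in zip(zones, zones[1:]):
        if (cur, nxt) not in layout:
            alerts.append(("layout_violation", cur, nxt))
            continue
        p = model.get((user, cur), {}).get(nxt, 0.0)
        if p < threshold:
            alerts.append(("unusual_transition", cur, nxt, round(p, 3)))
    return alerts

MODEL = learn_transitions(HISTORY)

if __name__ == "__main__":
    for trace in (["lobby", "corridor", "control_room", "corridor", "lobby"],
                  ["lobby", "server_room", "corridor", "lobby"],
                  ["lobby", "corridor", "control_room", "server_room", "corridor", "lobby"]):
        print(trace, "->", score_trace(MODEL, LAYOUT, "alice", trace))
```

A user with no learned history scores every transition at probability zero, so in practice a role-level model or a minimum training count would be used before alerting on such users.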
Index Terms
- Data-driven Model-based Detection of Malicious Insiders via Physical Access Logs