Data-driven Model-based Detection of Malicious Insiders via Physical Access Logs

Published: 18 November 2019

Abstract

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this article, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We suggest two different models of movement behavior in this article and evaluate their ability to represent normal user movement. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.



Reviews

Amos O Olagunju

Employees with security clearance will perhaps continue to pose the ultimate security threat to businesses, organizations, and security researchers. What kinds of data and algorithms should be effectively used to monitor and thwart risky employees? Cheh et al. offer some insights for identifying malicious insiders based on recorded physical access logs. The authors present a framework for portraying user actions, to identify different models for delving into user behavior via historical data. Two distinct Markov models are used to identify the physical pathways in use at railway transit stations. The security threat model identifies users with legal or illegal physical access to the station rooms. The malicious insider detection framework consists of components for discovering the spatial and temporal properties of user movement behavior, and then ascertaining and applying an appropriate model to guesstimate the likelihood of anomalous access in the railway system blueprint. The framework includes offline and online phases. In the offline phase, users are characterized based on their past movement behavior, and models are constructed based on users' characteristics and past movement. The online phase computes the magnitude of uncharacteristic accesses by users. To evaluate the effectiveness of the advocated framework, the authors use data on the physical card accesses of 590 users to a railway station with 62 rooms. The information on several thousand physical accesses includes date and time, door code, user credential, and access type. The results of the data analysis reveal that the Markov model is effective in forecasting subsequent user movements based on historical physical accesses, and the unique pathways of users are appropriate for discovering regular and irregular movement behavior. The simulation results show the framework's reliability and competency.

The authors present accurate and efficient algorithms for detecting normal and abnormal access to physical computer rooms and resources. System administrators and cybersecurity experts should read this insightful paper.
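The offline/online pipeline that the abstract and the review describe (learn a per-user movement model from historical badge logs, then score new accesses against that model and the building layout) is shown below as an added Python example; it is not the authors' code. The rooms, the door adjacency list, the log records, the additive-smoothing parameter and the rule that a user's alert threshold is the least likely transition seen in their own history are all assumptions of this example, not values or rules from the paper.

```python
"""Added example (not the paper's code): offline learning of a per-user
Markov movement model from badge-access logs, then online scoring of a new
path against that model and the building layout."""
from collections import defaultdict
from math import log2

# Constructed building layout: pairs of rooms joined by a badge-controlled door.
# Hypothetical rooms; not the 62-room station layout used in the paper.
ADJACENT = {("LOBBY", "CORRIDOR"), ("CORRIDOR", "OFFICE"),
            ("CORRIDOR", "CONTROL"), ("CONTROL", "SERVER")}
ROOMS = sorted({room for pair in ADJACENT for room in pair})


def adjacent(a, b):
    """True if a door connects rooms a and b (doors work in both directions)."""
    return (a, b) in ADJACENT or (b, a) in ADJACENT


def _day(date, user, path):
    """Constructed log records with the four fields the review lists:
    (date-time, door/room code, user credential, access type)."""
    return [(f"{date}T{8 + i:02d}:00", room, user, "granted")
            for i, room in enumerate(path)]


ROUTINE = ["LOBBY", "CORRIDOR", "OFFICE", "CORRIDOR", "LOBBY"]
HISTORY = (_day("2018-01-01", "u1", ROUTINE)
           + _day("2018-01-02", "u1", ROUTINE)
           + _day("2018-01-03", "u1", ROUTINE)
           # A denied swipe is not a movement, so it must not train the model.
           + [("2018-01-03T09:30", "CONTROL", "u1", "denied")])


class MovementModel:
    """First-order Markov chain over rooms with additive smoothing, so that a
    transition never seen in training keeps a small non-zero probability."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))

    def observe(self, a, b):
        self.counts[a][b] += 1

    def prob(self, a, b):
        """P(next room = b | current room = a)."""
        row = self.counts.get(a, {})
        total = sum(row.values())
        return (row.get(b, 0) + self.alpha) / (total + self.alpha * len(ROOMS))

    def min_seen_prob(self):
        """Least likely transition this user has actually made. This example
        uses it as the user's alert threshold (an assumption, not the paper's rule)."""
        return min(self.prob(a, b) for a, row in self.counts.items() for b in row)

    def entropy(self):
        """Mean conditional entropy (bits) of the next room given the current one:
        low for a user with a fixed routine, high for an irregular mover."""
        per_room = []
        for a in self.counts:
            ps = [self.prob(a, b) for b in ROOMS]
            per_room.append(-sum(p * log2(p) for p in ps))
        return sum(per_room) / len(per_room)


def learn_models(log, alpha=0.5):
    """Offline phase: one model per user, trained on consecutive granted
    accesses within a day (a day is treated as one movement session)."""
    sessions = defaultdict(list)
    for timestamp, room, user, access in sorted(log):
        if access == "granted":
            sessions[(user, timestamp[:10])].append(room)
    models = {}
    for (user, _), path in sessions.items():
        if user not in models:
            models[user] = MovementModel(alpha)
        for a, b in zip(path, path[1:]):
            models[user].observe(a, b)
    return models


def score_path(model, path):
    """Online phase: one (from, to, kind, probability) alert per suspicious
    transition. 'layout' means the two rooms share no door, so a badge event
    is missing (tailgating, propped door, inconsistent log); 'unusual' means
    the transition is less likely than anything in the user's own history."""
    threshold = model.min_seen_prob()
    alerts = []
    for a, b in zip(path, path[1:]):
        p = model.prob(a, b)
        if not adjacent(a, b):
            alerts.append((a, b, "layout", p))
        if p < threshold:
            alerts.append((a, b, "unusual", p))
    return alerts


if __name__ == "__main__":
    for user, model in learn_models(HISTORY).items():
        print(f"{user}: entropy={model.entropy():.2f} bits, "
              f"threshold={model.min_seen_prob():.3f}")
        for alert in score_path(model, ["LOBBY", "CORRIDOR", "CONTROL", "SERVER", "OFFICE"]):
            print("  ALERT", alert)
```

Run directly, it prints the user's characterization (entropy and threshold) and the alerts for a constructed path that leaves the user's habitual route. The layout check fires independently of the learned model, which is what makes a missing badge event between two rooms visible even for a user whose movement is otherwise regular; the entropy value is the kind of per-user property the offline phase could use to decide how strict a model or threshold to apply.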


Published in

ACM Transactions on Modeling and Computer Simulation, Volume 29, Issue 4 (Special Issue on QEST 2017), October 2019, 188 pages
ISSN: 1049-3301
EISSN: 1558-1195
DOI: 10.1145/3372492

Copyright © 2019 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Received: 1 January 2018
• Revised: 1 November 2018
• Accepted: 1 January 2019
• Published: 18 November 2019

Qualifiers

• research-article
• Research
• Refereed
