Insider Threats

Detecting insider threats using Ben-ware: beneficial intelligent software for identifying anomalous human behaviour

2015

The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of “Ben-ware”: a beneficial software system that uses low-level data collection from employees’ computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee’s activities against their own ‘normal’ profile, as well as against the organisation’s norm, we can detect those that are significantly divergent, which might indicate malicious activities. Deal...

Ben-ware: Identifying Anomalous Human Behaviour in Heterogeneous Systems Using Beneficial Intelligent Software

J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl., 2015

The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of "Ben-ware": a beneficial software system that uses low-level data collection from employees' computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee's activities against their own 'normal' profile, as well as against the organisation's norm, we can detect those that are significantly divergent, which might indicate malicious activities. Dealing with false positives is one of the main challenges here. Anomalous behaviour could indicate malicious activities (such as an employee trying to steal confidential information), but it could also be benign (for example, an employee carrying out a workaround or taking a shortcut to complete their job). Therefore it is important to minimise the risk of false positives, and we do this by combining techniques from human factors, artificial intelligence, and risk analysis in our approach. Developed as a distributed system, Ben-ware has a three-tier architecture composed of (i) probes for data collection, (ii) intermediate nodes for data routing, and (iii) high level nodes for data analysis. The distributed nature of Ben-ware allows for near-real-time analysis of employees without the need for dedicated hardware or a significant impact on the existing infrastructure. This will enable Ben-ware to be deployed in situations where there are restrictions due to legacy and low-power resources, or in cases where the network connection may be intermittent or has a low bandwidth. We demonstrate the appropriateness of Ben-ware, both in its ability to detect potentially malicious acts and its low impact on the resources of the organisation, through a proof-of-concept system and a scenario based on synthetically generated user data.

DTB Project: A Behavioral Model for Detecting Insider Threats

2005

This paper describes the Detection of Threat Behavior (DTB) project, a joint effort being conducted by George Mason University (GMU) and Information Extraction and Transport, Inc. (IET). DTB uses novel approaches for detecting insiders in tightly controlled computing environments. Innovations include a distributed system of dynamically generated document-centric intelligent agents for document control, object-oriented hybrid logic-based and probabilistic modeling to characterize and detect illicit insider behaviors, and automated data collection and data mining of the operational environment to continually learn and update the underlying statistical and probabilistic nature of characteristic behaviors. To evaluate the DTB concept, we are conducting a human subjects experiment, which we will also include in our discussion.

An Integrated System for Insider Threat Detection

IFIP — The International Federation for Information Processing, 2007

This paper discusses the development of an integrated automatic digital insider threat detection system using the Web Based Enterprise Management (WBEM) initiative. Our system facilitates the selection and storage of digital evidence with minimal administrative input and eventually may also implement advanced proactive digital forensics techniques. First this paper presents WBEM basics that can be used for dynamically gathering data on insiders. This can include information from and about any of the systems on the local user machine and can include information such as the number of processes and threads currently running, information about user mode versus kernel mode time, network interface statistics, etcetera. Next, we introduce Microsoft's implementation of the WBEM initiative for Windows called Windows Management Instrumentation (WMI). Given these systems, the primary objective of this paper is to present the specifics of how to build a digital forensics application with C# .NET that interfaces with WMI. Special attention is paid to the suitability of these tools for the needs of the proposed system.

The Application of Artificial Intelligence in the Detection of Malicious Insider Threats: A Review

Corpus Intellectual, 2024

Insider threats are a growing threat to organizations' security, resulting in a significant increase in cyberattacks. As organizations continue to rely on digital systems and data, the potential for malicious insider threats has heightened the need for advanced detection methods using Artificial Intelligence (AI) technology. A malicious insider is an individual granted legitimate access to an organization and exploits this privilege for personal or other reasons to compromise information assets' confidentiality, integrity, or availability. A simple review of forty-seven (47) articles identified from various academic databases was conducted. In this review paper, we explore the current state of research on the application of AI techniques for the detection of malicious insider threats in the cybersecurity space by examining the different AI-based approaches and techniques that have been employed for the detection of malicious insider threats, types of data source and how effective the AI models are through the evaluation metrics utilized. The academic literature reveals a wide range of advancements in artificial intelligence related to the detection of insider threats. The Computer Emergency Response Team (CERT) dataset has the highest usage of 68%, while accuracy and precision have the highest usage of 26% and 21%, respectively, in terms of performance metrics, with Machine learning as the most used AI technique compared to others. Additionally, the paper outlines future research directions. It serves as a starting point for young researchers and a yardstick for experienced researchers in proposing new methodologies to enhance the effectiveness of insider threat detection.

Detecting insider threats in a real corporate database of computer usage activity

Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining - KDD '13, 2013

This paper reports on methods and results of an applied research project by a team consisting of SAIC and four universities to develop, integrate, and evaluate new approaches to detect the weak signals characteristic of insider threats on organizations' information systems. Our system combines structural and semantic information from a real corporate database of monitored activity on their users' computers to detect independently developed red team inserts of malicious insider activities. We have developed and applied multiple algorithms for anomaly detection based on suspected scenarios of malicious insider behavior, indicators of unusual activities, high-dimensional statistical patterns, temporal sequences, and normal graph evolution. Algorithms and representations for dynamic graph processing provide the ability to scale as needed for enterprise-level deployments on real-time data streams. We have also developed a visual language for specifying combinations of features, baselines, peer groups, time periods, and algorithms to detect anomalies suggestive of instances of insider threat behavior. We defined over 100 data features in seven categories based on approximately 5.5 million actions per day from approximately 5,500 users. We have achieved area under the ROC curve values of up to 0.979 and lift values of 65 on the top 50 user-days identified on two months of real data.

Analysis and detection of malicious insiders

2005

This paper summarizes a collaborative, six month ARDA NRRC [1] challenge workshop to characterize and create analysis methods to counter sophisticated malicious insiders in the [...]

[...] insiders (an analyst, application administrator, and system administrator), measuring timeliness and accuracy of detection.

2. Fusing information from heterogeneous information sources (e.g., logs from printers, authentication, card readers, telephone calls) and various levels of the IP stack (e.g., application vs. network traffic) allows more accurate and timely indications and warning of malicious [...]

[1] This effort was performed at The MITRE Corporation at the Northeast Regional Research Center (NRRC), which is sponsored by the Advanced Research and Development Activity in Information Technology (ARDA), a U.S. Government entity which sponsors and promotes research of import to the Intelligence Community, which includes but is not limited to the CIA, DIA, NSA, NGA, and NRO.

Towards a User and Role-based Sequential Behavioural Analysis Tool for Insider Threat Detection

Insider threat is recognised to be a significant problem and of great concern to both corporations and governments alike. Traditional intrusion detection systems are known to be ineffective due to the extensive knowledge and capability that insiders typically have regarding the organisational setup. Instead, more sophisticated measures are required to analyse the actions performed by those within the organisation, to assess whether their actions suggest that they pose a threat. In this paper, we propose a proof-of-concept that focuses on the use of activity trees to establish sequential-based analysis of employee behaviour. This concept combines the notions of previously-proposed techniques such as attack trees and behaviour trees. For a given employee, we define a tree that can represent all sequences of their observed behaviours. Over time, branches are either appended or created to reflect the new observations that are made on how the employee acts. We also incorporate a similarity measure to establish how different branches compare against each other. Attacks can be defined as where the similarity measure between a newly-observed branch and all existing branches is below a given acceptance criteria. The approach would allow an analyst to observe chains of events that result in low probability activities that could be deemed as unusual and therefore may be malicious. We demonstrate our proof-of-concept using third-party synthetic employee activity logs, to illustrate the practicalities of delivering this form of protective monitoring.