Automated Insider Threat Detection System Using User and Role-Based Profile Assessment

Detecting insider threats in a real corporate database of computer usage activity

Proceedings of the 19th ACM SIGKDD international conference on Knowledge discovery and data mining - KDD '13, 2013

This paper reports on methods and results of an applied research project by a team consisting of SAIC and four universities to develop, integrate, and evaluate new approaches to detect the weak signals characteristic of insider threats on organizations' information systems. Our system combines structural and semantic information from a real corporate database of monitored activity on their users' computers to detect independently developed red team inserts of malicious insider activities. We have developed and applied multiple algorithms for anomaly detection based on suspected scenarios of malicious insider behavior, indicators of unusual activities, high-dimensional statistical patterns, temporal sequences, and normal graph evolution. Algorithms and representations for dynamic graph processing provide the ability to scale as needed for enterprise-level deployments on real-time data streams. We have also developed a visual language for specifying combinations of features, baselines, peer groups, time periods, and algorithms to detect anomalies suggestive of instances of insider threat behavior. We defined over 100 data features in seven categories based on approximately 5.5 million actions per day from approximately 5,500 users. We have achieved area under the ROC curve values of up to 0.979 and lift values of 65 on the top 50 user-days identified on two months of real data.

Towards a User and Role-based Sequential Behavioural Analysis Tool for Insider Threat Detection

Insider threat is recognised to be a significant problem and of great concern to both corporations and governments alike. Traditional intrusion detection systems are known to be ineffective due to the extensive knowledge and capability that insiders typically have regarding the organisational setup. Instead, more sophisticated measures are required to analyse the actions performed by those within the organisation, to assess whether their actions suggest that they pose a threat. In this paper, we propose a proof-of-concept that focuses on the use of activity trees to establish sequential-based analysis of employee behaviour. This concept combines the notions of previously-proposed techniques such as attack trees and behaviour trees. For a given employee, we define a tree that can represent all sequences of their observed behaviours. Over time, branches are either appended or created to reflect the new observations that are made on how the employee acts. We also incorporate a similarity measure to establish how different branches compare against each other. Attacks can be defined as where the similarity measure between a newly-observed branch and all existing branches is below a given acceptance criterion. The approach would allow an analyst to observe chains of events that result in low probability activities that could be deemed as unusual and therefore may be malicious. We demonstrate our proof-of-concept using third-party synthetic employee activity logs, to illustrate the practicalities of delivering this form of protective monitoring.

Insider Threat Detection Techniques: Review of User Behavior Analytics Approach

International Journal of Research in Engineering and Science, Vol. 12, Issue 09, 2024

Insider threats pose a serious danger to cybersecurity. Insiders possess greater privileges and authorized access to information and resources compared to external attackers, which can result in significant harm to a business if compromised. However, for every malfeasance or benign behavior on a network, digital footprints are often left behind in the user logs. Each abnormal user behavior could be viewed as a potential precursor to a subsequent malicious activity. Detecting insider threats requires thorough analysis of user activity. Authorized users are frequently the primary constituents of the computer network. They frequently perform tremendous activities and tasks on a daily basis. This, in turn, comprises frequent patterns of regular consumption of diverse resources on the network. Thus, the regular activities and workflow tasks can underline an insightful pattern to map and distinguish user behavior. Researchers are of the opinion that, in order to accurately recognize, detect, and respond to insider threats, a comprehensive analytical approach that incorporates a variety of data sources is preferable. These sources include technological monitoring, behavioral and psychological observations, and profiling. This paper presents a literature review of previous works on insider threat detection based on user behavior analytics.

Detecting and Identifying Insider Threats Based on Advanced Clustering Methods

IEEE Access, 2024

This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

DTB Project: A Behavioral Model for Detecting Insider Threats

2005

This paper describes the Detection of Threat Behavior (DTB) project, a joint effort being conducted by George Mason University (GMU) and Information Extraction and Transport, Inc. (IET). DTB uses novel approaches for detecting insiders in tightly controlled computing environments. Innovations include a distributed system of dynamically generated document-centric intelligent agents for document control, object-oriented hybrid logic-based and probabilistic modeling to characterize and detect illicit insider behaviors, and automated data collection and data mining of the operational environment to continually learn and update the underlying statistical and probabilistic nature of characteristic behaviors. To evaluate the DTB concept, we are conducting a human subjects experiment, which we will also include in our discussion.

A methodology and supporting techniques for the quantitative assessment of insider threats

Proceedings of the 2nd International Workshop on Dependability Issues in Cloud Computing - DISCCO '13, 2013

Security is a major challenge for today's companies, especially ICT ones which manage large scale cyber-critical systems. Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insider attackers, i.e., users with legitimate access who abuse or misuse their power, thus leading to unexpected security violations (e.g., acquiring and disseminating sensitive information). These attacks are very difficult to detect and mitigate due to the nature of the attackers, who often are the company's employees motivated by socio-economic reasons, and to the fact that attackers operate within their granted restrictions: as a consequence, insider attackers constitute an actual threat for ICT organizations. In this paper we present our ongoing work towards a methodology and supporting libraries and tools for insider threat assessment and mitigation. The ultimate objective is to quantitatively evaluate the possibility that a user will perform an attack, the severity of potential violations, and the costs, and finally to select the countermeasures. The methodology also includes a maintenance phase during which the assessment is updated on the basis of system evolution. The paper discusses future work towards the completion of our methodology.

Insider Threat Detection in Organization using Machine Learning

Journal of Applied Information Science, 2022

A cyber attack is a sudden attempt launched by cybercriminals against multiple computers or networks. With the evolution of cyberspace, the insider attack is the most serious attack faced by end users all over the world. Insiders that perform attacks have a certain advantage over other attackers since they are familiar with system policies and procedures. It is performed by authorized persons such as current employees, previous employees and business organizations. Cyber security reports show that both US federal agencies as well as different organizations face insider threats. Compromised users, careless users and malicious users are some of the grounds for insider attack. User-centric insider threat detection based on data granularity provides a new extent for insider detection since data is analysed in its depth. However, improper selection of features is a demerit. As a result, data granularity with a two-stage confirmation method is used in the proposed system. In the first stage, dual filtering using a Hidden Markov model and fuzzy logic is involved. In the second stage, the predicted output from the first stage is again checked using profile-to-profile or template-to-template comparison. The selection of the user's information as well as a triple feature for generating the training set is an additional advantage of the proposed approach. Two-stage confirmation leads to an increase in performance measure with a very low false positive rate.

Detecting insider threats using Ben-ware: beneficial intelligent software for identifying anomalous human behaviour

2015

The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of “Ben-ware”: a beneficial software system that uses low-level data collection from employees’ computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee’s activities against their own ‘normal’ profile, as well as against the organisation’s norm, we can detect those that are significantly divergent, which might indicate malicious activities. Deal...

A review for insider threats detection using machine learning

INNOVATIONS IN COMPUTATIONAL AND COMPUTER TECHNIQUES: ICACCT-2021

The insider threat involves the theft of confidential information, commercial information, business plans, intellectual property, or any fraud. The attacker may be an employee, third-party vendor, contractor, business associate, partner, or former employee who has access to data or information and who may violate the organization's security practices. According to surveys done in previous years, it has been identified that these threats are harming organizations, and among those attacks, 60-70% are performed by insider employees. The insider attacker is much more dangerous as compared to the external attacker, as security devices like intrusion detection, firewalls, and antivirus systems cannot detect them because they are using trusted access, which increases the difficulty of insider threat detection. In this paper, a study has been done on various types of insiders: some of them are malicious, but most of the threats occur due to carelessness and unintentionally. The paper then covers insider attack types and the different approaches used to detect them, drawing on characteristics like user action logs, biometric patterns, behavioral changes, and distinct algorithms.