Caught in the act of an insider attack: detection and assessment of insider threat (original) (raw)
Related papers
Empirical Detection Techniques of Insider Threat Incidents
IEEE Access, 2020
Vital organizations have faced increasing challenges of how to defend against insider threats that may cause a severe damage to their assets. The nature of insider threats is more challenging than external threats, as insiders have a privileged access to sensitive assets of an organization. In fact, there are several studies that reviewed the insider threat detection approaches from taxonomical and theoretical perspectives. However, the protection against insider threat incidents requires empirical defense solutions. Hence, our study uniquely focuses on empirical detection approaches that are validated with empirical results. We propose a 10-question model that highlights different prospective of empirical detection approaches. Significant factors are also proposed to reveal the extent to which the detection approaches are effective against insider threat incidents (e.g., feature domains, protection coverage, classification techniques, simulated scenarios, performance and accuracy metrics, etc.). The objective of this paper is to enhance researchers' efforts in the domain of insider attack by systemizing the detection techniques in comparable manner. It also highlights the challenges and gaps for further research to institute more effective solutions that can predict, detect, and prevent emerging attack incidents. Some recommendations for future research directions are also presented.
Validating an Insider Threat Detection System: A Real Scenario Perspective
2016 IEEE Security and Privacy Workshops (SPW), 2016
There exists unequivocal evidence denoting the dire consequences which organisations and governmental institutions face from insider threats. While the in-depth knowledge of the modus operandi that insiders possess provides ground for more sophisticated attacks, organisations are ill-equipped to detect and prevent these from happening. The research community has provided various models and detection systems to address the problem, but the lack of real data due to privacy and ethical issues remains a significant obstacle for validating and designing effective and scalable systems. In this paper, we present the results and our experiences from applying our detection system into a multinational organisation, the approach followed to abide with the ethical and privacy considerations and the lessons learnt on how the validation process refined the system in terms of effectiveness and scalability.
2015
The insider threat problem is a significant and ever present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex in tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of “Ben-ware”: a beneficial software system that uses low-level data collection from employees’ computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee’s activities against their own ‘normal’ profile, as well as against the organisational’s norm, we can detect those that are significantly divergent, which might indicate malicious activities. Deal...
DTB Project: A Behavioral Model for Detecting Insider Threats
2005
This paper describes the Detection of Threat Behavior (DTB) project, a joint effort being conducted by George Mason University (GMU) and Information Extraction and Transport, Inc. (IET). DTB uses novel approaches for detecting insiders in tightly controlled computing environments. Innovations include a distributed system of dynamically generated document-centric intelligent agents for document control, objectoriented hybrid logic-based and probabilistic modeling to characterize and detect illicit insider behaviors, and automated data collection and data mining of the operational environment to continually learn and update the underlying statistical and probabilistic nature of characteristic behaviors. To evaluate the DTB concept, we are conducting a human subjects experiment, which we will also include in our discussion.
A methodology and supporting techniques for the quantitative assessment of insider threats
Proceedings of the 2nd International Workshop on Dependability Issues in Cloud Computing - DISCCO '13, 2013
Security is a major challenge for today's companies, especially ICT ones which manages large scale cyber-critical systems. Amongst the multitude of attacks and threats to which a system is potentially exposed, there are insiders attackers i.e., users with legitimate access which abuse or misuse of their power, thus leading to unexpected security violation (e.g., acquire and disseminate sensitive information). These attacks are very difficult to detect and mitigate due to the nature of the attackers, which often are company's employees motivated by socio-economical reasons, and to the fact that attackers operate within their granted restrictions: it is a consequence that insiders attackers constitute an actual threat for ICT organizations. In this paper we present our ongoing work towards a methodology and supporting libraries and tools for insider threats assessment and mitigation. The ultimate objective is to quantitatively evaluate the possibility that a user will perform an attack, the severity of potential violations, the costs, and finally select the countermeasures. The methodology also includes a maintenance phase during which the assessment is updated on the basis of system evolution. The paper discusses future works towards the completion of our methodology.
Towards a Conceptual Model and Reasoning Structure for Insider Threat Detection
Journal of Wireless Mobile Networks Ubiquitous Computing and Dependable Applications, 2013
The insider threat faced by corporations and governments today is a real and significant problem, and one that has become increasingly difficult to combat as the years have progressed. From a technology standpoint, traditional protective measures such as intrusion detection systems are largely inadequate given the nature of the 'insider' and their legitimate access to prized organisational data and assets. As a result, it is necessary to research and develop more sophisticated approaches for the accurate recognition, detection and response to insider threats. One way in which this may be achieved is by understanding the complete picture of why an insider may initiate an attack, and the indicative elements along the attack chain. This includes the use of behavioural and psychological observations about a potential malicious insider in addition to technological monitoring and profiling techniques. In this paper, we propose a framework for modelling the insider-threat problem that goes beyond traditional technological observations and incorporates a more complete view of insider threats, common precursors, and human actions and behaviours. We present a conceptual model for insider threat and a reasoning structure that allows an analyst to make or draw hypotheses regarding a potential insider threat based on measurable states from real-world observations.
Detecting Unknown Insider Threat Scenarios
International Journal on Computational Science & Applications, 2016
Problems from the inside of an organization's perimeters are a significant threat, since it is very difficult to differentiate them from outside activity. In this dissertation, evaluate an insider threat detection motto on its ability to detect different type of scenarios that have not previously been identify or contemplated by the developers of the system. We show the ability to detect a large variety of insider threat scenario instances We report results of an ensemble-based, unsupervised technique for detecting potential insider threat, insider threat scenarios that robustly achieves results. We explore factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of existing knowledge encoded in scenario based detectors made for different known activity patterns. We report results over the entire period of the ensemble approach and of ablation experiments that remove the scenario-based detectors.
AZALIA: an A to Z assessment of the likelihood of insider attack
2009
The insider threat problem is increasing, both in terms of the number of incidents and their financial impact. To date, solutions have been developed to detect specific instances of insider attacks (e.g., fraud detection) and therefore use very limited information for input. In this paper we describe an architecture for an enterprise-level solution that incorporates data from multiple sources. The unique aspects of this solution include the prioritization of resources based on the business value of the protected assets, and the use of psychological indicators and language affectation analysis to predict insider attacks. The goal of this architecture is not to detect that insider abuse has occurred, but rather to determine how to prioritize monitoring activities, giving priority to scrutinizing those whose background includes access to key combinations of assets as well as those psychological/other factors that have in the past been associated with malicious insiders.