Insider Threat Research Papers - Academia.edu
Masqueraders are users who take control of a machine and perform malicious activities such as data exfiltration or system misuse on behalf of legitimate users. In the literature, there are various approaches for detecting masqueraders by modeling legitimate users' behavior during their daily tasks and automatically determining whether they are doing something suspicious. Usually, these techniques model user behavior using features extracted from various sources, such as the file system, network activities, system calls, etc. In this work, we propose a one-class anomaly detection approach that measures similarities between the history of a user and events recorded in a time window of the user's session which is to be classified. The idea behind our solution is the application of a graph partitioning technique on weighted oriented graphs generated from such event sequences, while considering that strongly connected nodes have to belong to the same cluster. First, a history of vertex clusters is built for each user, and then this history is compared to a new input by using a similarity function, which leads either to the acceptance or rejection of the new input. This makes our approach substantially different from existing general graph-based approaches that consider graphs as a single entity. The approach can be applied to different kinds of homogeneous event sequences; however, successful application of the approach will be demonstrated on file system access events only. The linear time complexity of the approach was demonstrated in the experiments, and the performance evaluation was done using two state-of-the-art datasets, WUIL and TWOS, both of them containing file system access logs of legitimate users and masquerade attackers; for the WUIL dataset we achieved an average per-user AUC of 0.94, a TPR over 95%, and a FPR less than 10%, while for the TWOS dataset we achieved an average per-user AUC of 0.851, a TPR over 91% and a FPR around 11%.
The purpose of this document is to provide guidance on safeguards that limit the introduction of malicious code into software and software systems in order to reduce the risk posed to software by malicious code. The intended audience for the information contained in this document includes system security engineers, as well as system and software developers, evaluators, and development program offices.
Posting here because the document is no longer available online from NSA.
Introduction
Among the problems discussed in this study is the issue of national security, broadly defined. Recognizing the need for the safe existence of citizens, it is impossible not to note that we live in an increasingly global world, so discussion of the national security of the Republic of Poland cannot be limited only to the territory of our motherland. Without a doubt, both nationally and internationally, safety regulations play a key role in shaping world security. In this work, the authors undertook a collective development of specific threats to the modern safety and security management organization (in complex and problematic terms) and the development of attitudes and education standards for safety. The aim of this work is the exchange of views among representatives of various research and teaching centers and representatives of practice:
• Contemporary problems of safety and civilization threats
• Legal framework of internal security of the Republic of Poland and international security
• Dilemmas of internal security management
• Education and upbringing for security
Finally, we would like to thank the reviewers of this book, Prof. dr hab. Piotr Majer and Dr Ivan Iurlo, whose valuable comments shaped the final form of this study.
We also thank all the authors, representing various research centers, universities and institutions, through whose contributions this work arose.
Prof. zw. dr hab. Bronisław Sitek
Mgr Aleksandra Ukleja
Robert Hanssen, a career FBI Special Agent and "trusted insider", was able to sell U.S. secrets to the Soviets and Russians for twenty-two years before his detection in December 2000 by the FBI. Prior to Hanssen's arrest, the FBI's internal security programs were fragmented and contained severe deficiencies. These flaws made it relatively easy for Hanssen to commit espionage and, simultaneously, difficult for the FBI to identify him as an insider threat and ultimately arrest him. While the motivations and techniques surrounding espionage have significantly changed since the end of the Cold War, the "trusted insider" threat remains. This paper will examine the key aspects of the FBI's internal security program that enabled Hanssen to commit espionage, as well as some of the motivating factors behind his activity. A brief synopsis of Hanssen's background and FBI employment history will be included. However, the primary focus will be analysing Hanssen-era FBI security protocols and the 2002 Webster Commission Report, which was produced to examine the FBI's security programs and recommend methods to overhaul FBI internal security programs in light of the Hanssen case. The FBI's efforts to implement those recommendations, to effect a more technologically advanced and secure environment within the FBI, will also be examined.
The current consensus is that there is a worldwide gap in the skills needed for a competent cybersecurity workforce. This skills gap has implications for the national security sector, both public and private. Although the view is that this will take a concerted effort to rectify, it presents an opportunity for IT professionals, university students, and aspirants to take up jobs in national security—national intelligence as well as military and law enforcement intelligence. This paper examines the context of the issue, the nature of the cybersecurity skills gap, and some key responses by governments to address the problem. The paper also examines the emerging employment trends, some of the employment challenges, and what these might mean for practice. The paper argues that the imperative is to close the cyber skills gap by taking advantage of the window of opportunity, allowing individuals interested in moving into the cybersecurity field to do so via education and training.
Insider threats are one of today's most challenging cybersecurity issues and are not well addressed by commonly employed security solutions. In this work we propose a structural taxonomy and a novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research, while using the existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include: 1) Incidents and datasets, 2) Analysis of incidents, 3) Simulations, and 4) Defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents, which is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat, because it provides: a) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, b) an overview of publicly available datasets that can be used to test new detection solutions against other works, c) references to existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and d) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.
This is a report submitted to the International Atomic Energy Agency (IAEA) under the IAEA-UGA (University of Georgia in Athens) Agreement on Coordinated Research Projects for Enhancement of Nuclear Security Culture. CITS/UGA staff and graduate students contributed to this report. Its objective is to tailor the IAEA generic methodology for nuclear security culture to the specific security needs of users of radioactive sources. It can serve as guidance for self-assessment and enhancement of security culture at diverse organizations which manufacture, operate and store radioactive sources.
The IAEA International Standards for Tissue Banks published in 2003 were based on the Standards then currently in use in the USA and the European Union, among others, and reflect the best practices associated with the operation of a tissue bank. They cover legal, ethical and regulatory controls as well as requirements and procedures from donor selection and tissue retrieval to processing and distribution of finished tissue for clinical use. The application of these standards allows tissue banks to operate with the current good tissue practice, thereby providing grafts of high quality that satisfy the national and international demand for safe and biologically useful grafts. The objective of this article is to review the IAEA Standards and recommend new topics that could improve the current version.
Mass violence is empirically rare. Studying mass violence presents numerous methodological challenges. The complex nature of mass violence events, which may have germinated in years prior, makes attempts to use conventional research methods problematic. Complexity science and the interdisciplinary field of computational social science offer new scientific paradigms and computational tools well suited to the study of complex and dynamic phenomena like mass violence. We review aspects of mass violence that can hamper research efforts, introduce complexity science, computational social science and computational modeling, and highlight three types of computational models that will likely be of particular interest and value to the threat assessment and management community.
Public Significance Statement: This theoretical review article discusses methodological challenges for mass violence research and proposes computational modeling and simulation as a valuable tool for use by threat assessment and management researchers and professionals. We discuss basic principles of complexity science, modeling, and simulation, and suggest three types of computational models (spatial/tactical, population, and organizational) of particular appeal for threat assessment and management. We conclude by presenting an example spatial/tactical agent-based model used to conduct computational research on the possibility of unarmed resistance in an active shooter scenario.
This article presents a new signcryption scheme which is based on the Schnorr digital signature algorithm. The new scheme represents my personal contribution to the signcryption area. I have implemented the algorithm in a program, and here I provide the steps of the algorithm, the results and some examples. The paper also contains a presentation of the original signcryption scheme, based on the ElGamal digital signature, and discusses the practical applications of signcryption in real life.
This research analyzes how the perception of organizational injustice motivates the practice of cybercrimes in the workplace. In a qualitative and exploratory investigation, interviews were carried out with 16 cybersecurity specialists. Data were analyzed through the categorical content analysis technique. The results obtained suggest that the perception of injustice produces negative feelings, such as low self-esteem, frustration, and lack of guilt, and these emotions, in turn, motivate the practice of cybercrimes. Different perceptions were identified among the interviewees of this study; these, associated with the literature review related to the theme, allowed the proposition of a conceptual model.
Insider threat has become a serious issue for many organizations. Various companies are increasingly deploying information technologies to prevent unauthorized access to their systems. Biometric approaches offer some techniques that contribute towards controlling the point of entry. However, these methods are mainly not able to continuously validate users' reliability. In contrast, behavioral profiling is one of the biometric technologies, but it focuses on the activities of users while they use the system and compares them with previous history. This paper presents a comprehensive analysis, literature review and limitations of the behavioral profiling approach and to what extent it can be used for mitigating insider misuse.
Keywords: insider threat, behavioural profiling, insider misuse
Insider Threats (ITs) are hard to identify because of their knowledge of the organization and motivation to avoid detection. One approach to detecting ITs utilizes Active Indicators (AI), stimuli that elicit a characteristic response from the insider. The present research implemented this approach within a simulation of financial investigative work. A sequence of AIs associated with accessing a locked file was introduced into an ongoing workflow. Participants allocated to an insider role accessed the file illicitly. Eye tracking metrics were used to differentiate insiders from control participants performing a legitimate role. Data suggested that ITs may show responses suggestive of strategic concealment of interest and emotional stress. Such findings may provide the basis for a cognitive engineering approach to IT detection.
- by Gerald Matthews and +1
- Cyber Security, Insider Threat
Collaborative Information Systems (CIS) allow users to belong to different groups to communicate and interfere with shared tasks or documents for collaboration. Current Intrusion Detection Systems are not effective in detecting insider threats where users work in dynamic teams. A malicious hacker who works as an employee of an organization, or an outsider who acts as an employee by obtaining false credentials, is called an insider threat, and that malicious hacker may cause damage to the shared information. The proposed Neighborhood Anomaly Detection System (NADS) is an unsupervised learning framework to detect insider threats. NADS makes use of access logs of collaborative environments for intrusion detection. This framework is based on the observation that typical CIS users tend to form neighborhood structures based on the subjects accessed. NADS consists of two components: 1) relational pattern extraction, where neighborhood structures are derived, and 2) anomaly prediction, which uses a statistical model based on relational pattern extraction. Based on the observations, the deviation of users from the communities they belong to is detected. It is capable of detecting anomalous insiders in systems that use dynamic teams.
Information systems face several security threats, some of which originate from insiders. This paper presents a novel, interdisciplinary insider threat prediction model. It combines approaches, techniques, and tools from computer science and psychology. It utilizes real-time monitoring, capturing the user's technological trait in an information system and analyzing it for misbehavior. In parallel, the model uses data from psychometric tests, so as to assess for each user the predisposition to malicious acts and the stress level, which is an enabler for the user to overcome his moral inhibitions, under the condition that the collection of such data complies with the legal framework. The model combines the above-mentioned information, categorizes users, and identifies those that require additional monitoring, as they can potentially be dangerous for the information system and the organization.
In this paper we present the TWOS dataset, which contains realistic instances of insider threats based on a gamified competition. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed sessions for two types of insider threats (masqueraders and traitors). The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days, while their activities were monitored considering several heterogeneous sources (mouse, keyboard, process and file-system monitor, network traffic, emails and login/logout). In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to expected malicious behaviors, students explored various defensive and offensive strategies such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. Furthermore, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection but also includes areas such as authorship verification and identification, continuous authentication, and sentiment analysis. We also present several state-of-the-art features that can be extracted from different data sources in order to guide researchers in the analysis of the dataset. The TWOS dataset is publicly accessible for further research purposes.
According to Transparency International, Australia is perceived to be one of the least corrupt countries in the world, although Australia's ranking in the latest Corruption Perceptions Index (Transparency International 2018) has recently declined. Public servants are particularly at risk of being invited to act corruptly because of their access to confidential and personal information and because they can provide benefits to, or discount the liabilities of, members of the public. Corruption affecting the public sector is a covert and pernicious criminal activity that has been defined as: …[a] public official…acting for personal gain, [violating] the norms of public office and [harming] the interests of the public to benefit a third party who rewards [the public official] for access to goods or services which [they] would not otherwise obtain (Philip 2006: 45). Because corruption is a much smaller problem in Australia than in many other countries, fewer resources have been devoted to detecting 'hard-to-find' corruption, such as where serious and organised crime groups (SOCG) target public officials.
Abstract: This paper examines the nature of serious and organised crime group (SOCG) involvement in public sector corruption, associated risk factors and best-practice responses and prevention strategies. The paper draws on an environmental scan of international literature on the corruption of public sector officials by SOCGs to determine how corruption occurs and how it can best be prevented. The approaches of other countries were analysed to identify which initiatives can most effectively be applied to problems within Australia. Although the scale of the threat is less in Australia than in other countries, we can learn from overseas experiences how best to minimise this threat in future.
Insiders' malicious information security behaviours have always been a persistent problem requiring urgent mitigation solutions. More recently, seminal calls for future research suggested exploring the influences of employee-workplace interaction and pre-kinetic events such as organisational injustice, since they are argued to hold potential impacts on the insider's intention to perform abusive computer behaviours. This study responds to those calls by investigating the relationship between organisational injustice and insiders' intention to commit malicious security behaviours. In addition, it employed General Strain Theory, a highly influential theory in criminology that has received little attention in information security behavioural research. The literature review suggested that the employed theory has a close relationship with organisational injustice concepts, and therefore adds more explanation of why insiders deliberately perform computer abuses. As a result, a testable conceptual model incorporating strains, disgruntlement and organisational injustice is proposed to describe the relationships between those factors and insiders' malicious information security behaviours. The research concludes with the model's potential implications and limitations, and provides future directions.
There is little literature examining the impact of non-crypto focused quantum computation threats such as maximum quasi clique, minimum clique cover, portfolio, risk optimization, asset degradation, and utility system distribution analysis.
Abstract. Purpose: The purpose of this paper is to demonstrate how document protection has become a key object of concern for organizations, how the threat of leaks has led to an increase in security technologies and policies and how these...
This paper reviews and integrates several accepted psychological constructs into a behavioral model that can be adapted for practical use and suggests new tools to leverage this model to mitigate threats from insiders who may intentionally decide to harm their organization or our national security.
- by Daniel Mcgarvey and +1
- Behavioral Sciences, Security, Counterintelligence, Insider Threat
Attacks on organization networks can be classified as external and internal attacks. For the purpose of this paper we consider that external attacks are generated by attackers or hosts outside the organization, and internal attacks are generated by malicious insiders within the organization. Insider attacks have always been challenging to deal with, as insiders have legitimate and physical access to the systems within the organization, have knowledge of the organization's networks and, more importantly, are aware of the security environment enforced within the organization. In this paper we propose novel trust-enhanced security techniques to deal with the insider attack problem. Our architecture detects the attacks by monitoring the user activity as well as the state of the system, using trusted computing to expose and analyze suspicious behaviour. We will demonstrate how an insider can exploit weaknesses in the systems to generate different attacks and how our architecture can help to prevent such attacks.
In recent years, solutions related to fraud detection through artificial intelligence systems based on massive data exploitation (Big Data) have proliferated in the technology market. Anomalous pattern detection and event correlation are two of the key elements of these solutions, which make it possible to detect the "beginnings" of anomalies before they occur, whether with respect to economic or operational transactions or to any other related or unrelated data determined in a time order or in a specific place.
The importance of protecting nuclear power plants, laboratories, and other facilities can hardly be overstated, especially in light of increased threats of terrorism. But the two principal components of nuclear facility security, the appropriate security equipment and written ...
Book Details:
Book Title: Computer Security & Risk Analysis
Publisher: Independent Publishing, 2018
ISBN-13: 978-1731512895
ISBN-10: 1731512899
EAN: 9781731512895
Book language: English
By (author): Dileep Keshava Narayana
Number of Pages: 32
Published on: 2018-11-18
Category: Informatics, IT
This innovative approach narrates one of the crises of the late Hashemite monarchy from Wien. The Austrian capital (still under Soviet military occupation) took an unexpectedly prominent role as the setting for both Iraq's centrist and extremist politics. During 1954, Hassan Abdul Rahman (serving as Minister of Social Affairs) accompanied his son for medical treatment. A member of the United Popular Front political group, his party's Executive Committee demanded that the Cabinet lift martial law within 10 days; Abdul Rahman's resignation opened the way for the imposition of authoritarian controls in Iraq. Later that same year (following passage of the notorious decrees 16, 17, 18, and 19) a series of activists who had been deprived of their civil status turned up at the Soviet Embassy in Vienna.