Abstract
The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity. In this paper we propose a system complementary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create the attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it to ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimal computational time and memory.
References
Agrafiotis, I., Erola, A., Goldsmith, M., Creese, S.: Formalising policies for insider-threat detection: a tripwire grammar. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. (JoWUA) 8(1), 26–43 (2017)
Agrafiotis, I., Erola, A., Happa, J., Goldsmith, M., Creese, S.: Validating an insider threat detection system: a real scenario perspective. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 286–295. IEEE (2016)
Agrafiotis, I., Nurse, J.R., Buckley, O., Legg, P., Creese, S., Goldsmith, M.: Identifying attack patterns for insider threat detection. Comput. Fraud Secur. 2015(7), 9–17 (2015)
Arulampalam, M.S., Maskell, S., Gordon, N., Clapp, T.: A tutorial on particle filters for online nonlinear/non-Gaussian Bayesian tracking. IEEE Trans. Sig. Process. 50(2), 174–188 (2002)
Bishop, M., et al.: Insider threat identification by process analysis. In: 2014 IEEE Security and Privacy Workshops (SPW), pp. 251–264. IEEE (2014)
Bostock, M.: D3.js. Data Driven Doc. 492, 701 (2012)
Brdiczka, O., et al.: Proactive insider threat detection through graph learning and psychological context. In: 2012 IEEE Symposium on Security and Privacy Workshops (SPW), pp. 142–149. IEEE (2012)
Gemalto’s Breach Level Index: Data breach database and risk assessment calculator (2016). http://www.breachlevelindex.com/
Buford, J.F., Lewis, L., Jakobson, G.: Insider threat detection using situation-aware MAS. In: 2008 11th International Conference on Information Fusion, pp. 1–8. IEEE (2008)
Cappelli, D.M., Moore, A.P., Trzeciak, R.F.: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley, Boston (2012)
Chen, Y., Malin, B.: Detection of anomalous insiders in collaborative environments via relational analysis of access logs. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 63–74. ACM (2011)
Eberle, W., Graves, J., Holder, L.: Insider threat detection using a graph-based approach. J. Appl. Secur. Res. 6(1), 32–81 (2010)
Fedosejev, A.: React.js Essentials. Packt Publishing Ltd., Birmingham (2015)
Health Professions Education Unit United Kingdom: Ponemon cyber crime report: it, computer and internet security (2015). http://www8.hp.com/uk/en/software-solutions/ponemon-cyber-security-report/
Magklaras, G., Furnell, S.: Insider threat prediction tool: evaluating the probability of IT misuse. Comput. Secur. 21(1), 62–73 (2001)
Moore, A.P., Cappelli, D., Caron, T.C., Shaw, E.D., Spooner, D., Trzeciak, R.F.: A preliminary model of insider theft of intellectual property (2011)
Moore, A.P., Cappelli, D.M., Trzeciak, R.F.: The “Big Picture” of insider IT sabotage across U.S. critical infrastructures. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security, pp. 17–52. Springer, Heidelberg (2008). https://doi.org/10.1007/978-0-387-77322-3_3
Myers, J., Grimaila, M.R., Mills, R.F.: Towards insider threat detection using web server logs. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, p. 54. ACM (2009)
Nurse, J.R., et al.: Understanding insider threat: a framework for characterising attacks. In: 2014 IEEE Security and Privacy Workshops (SPW), pp. 214–228. IEEE (2014)
Nurse, J.R.C., et al.: A critical reflection on the threat from human insiders – its nature, industry perceptions, and detection approaches. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 270–281. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07620-1_24
Parveen, P., Thuraisingham, B.: Unsupervised incremental sequence learning for insider threat detection. In: 2012 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 141–143. IEEE (2012)
Rashid, T., Agrafiotis, I., Nurse, J.R.: A new take on detecting insider threats: exploring the use of hidden Markov models. In: Proceedings of the 2016 International Workshop on Managing Insider Security Threats, pp. 47–56. ACM (2016)
ISACA and RSA Conference: State of Cybersecurity: implications for 2015 (2015). http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf
Sarkar, K.R.: Assessing insider threats to information security using technical, behavioural and organisational measures. Inf. Secur. Tech. Rep. 15(3), 112–133 (2010)
Tilkov, S., Vinoski, S.: Node.js: using Javascript to build high-performance network programs. IEEE Internet Comput. 14(6), 80–83 (2010)
Upton, D.M., Creese, S.: The danger from within. Harv. Bus. Rev. 92(9), 94–101 (2014)
Young, W.T., Memory, A., Goldberg, H.G., Senator, T.E.: Detecting unknown insider threat scenarios. In: 2014 IEEE Security and Privacy Workshops, pp. 277–288, May 2014. https://doi.org/10.1109/SPW.2014.42
Appendices
Appendix 1.A Dataset for Every Scenario
The detection system can have access to both raw data logs and alerts from anomaly detection systems. In our evaluation, these datasets contain both the organisation's logs and the alerts generated by the CITD system, which are in the same format as the other logs. Logs in each dataset are stored as files, including
- , which are the alerts generated by the CITD system,
- , which records the target addresses of emails sent by the users,
- , which records the history of login and logout of the users,
- , which contains the paths of files accessed by the users,
- , which records the URLs of websites accessed by the users,
- and , containing the activity related to USB devices (inserted, removed).
Each record is composed of the attributes , , and , which refer to the user's id, the time at which the log was generated, the device's id and the behaviour of the user recorded by this log. An example of a row in the is:
Alert logs store the alert information in and the severity of the alert in the extended attribute , which can be “Green”, “Yellow” or “Red” as explained in [2]. An example of an alert record is:
Files for the same scenario are merged and sorted according to their , so there is one file per scenario containing all the logs from oldest to newest. In addition to the logs, information about the employees and the duties of their occupational roles is also provided for each dataset. This information can be further used in building novel attack patterns or refining current ones. For example, we may want to add a step that detects any employee accessing sensitive files whose path or name contains admin.
Appendix 1.B Attack Patterns
Figure 8 shows the attack pattern which raised an alert for the scenario explained in detail in Sect. 4. The text next to each transition contains the id of the original attack step in [3] and a brief description of how the transition is implemented. For example, the transition from \(S_0\) to \(S_1\) in Fig. 8 refers to the attack step in which insiders log in to the organisation's system using their own credentials; this is implemented by capturing the login-system logs with value .
Figure 9 illustrates the trace followed by the insider (highlighted); the thickness of the arrows in the figure represents the frequency of the transitions.
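The mechanics described in Appendices 1.A and 1.B (per-source log files merged and sorted by time, then fed through a state machine whose transitions fire on log values such as a login, a file path containing admin, a USB insertion or a Red alert) can be sketched as follows. This is an added illustration, not the authors' CITD tool or the pattern of Fig. 8: the `LogEntry` fields, the behaviour string encoding, the user ids and the three-step pattern are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class LogEntry:
    user: str       # user's id
    time: int       # ordering key (constructed integer timestamps)
    device: str     # device's id
    behaviour: str  # constructed encoding: "login", "logout", "file:<path>", "usb:inserted", "alert:Red", ...

# Hypothetical pattern: state -> list of (predicate on a log entry, next state).
Predicate = Callable[[LogEntry], bool]
PATTERN: Dict[int, List[Tuple[Predicate, int]]] = {
    0: [(lambda e: e.behaviour == "login", 1)],                                              # own-credential login
    1: [(lambda e: e.behaviour.startswith("file:") and "admin" in e.behaviour.lower(), 2)],  # sensitive path/name
    2: [(lambda e: e.behaviour == "usb:inserted", 3),                                        # rule-based step
        (lambda e: e.behaviour == "alert:Red", 3)],                                          # anomaly-detector step
}
FINAL_STATE = 3

def merge_sorted(*log_files: List[LogEntry]) -> List[LogEntry]:
    """Merge the per-source files of one scenario into a single time-ordered stream."""
    return sorted((e for f in log_files for e in f), key=lambda e: e.time)

def run_pattern(entries: List[LogEntry], pattern=PATTERN, final=FINAL_STATE) -> Dict[str, list]:
    """Track every user's state independently; return users that reached the final state with their trace."""
    state: Dict[str, int] = {}
    trace: Dict[str, list] = {}
    alerts: Dict[str, list] = {}
    for e in entries:
        if e.behaviour == "logout":          # a session ends: restart the pattern for this user (hypothetical reset rule)
            state[e.user] = 0
            continue
        s = state.get(e.user, 0)
        for pred, nxt in pattern.get(s, []):
            if pred(e):
                state[e.user] = nxt
                trace.setdefault(e.user, []).append((s, nxt, e.behaviour))
                if nxt == final:
                    alerts[e.user] = list(trace[e.user])
                break
    return alerts

# Constructed sample "files": u17 follows the whole pattern, u02 does not.
LOGIN_LOG = [LogEntry("u17", 100, "ws-04", "login"), LogEntry("u02", 101, "ws-09", "login"), LogEntry("u02", 140, "ws-09", "logout")]
FILE_LOG = [LogEntry("u17", 120, "ws-04", "file:/share/Admin/payroll.xlsx"), LogEntry("u02", 125, "ws-09", "file:/share/public/memo.txt")]
USB_LOG = [LogEntry("u17", 130, "ws-04", "usb:inserted")]
ALERT_LOG = [LogEntry("u02", 150, "ws-09", "alert:Red")]

def demo() -> Dict[str, list]:
    return run_pattern(merge_sorted(LOGIN_LOG, FILE_LOG, USB_LOG, ALERT_LOG))

if __name__ == "__main__":
    print(demo())  # only u17 reaches the final state, with a three-transition trace
```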
Appendix 1.C Pattern Editor
Figure 10 presents the pattern editor interface and illustrates how analysts can straightforwardly design novel attack patterns without the need to change the code of the tool.
© 2019 Springer Nature Switzerland AG
Zhang, H., Agrafiotis, I., Erola, A., Creese, S., Goldsmith, M. (2019). A State Machine System for Insider Threat Detection. In: Cybenko, G., Pym, D., Fila, B. (eds) Graphical Models for Security. GraMSec 2018. Lecture Notes in Computer Science(), vol 11086. Springer, Cham. https://doi.org/10.1007/978-3-030-15465-3_7
DOI: https://doi.org/10.1007/978-3-030-15465-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-15464-6
Online ISBN: 978-3-030-15465-3