A State Machine System for Insider Threat Detection

Conference paper. Graphical Models for Security (GraMSec 2018).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11086)

Abstract

The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity. In this paper we propose a system complementary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it to ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimal computational time and memory.


References

  1. Agrafiotis, I., Erola, A., Goldsmith, M., Creese, S.: Formalising policies for insider-threat detection: a tripwire grammar. J. Wirel. Mob. Netw. Ubiquit. Comput. Dependable Appl. (JoWUA) 8(1), 26–43 (2017)

  2. Agrafiotis, I., Erola, A., Happa, J., Goldsmith, M., Creese, S.: Validating an insider threat detection system: a real scenario perspective. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 286–295. IEEE (2016)

  3. Agrafiotis, I., Nurse, J.R., Buckley, O., Legg, P., Creese, S., Goldsmith, M.: Identifying attack patterns for insider threat detection. Comput. Fraud Secur. 2015(7), 9–17 (2015)

  4. Arulampalam, M.S., Maskell, S., Gordon, N., Clapp, T.: A tutorial on particle filters for online nonlinear/non-Gaussian Bayesian tracking. IEEE Trans. Sig. Process. 50(2), 174–188 (2002)

  5. Bishop, M., et al.: Insider threat identification by process analysis. In: 2014 IEEE Security and Privacy Workshops (SPW), pp. 251–264. IEEE (2014)

  6. Bostock, M.: D3.js. Data Driven Doc. 492, 701 (2012)

  7. Brdiczka, O., et al.: Proactive insider threat detection through graph learning and psychological context. In: 2012 IEEE Symposium on Security and Privacy Workshops (SPW), pp. 142–149. IEEE (2012)

  8. Gemalto’s Breach Level Index: Data breach database and risk assessment calculator (2016). http://www.breachlevelindex.com/

  9. Buford, J.F., Lewis, L., Jakobson, G.: Insider threat detection using situation-aware MAS. In: 2008 11th International Conference on Information Fusion, pp. 1–8. IEEE (2008)

  10. Cappelli, D.M., Moore, A.P., Trzeciak, R.F.: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). Addison-Wesley, Boston (2012)

  11. Chen, Y., Malin, B.: Detection of anomalous insiders in collaborative environments via relational analysis of access logs. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 63–74. ACM (2011)

  12. Eberle, W., Graves, J., Holder, L.: Insider threat detection using a graph-based approach. J. Appl. Secur. Res. 6(1), 32–81 (2010)

  13. Fedosejev, A.: React.js Essentials. Packt Publishing Ltd., Birmingham (2015)

  14. Health Professions Education Unit United Kingdom: Ponemon cyber crime report: it, computer and internet security (2015). http://www8.hp.com/uk/en/software-solutions/ponemon-cyber-security-report/

  15. Magklaras, G., Furnell, S.: Insider threat prediction tool: evaluating the probability of IT misuse. Comput. Secur. 21(1), 62–73 (2001)

  16. Moore, A.P., Cappelli, D., Caron, T.C., Shaw, E.D., Spooner, D., Trzeciak, R.F.: A preliminary model of insider theft of intellectual property (2011)

  17. Moore, A.P., Cappelli, D.M., Trzeciak, R.F.: The “Big Picture” of insider IT sabotage across U.S. critical infrastructures. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security, pp. 17–52. Springer, Heidelberg (2008). https://doi.org/10.1007/978-0-387-77322-3_3

  18. Myers, J., Grimaila, M.R., Mills, R.F.: Towards insider threat detection using web server logs. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, p. 54. ACM (2009)

  19. Nurse, J.R., et al.: Understanding insider threat: a framework for characterising attacks. In: 2014 IEEE Security and Privacy Workshops (SPW), pp. 214–228. IEEE (2014)

  20. Nurse, J.R.C., et al.: A critical reflection on the threat from human insiders – its nature, industry perceptions, and detection approaches. In: Tryfonas, T., Askoxylakis, I. (eds.) HAS 2014. LNCS, vol. 8533, pp. 270–281. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07620-1_24

  21. Parveen, P., Thuraisingham, B.: Unsupervised incremental sequence learning for insider threat detection. In: 2012 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 141–143. IEEE (2012)

  22. Rashid, T., Agrafiotis, I., Nurse, J.R.: A new take on detecting insider threats: exploring the use of hidden Markov models. In: Proceedings of the 2016 International Workshop on Managing Insider Security Threats, pp. 47–56. ACM (2016)

  23. ISACA and RSA Conference: State of Cybersecurity: implications for 2015 (2015). http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf

  24. Sarkar, K.R.: Assessing insider threats to information security using technical, behavioural and organisational measures. Inf. Secur. Tech. Rep. 15(3), 112–133 (2010)

  25. Tilkov, S., Vinoski, S.: Node.js: using Javascript to build high-performance network programs. IEEE Internet Comput. 14(6), 80–83 (2010)

  26. Upton, D.M., Creese, S.: The danger from within. Harv. Bus. Rev. 92(9), 94–101 (2014)

  27. Young, W.T., Memory, A., Goldberg, H.G., Senator, T.E.: Detecting unknown insider threat scenarios. In: 2014 IEEE Security and Privacy Workshops, pp. 277–288, May 2014. https://doi.org/10.1109/SPW.2014.42

Corresponding author

Correspondence to Haozhe Zhang.

Appendices

Appendix 1.A Dataset for Every Scenario

The detection system can have access to both raw data logs and alerts from anomaly detection systems. In our evaluation, these datasets contain both the organisation's logs and the alerts generated by the CITD system, which are in the same format as the other logs. The logs in each dataset are stored as files, including

  • , which are the alerts generated by the CITD system,

  • , which records the target addresses of emails sent by the users,

  • , which records the login and logout history of the users,

  • , which contains the paths of files accessed by the users,

  • , which records the URLs of websites accessed by the users,

  • and , which contains USB activity (inserted, removed).

Each row is composed of the attributes , , and , which refer to the user's id, the time when the log entry was generated, the device's id and the behaviour of the user recorded by this entry. An example of a row in the is:

figure a

Alert logs store the alert information in and the severity of the alert in the extended attribute , which can be “Green”, “Yellow” or “Red”, as explained in [2]. An example of an alert row is:

figure b

The files for a scenario are merged and sorted according to their , so that each scenario has a single file containing all the logs from oldest to newest. In addition to the logs, information about the employees and the duties of their occupational roles is also provided for each dataset. This information can be used to build novel attack patterns or to refine existing ones. For example, we may want to add a step that fires when any employee accesses a sensitive file whose path or name contains admin.

Fig. 8. The attack pattern which generated an alert in our scenario.

Appendix 1.B Attack Patterns

Figure 8 shows the attack pattern which raised an alert for the scenario explained in detail in Sect. 4. The labels next to the transitions give the ids of the original attack steps in [3] and brief descriptions of how each transition is implemented. For example, the transition from \(S_0\) to \(S_1\) in Fig. 8 corresponds to the attack step in which the insider logs in to the organisation's system using their own credentials; it is implemented by capturing the login-system logs with value .

Figure 9 highlights the trace followed by the insider; the thickness of each arrow represents how frequently that transition was taken.

Fig. 9. The attack path which the insider followed in Scenario 1 (Color figure online).

Appendix 1.C Pattern Editor

Figure 10 presents the pattern editor interface and illustrates how analysts can design novel attack patterns directly, without changing the tool's code.

Fig. 10. The interface of the pattern editor.
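The three appendices together describe a pipeline: per-source log files and CITD alerts in one row format, merged and time-sorted per scenario (Appendix 1.A); a state machine whose transitions are guarded by conditions on those rows, with the insider's trace and per-transition frequencies recovered afterwards (Appendix 1.B); and patterns expressed as data that an analyst edits rather than code (Appendix 1.C). The following is an added example written for this page, not the authors' tool or dataset: the `user|time|device|activity[;severity=X]` row layout, the source names `login`, `file`, `usb` and `alert`, the guard keys accepted by `make_guard`, the sample rows and the four-step pattern are all assumptions constructed here, and the transition labels are descriptive only, not the attack-step ids of [3].

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample rows, one list per log source (not from the paper's
# datasets). Source names and the user|time|device|activity[;severity=X]
# layout are assumptions made for this example.
RAW_LOGS: Dict[str, List[str]] = {
    "login": ["U1|2018-03-01T08:55:00|PC-01|login:own_credentials",
              "U2|2018-03-01T09:02:00|PC-02|login:own_credentials"],
    "file":  ["U1|2018-03-01T09:10:00|PC-01|open:/shared/admin/payroll.xlsx",
              "U2|2018-03-01T09:12:00|PC-02|open:/shared/marketing/plan.docx"],
    "usb":   ["U1|2018-03-01T09:20:00|PC-01|usb:inserted"],
    "alert": ["U1|2018-03-01T09:25:00|PC-01|anomaly:unusual_file_volume;severity=Red"],
}

@dataclass(frozen=True)
class Event:
    source: str                      # log file the row came from
    user: str
    time: datetime
    device: str
    activity: str
    severity: Optional[str] = None   # only alert rows carry Green/Yellow/Red

def parse_row(source: str, row: str) -> Event:
    """Split one row into its attributes; the optional ';severity=' suffix
    plays the role of the alert log's extended severity attribute."""
    user, ts, device, rest = row.split("|", 3)
    activity, _, extra = rest.partition(";")
    severity = extra[len("severity="):] if extra.startswith("severity=") else None
    return Event(source, user, datetime.fromisoformat(ts), device, activity, severity)

def merge_logs(raw: Dict[str, List[str]]) -> List[Event]:
    """Merge every per-source file of a scenario and sort oldest to newest."""
    events = [parse_row(src, row) for src, rows in raw.items() for row in rows]
    return sorted(events, key=lambda e: e.time)

def make_guard(spec: dict) -> Callable[[Event], bool]:
    """Compile a declarative guard into a predicate, so a pattern is data an
    analyst can edit rather than code. The supported keys are an assumption."""
    def guard(e: Event) -> bool:
        if e.source != spec["source"]:
            return False
        if "activity_equals" in spec and e.activity != spec["activity_equals"]:
            return False
        if "activity_contains" in spec and spec["activity_contains"] not in e.activity.lower():
            return False
        if "severity" in spec and e.severity != spec["severity"]:
            return False
        return True
    return guard

# Constructed pattern in the style of Fig. 8; labels are not the step ids of [3].
PATTERN = [
    {"from": "S0", "to": "S1", "label": "login with own credentials",
     "guard": {"source": "login", "activity_equals": "login:own_credentials"}},
    {"from": "S1", "to": "S2", "label": "access a file with 'admin' in its path or name",
     "guard": {"source": "file", "activity_contains": "admin"}},
    {"from": "S2", "to": "S3", "label": "insert a USB device",
     "guard": {"source": "usb", "activity_equals": "usb:inserted"}},
    {"from": "S3", "to": "S4", "label": "Red alert from the anomaly detector",
     "guard": {"source": "alert", "severity": "Red"}},
]
FINAL_STATE = "S4"

def run_pattern(events: List[Event], pattern: List[dict], final: str = FINAL_STATE):
    """Drive one state machine per user over the time-sorted events.
    Returns (alerts, trace): the users that reached the final state with the
    time they did so, and per user the (from, to, label, time) steps taken."""
    by_state: Dict[str, List[Tuple[dict, Callable[[Event], bool]]]] = {}
    for t in pattern:
        by_state.setdefault(t["from"], []).append((t, make_guard(t["guard"])))
    state: Dict[str, str] = {}
    trace: Dict[str, List[Tuple[str, str, str, datetime]]] = {}
    alerts: List[Tuple[str, datetime]] = []
    for ev in events:
        cur = state.get(ev.user, "S0")
        if cur == final:
            continue                  # this user has already raised an alert
        for t, guard in by_state.get(cur, []):
            if guard(ev):
                state[ev.user] = t["to"]
                trace.setdefault(ev.user, []).append((cur, t["to"], t["label"], ev.time))
                if t["to"] == final:
                    alerts.append((ev.user, ev.time))
                break
    return alerts, trace

def transition_counts(trace) -> Dict[Tuple[str, str], int]:
    """How often each edge was taken across all users (the arrow thickness of Fig. 9)."""
    counts: Dict[Tuple[str, str], int] = {}
    for steps in trace.values():
        for frm, to, _, _ in steps:
            counts[(frm, to)] = counts.get((frm, to), 0) + 1
    return counts

if __name__ == "__main__":
    found, paths = run_pattern(merge_logs(RAW_LOGS), PATTERN)
    for user, when in found:
        print(f"ALERT {user} at {when}: " + " -> ".join(s[1] for s in paths[user]))
    print(transition_counts(paths))
```

On the constructed rows, U1 walks S0 through S4 and raises an alert at the Red anomaly alert, while U2 logs in but never touches an `admin` path and so stays in S1; the edge counts show the S0→S1 transition taken twice and every later edge once, which is the information Fig. 9 encodes as arrow thickness. Because guards are plain dictionaries, the step suggested in Appendix 1.A (flag access to files whose path or name contains `admin`) is one more entry in `PATTERN`, not a code change. Note that this matcher keeps only one active state per user; a pattern that should tolerate steps out of order or several concurrent partial matches would need a set of states per user instead.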

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Zhang, H., Agrafiotis, I., Erola, A., Creese, S., Goldsmith, M. (2019). A State Machine System for Insider Threat Detection. In: Cybenko, G., Pym, D., Fila, B. (eds) Graphical Models for Security. GraMSec 2018. Lecture Notes in Computer Science, vol 11086. Springer, Cham. https://doi.org/10.1007/978-3-030-15465-3_7

  • DOI: https://doi.org/10.1007/978-3-030-15465-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-15464-6

  • Online ISBN: 978-3-030-15465-3

  • eBook Packages: Computer Science (R0)
