
Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs

  • Conference paper
  • Quantitative Evaluation of Systems (QEST 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10503)
Abstract

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.


Notes

  1. This implies that if \(e(v_1,v_2)\) exists, the backward edge \(e(v_2,v_1)\) also exists in G.

  2. This may apply to other systems too. E.g., a security guard doing rotations in a building belongs to \(q_1\), and a technical support staff member who goes to an office when his or her assistance is required belongs to \(q_2\).

  3. Although the Markov model imposes certain assumptions about the movement behavior, such as the memoryless property, it can be extended to include temporal and spatial correlations. We intend to explore these extensions in future work.
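The framework sketched in the abstract (learn a movement model from historical access-control logs, then score online movements against it together with the building layout), with the undirected layout graph of note 1 and the Markov assumption of note 3, as an added example that is not code from the paper: a first-order Markov model of zone-to-zone transitions is learned for one user from constructed badge-log lines, restricted to the edges of an undirected layout graph, and then used online to raise three kinds of alert. The zone names, the user, the log lines, the smoothing constant and the 0.1 probability floor are all assumptions made for this illustration; the paper selects models by contextual user class (note 2) rather than per user, and evaluates on real transit-station traces, neither of which is reproduced here.

```python
"""First-order Markov detection of anomalous movement in badge-access logs.

Added example, not code from the paper: transition probabilities between
building zones are learned from a user's historical access-control records,
restricted to the edges of an undirected layout graph, and then used to flag
online movements. All zone names, users and log lines are constructed.
"""
import math
from collections import defaultdict

# Constructed layout: each pair is one undirected edge, so the backward edge
# e(v2, v1) always exists as well (note 1).
LAYOUT_EDGES = [
    ("lobby", "corridor"), ("corridor", "office"), ("corridor", "control_room"),
    ("control_room", "server_room"), ("lobby", "platform"),
]

# Constructed historical badge log: "timestamp,user,zone_entered" per line.
HISTORY = """\
2017-03-01T08:00:00,alice,lobby
2017-03-01T08:01:00,alice,corridor
2017-03-01T08:02:00,alice,office
2017-03-01T17:00:00,alice,corridor
2017-03-01T17:01:00,alice,lobby
2017-03-02T08:00:00,alice,lobby
2017-03-02T08:01:00,alice,corridor
2017-03-02T08:02:00,alice,office
2017-03-02T17:00:00,alice,corridor
2017-03-02T17:01:00,alice,lobby
"""


def build_layout(edges):
    """Adjacency map of the building with every edge stored in both directions."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return {zone: frozenset(nbrs) for zone, nbrs in adj.items()}


def parse_log(text):
    """Zone sequence per user in timestamp order (ISO 8601 sorts lexically)."""
    per_user = defaultdict(list)
    for line in text.strip().splitlines():
        ts, user, zone = line.split(",")
        per_user[user].append((ts, zone))
    return {u: [zone for _, zone in sorted(v)] for u, v in per_user.items()}


def learn_markov(seq, layout, alpha=0.5):
    """Additively smoothed transition probabilities over layout edges only.

    Returns (probs, seen): probs[src][dst] for every layout edge, and the set
    of zones the user was actually observed leaving. Smoothing keeps rare but
    legal moves from scoring as impossible; illegal moves get no mass at all.
    """
    counts = defaultdict(lambda: defaultdict(float))
    for src, dst in zip(seq, seq[1:]):
        if dst in layout.get(src, ()):
            counts[src][dst] += 1.0
    seen = {src for src, out in counts.items() if out}
    probs = {}
    for src, nbrs in layout.items():
        total = sum(counts[src].values()) + alpha * len(nbrs)
        probs[src] = {d: (counts[src].get(d, 0.0) + alpha) / total for d in nbrs}
    return probs, seen


def score_sequence(probs, seen, layout, seq, floor=0.1):
    """Score an online zone sequence; returns (alerts, negative log-likelihood).

    Each alert is (src, dst, reason): 'impossible' for a move that is not a
    layout edge (tailgating, a cloned badge or a gap in the log), 'no_history'
    when the user was never observed leaving src so only the uniform prior
    applies, 'unusual' for a legal move whose probability is below `floor`.
    """
    alerts, nll = [], 0.0
    for src, dst in zip(seq, seq[1:]):
        if dst not in layout.get(src, ()):
            alerts.append((src, dst, "impossible"))
            continue
        p = probs[src][dst]
        nll -= math.log(p)
        if src not in seen:
            alerts.append((src, dst, "no_history"))
        elif p < floor:
            alerts.append((src, dst, "unusual"))
    return alerts, nll


def detect(history_text, layout_edges, user, observed, floor=0.1):
    """Learn from `user`'s history, then score the `observed` online sequence."""
    layout = build_layout(layout_edges)
    probs, seen = learn_markov(parse_log(history_text).get(user, []), layout)
    return score_sequence(probs, seen, layout, observed, floor)


if __name__ == "__main__":
    # A rarely taken but legal path into the server room, then a skipped zone.
    print(detect(HISTORY, LAYOUT_EDGES, "alice",
                 ["lobby", "corridor", "control_room", "server_room"]))
    print(detect(HISTORY, LAYOUT_EDGES, "alice", ["lobby", "office"]))
```

Two caveats a deployment would have to address. The `no_history` reason exists because additive smoothing alone hides a coverage gap: a zone the user has never left gets a uniform prior, so a first-ever trip from the control room into the server room would otherwise score as a coin flip rather than as something new. And, as note 3 says, the model is memoryless: it cannot tell a routine corridor-to-office move from the same move made for the fifth time in an hour, so dwell times and longer paths need either a higher-order model or the temporal extensions the authors leave for future work.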


Acknowledgements

This work was supported in part by the National Research Foundation (NRF), Prime Minister’s Office, Singapore, under its National Cybersecurity R&D Programme (Award No. NRF2014NCR-NCR001-31) and administered by the National Cybersecurity R&D Directorate, and supported in part by the research grant for the Human-Centered Cyber-physical Systems Programme at the Advanced Digital Sciences Center from Singapore’s Agency for Science, Technology and Research (A*STAR). This work was partly done when Carmen Cheh was a research intern at ADSC. We also want to thank the experts from SMRT Trains LTD for providing us data and domain knowledge.

Corresponding author

Correspondence to Carmen Cheh .


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Cheh, C., Chen, B., Temple, W.G., Sanders, W.H. (2017). Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs. In: Bertrand, N., Bortolussi, L. (eds) Quantitative Evaluation of Systems. QEST 2017. Lecture Notes in Computer Science, vol 10503. Springer, Cham. https://doi.org/10.1007/978-3-319-66335-7_17


  • DOI: https://doi.org/10.1007/978-3-319-66335-7_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66334-0

  • Online ISBN: 978-3-319-66335-7

  • eBook Packages: Computer Science (R0)
