DOI: 10.1145/1866886.1866897

Role-based differentiation for insider detection algorithms

Published: 08 October 2010

Abstract

Insider threat problems are widespread in industry today, resulting in large losses of intellectual property. Reputable reports assert that attacks from within an organization are on the rise, making detection of insider-based attacks a top priority. This paper evaluates the effectiveness of using role-based differentiation of user behavior as a tool in detecting insider attack behavior. This differentiation is natural in contexts where role-based access control (RBAC) mechanisms are in place. Using synthetically generated traffic (which puts the placement and intensity of insider behavior under experimental control), we train five different algorithms on "normal" behavior with and without RBAC differentiation, and measure the accuracy of detecting malicious behavior with and without RBAC as a function of insider behavior. We find that in some contexts RBAC differentiation significantly reduces detection errors. However, in our experiments two of the five algorithms had statistically significant increases in false positives under RBAC as opposed to non-RBAC. These increases are small compared to the very large gain in detection capability that RBAC brings, and we conclude that RBAC is very much worth considering as a tool for insider threat detection.
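As an added illustration of the abstract's argument (not code from the paper), the Python below trains a pooled "non-RBAC" baseline and per-role "RBAC" baselines on constructed session records and scores new sessions against each. The detector is a simple per-feature z-score model rather than any of the paper's five algorithms; the roles, feature names, sample values and the threshold of 3 are all assumptions chosen for the example.

```python
"""Pooled vs. per-role behaviour baselines for insider anomaly detection.

Constructed example: a per-feature z-score detector, not the paper's algorithms.
Shows (a) an insider session that looks normal against the pooled baseline but
anomalous against its own role's baseline, and (b) the flip side: a mildly
unusual but benign session that only the tighter per-role baseline flags.
"""
from statistics import mean, pstdev

# Constructed training data (assumed roles and features):
# (role, (files_read, db_queries, offhour_logins)) per observed "normal" session.
NORMAL_SESSIONS = [
    ("hr", (4, 1, 0)), ("hr", (6, 2, 0)), ("hr", (5, 2, 1)), ("hr", (3, 1, 0)),
    ("dev", (48, 35, 2)), ("dev", (55, 42, 1)), ("dev", (50, 38, 3)), ("dev", (47, 40, 2)),
]


def fit(sessions):
    """Per-feature (mean, population std) over the feature vectors in `sessions`."""
    columns = list(zip(*[features for _, features in sessions]))
    return [(mean(col), pstdev(col)) for col in columns]


def score(model, features):
    """Largest absolute z-score across features; higher means more anomalous.
    A zero std (constant feature in training) falls back to 1 to avoid division by zero."""
    return max(abs(x - m) / (sd if sd > 0 else 1.0) for x, (m, sd) in zip(features, model))


def build_models(sessions):
    """One pooled model over all roles, plus one model per role (the RBAC split)."""
    pooled = fit(sessions)
    roles = {role for role, _ in sessions}
    by_role = {r: fit([s for s in sessions if s[0] == r]) for r in roles}
    return pooled, by_role


def detect(sessions, role, features, threshold=3.0):
    """Return whether the session is flagged by the pooled and by the role model."""
    pooled, by_role = build_models(sessions)
    return {
        "pooled": score(pooled, features) > threshold,
        "rbac": score(by_role[role], features) > threshold,
    }


if __name__ == "__main__":
    # HR user behaving like a developer: normal in the pooled view, anomalous for HR.
    print("hr insider:", detect(NORMAL_SESSIONS, "hr", (50, 40, 2)))
    # Slightly busy but benign HR session: the small per-role sample makes it a false positive.
    print("hr benign:", detect(NORMAL_SESSIONS, "hr", (8, 3, 1)))
```

The second case shows the false-positive trade-off the abstract reports: per-role baselines are estimated from fewer samples, so their variance is tighter and ordinary fluctuations are more easily flagged.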

Cited By

  • (2018) Towards Adaptive Access Control. Data and Applications Security and Privacy XXXII, pp. 99-109, DOI 10.1007/978-3-319-95729-6_7. Online publication date: 10 Jul 2018.

Published In

Insider Threats '10: Proceedings of the 2010 ACM workshop on Insider threats
October 2010, 70 pages
ISBN: 9781450300926
DOI: 10.1145/1866886
General Chair: Ehab Al-Shaer
Program Chairs: Brent Lagesse, Craig Shue
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. data mining algorithms
  2. insider detection algorithms
  3. insider threat
  4. role based access

Qualifiers

  • Research-article

Conference

CCS '10

Acceptance Rates

Insider Threats '10 Paper Acceptance Rate: 7 of 14 submissions, 50%
Overall Acceptance Rate: 7 of 14 submissions, 50%
