ABSTRACT
Insiders now pose the greatest risk to organizations' information infrastructure when they have the incentive, opportunity, rationalization and capability to circumvent rules. Cost estimates approach $1000 B/year from modification of data and security mechanisms, unauthorized network connections, covert channels, and physical damage and destruction, including information extrusion/exfiltration.
We propose a method to quantify malicious insider activity with statistical and graph-based analysis aided by semantic scoring rules. Different types of personal activities or interactions are monitored to form a set of directed weighted graphs. The semantic scoring rules assign higher scores to events that are more significant or suspicious. We then build personal activity profiles in the form of score tables. Profiles are created at multiple scales, where low-level profiles are aggregated toward more stable higher-level profiles within the subject or object hierarchy.
Further, the profiles are created at different time scales such as day, week, or month. During operation, the insider's current activity profile is compared to the historical profiles to produce an anomaly score. For each subject with a high anomaly score, a subgraph of connected subjects is extracted to look for any related score movement. Finally, the subjects are ranked by their anomaly scores to help analysts focus on high-scoring subjects. In this research, we show the framework of the proposed system and the operational algorithms.
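The abstract describes a pipeline (events scored by semantic rules, directed weighted graphs per activity type, score-table profiles rolled up over time and over the subject hierarchy, an anomaly score against history, a connected-subject subgraph, and a ranking) without giving its algorithms. The following is an added toy implementation written for this page, not code from the paper; the score weights, the department hierarchy, the smoothing constant in the anomaly score, and all events are constructed assumptions, and the anomaly measure (distance from the historical mean in units of spread) is one plausible choice, not the authors' definition.

```python
"""Toy version of the multi-scale profile/anomaly pipeline sketched in the
abstract. Everything below (events, weights, hierarchy, smoothing) is
constructed for illustration and is not taken from the paper."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical semantic scoring rules: more suspicious event kinds score higher.
SCORE_RULES = {"read": 1.0, "write": 2.0, "after_hours_login": 4.0, "copy_usb": 5.0}
# Hypothetical subject hierarchy (subject -> department) for profile roll-up.
DEPARTMENT = {"alice": "sales", "bob": "sales", "carol": "eng"}

# Constructed sample events: (day, subject, action, object).
# Days 1-7 form the history; day 8 is the period under review.
EVENTS = []
for day in range(1, 8):
    EVENTS += [(day, "alice", "read", "wiki"), (day, "alice", "read", "crm"),
               (day, "bob", "read", "crm"), (day, "bob", "write", "crm"),
               (day, "carol", "read", "wiki")]
    if day % 2 == 0:                      # bob's baseline varies a little
        EVENTS.append((day, "bob", "write", "repo"))
EVENTS += [(8, "alice", "read", "wiki"), (8, "alice", "after_hours_login", "vpn"),
           (8, "alice", "copy_usb", "crm"), (8, "bob", "read", "crm"),
           (8, "bob", "write", "crm"), (8, "bob", "copy_usb", "crm"),
           (8, "carol", "read", "wiki")]


def build_graphs(events):
    """One directed weighted graph per activity type; edge subject->object,
    weight = summed semantic score of the events on that edge."""
    graphs = defaultdict(lambda: defaultdict(float))
    for _day, subj, action, obj in events:
        graphs[action][(subj, obj)] += SCORE_RULES[action]
    return graphs


def daily_profiles(events):
    """Lowest-level score tables: profiles[(subject, day)][action] = summed score."""
    profiles = defaultdict(lambda: defaultdict(float))
    for day, subj, action, _obj in events:
        profiles[(subj, day)][action] += SCORE_RULES[action]
    return profiles


def aggregate(profiles, key):
    """Roll low-level profiles up to a coarser key: week instead of day, or
    department instead of subject. Scores of merged rows are summed."""
    out = defaultdict(lambda: defaultdict(float))
    for (subj, day), table in profiles.items():
        for action, score in table.items():
            out[key(subj, day)][action] += score
    return out


def anomaly_score(current, history, smoothing=1.0):
    """Distance of the current total score from the historical totals, in units
    of spread. `smoothing` (an assumption) keeps a perfectly constant history
    from producing a division by zero."""
    hist = [sum(t.values()) for t in history]
    return (sum(current.values()) - mean(hist)) / (pstdev(hist) + smoothing)


def subject_anomalies(profiles, current_day):
    """Anomaly score for every subject, comparing current_day to earlier days."""
    subjects = {s for s, _ in profiles}
    scores = {}
    for s in subjects:
        history = [t for (subj, d), t in profiles.items() if subj == s and d < current_day]
        scores[s] = anomaly_score(profiles[(s, current_day)], history)
    return scores


def connected_subjects(graphs, subject):
    """Subgraph neighbourhood: subjects that share an object with `subject` in
    any activity graph (candidates for checking related score movement)."""
    objs = {o for g in graphs.values() for (s, o) in g if s == subject}
    return {s for g in graphs.values() for (s, o) in g if o in objs and s != subject}


def rank_subjects(scores):
    """Highest anomaly score first, so analysts can start at the top."""
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    profiles = daily_profiles(EVENTS)
    scores = subject_anomalies(profiles, current_day=8)
    for s in rank_subjects(scores):
        print(f"{s:6s} anomaly={scores[s]:.2f} connected={sorted(connected_subjects(build_graphs(EVENTS), s))}")
    weekly = aggregate(profiles, lambda s, d: (s, (d - 1) // 7 + 1))
    by_dept = aggregate(profiles, lambda s, d: (DEPARTMENT[s], d))
    print("alice week 1:", dict(weekly[("alice", 1)]))
    print("sales day 8:", dict(by_dept[("sales", 8)]))
```

With the constructed data, alice's day-8 score (a USB copy plus an after-hours login) sits far above her flat history, bob's single USB copy moves him moderately, and carol is unchanged; the same `aggregate` function serves both the time-scale roll-up (day to week) and the hierarchy roll-up (subject to department) that the abstract describes.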
Anomaly detection in multiple scale for insider threat analysis