DOI: 10.1145/2179298.2179386
research-article

Anomaly detection in multiple scale for insider threat analysis

Published: 12 October 2011

ABSTRACT

Insiders now pose the greatest risk to organizations' information infrastructure when they have the incentive, opportunity, rationalization and the capability to circumvent rules. Cost estimates approach $1000 B/year from modification of data, security mechanisms, unauthorized network connections, covert channels, and physical damage and destruction including information extrusion/exfiltration.

We propose a method to quantify malicious insider activity with statistical and graph-based analysis aided by semantic scoring rules. Different types of personal activities or interactions are monitored to form a set of directed weighted graphs. The semantic scoring rules assign higher scores to events that are more significant or suspicious. From these we build personal activity profiles in the form of score tables. Profiles are created at multiple scales, where the low-level profiles are aggregated toward more stable higher-level profiles within the subject or object hierarchy.

Further, the profiles are created at different time scales such as day, week, or month. During operation, the insider's current activity profile is compared to the historical profiles to produce an anomaly score. For each subject with a high anomaly score, a subgraph of connected subjects is extracted to look for any related score movement. Finally, the subjects are ranked by their anomaly scores to help analysts focus on high-scoring subjects. In this research, we show the framework of the proposed system and the operational algorithms.
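The pipeline the abstract describes (semantic scoring rules, per-day directed weighted graphs, score-table profiles aggregated from days to weeks, an anomaly score from comparing the current profile with history, a subgraph of connected subjects, and a final ranking) can be sketched end to end in a few dozen lines. The following is an added illustration written for this page, not the paper's own code or data: the scoring rules, the after-hours multiplier, the positive-z-score anomaly measure and the event log are all constructed assumptions chosen to make the steps concrete.

```python
"""Toy multi-scale anomaly scoring for insider-threat analysis (added example).

Every scoring rule, action category and log line below is constructed for
illustration; none of it comes from the paper.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Semantic scoring rules (assumed): more sensitive actions score higher and
# an after-hours flag multiplies the score of the event.
ACTION_SCORE = {"read": 1.0, "write": 2.0, "delete": 4.0, "copy_out": 8.0}
AFTER_HOURS_FACTOR = 2.0


def score_event(action, after_hours):
    return ACTION_SCORE[action] * (AFTER_HOURS_FACTOR if after_hours else 1.0)


def build_daily_graphs(events):
    """{day: {(subject, object): weight}} -- one directed weighted graph per day."""
    graphs = defaultdict(lambda: defaultdict(float))
    for day, subj, obj, action, after_hours in events:
        graphs[day][(subj, obj)] += score_event(action, after_hours)
    return graphs


def daily_profiles(events):
    """Lowest-level profile: a score table {action: total} per (subject, day)."""
    prof = defaultdict(lambda: defaultdict(float))
    for day, subj, _obj, action, after_hours in events:
        prof[(subj, day)][action] += score_event(action, after_hours)
    return prof


def aggregate(profiles, days_per_bucket):
    """Roll daily score tables up into coarser buckets (7 days -> weekly profile)."""
    agg = defaultdict(lambda: defaultdict(float))
    for (subj, day), table in profiles.items():
        for action, s in table.items():
            agg[(subj, day // days_per_bucket)][action] += s
    return agg


def anomaly_score(current, history):
    """Sum of positive z-scores of the current table against historical tables.

    Only upward deviations count: doing less than usual is not suspicious here.
    """
    total = 0.0
    for action in ACTION_SCORE:
        hist = [h.get(action, 0.0) for h in history]
        mu, sd = mean(hist), pstdev(hist)
        sd = sd if sd > 0 else 1.0  # constant history: fall back to raw difference
        total += max(0.0, (current.get(action, 0.0) - mu) / sd)
    return total


def rank_subjects(events, days_per_bucket, current_bucket):
    """Score every subject's current bucket against its earlier buckets and rank."""
    buckets = aggregate(daily_profiles(events), days_per_bucket)
    scores = {}
    for subj in {s for s, _ in buckets}:
        history = [t for (s, b), t in buckets.items() if s == subj and b < current_bucket]
        if history:  # no baseline yet -> cannot score
            scores[subj] = anomaly_score(buckets.get((subj, current_bucket), {}), history)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def connected_subjects(graphs, subject, bucket, days_per_bucket):
    """Subjects sharing an object with `subject` in the bucket (the related subgraph)."""
    days = range(bucket * days_per_bucket, (bucket + 1) * days_per_bucket)
    objs = {o for d in days for (s, o) in graphs.get(d, {}) if s == subject}
    return {s for d in days for (s, o) in graphs.get(d, {}) if o in objs and s != subject}


def constructed_events():
    """Constructed 3-week log: (day, subject, object, action, after_hours)."""
    ev = []
    for day in range(21):
        ev += [(day, "alice", "wiki", "read", False), (day, "alice", "repo", "write", False),
               (day, "bob", "repo", "read", False), (day, "carol", "wiki", "read", False)]
    # Week 2: bob starts copying a sensitive store out after hours and deletes from the repo.
    ev += [(d, "bob", "customer_db", "copy_out", True) for d in (15, 16, 18)]
    ev.append((17, "bob", "repo", "delete", True))
    return ev


if __name__ == "__main__":
    events = constructed_events()
    ranking = rank_subjects(events, days_per_bucket=7, current_bucket=2)
    top, top_score = ranking[0]
    peers = connected_subjects(build_daily_graphs(events), top, 2, 7)
    print("ranking:", ranking)
    print(f"subgraph around {top}: {sorted(peers)} "
          f"with scores {[dict(ranking).get(p, 0.0) for p in sorted(peers)]}")
```

In the constructed log, bob's week-2 profile scores 56.0 (three after-hours copy-outs at 16 each plus one after-hours delete at 8, against a zero baseline) while alice and carol stay at 0.0, and the extracted subgraph around bob contains only alice, who shares the `repo` object and shows no score movement of her own.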

Published in: CSIIRW '11: Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, October 2011, 18 pages, ISBN 9781450309455, DOI 10.1145/2179298

        Copyright © 2011 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


