research-article

Public Access

Detecting Insider Threat from Enterprise Social and Online Activity Data

Authors:

Mudita SinghalAuthors Info & Claims

MIST '15: Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats

Pages 13 - 20

https://doi.org/10.1145/2808783.2808784

Published: 16 October 2015 Publication History

PDF eReader

Abstract

Insider threat is a significant security risk for organizations. In this paper, we attempt to discover insider threat by identifying abnormal behavior in enterprise social and online activity data of employees. To this end, we process and extract relevant features that are possibly indicative of insider threat behavior. This includes features extracted from social data including email communication patterns and content, and online activity data such as web browsing patterns, email frequency, and file and machine access patterns. Subsequently, we detect statistically abnormal behavior with respect to these features using state-of-the-art anomaly detection methods, and declare this abnormal behavior as a proxy for insider threat activity. We test our approach on a real world data set with artificially injected insider threat events. We obtain a ROC score of 0.77, which shows that our proposed approach is fairly successful in identifying insider threat events. Finally, we build a visualization dashboard that enables managers and HR personnel to quickly identify employees with high threat risk scores which will enable them to take suitable preventive measures and limit security risk.

References

[1]

William Eberle, Jeffrey Graves, and Lawrence Holder. Insider threat detection using a graph-based approach. Journal of Applied Security Research, 6(1):32--81, 2010.

Crossref

Google Scholar

[2]

Frank L Greitzer, Lars J Kangas, Christine F Noonan, and Angela C Dalton. Identifying at-risk employees: A behavioral model for predicting potential insider threats. Pacific Northwest National Laboratory Richland, WA, 2010.

Google Scholar

[3]

Miltiadis Kandias, Alexios Mylonas, Nikos Virvilis, Marianthi Theoharidou, and Dimitris Gritzalis. An insider threat prediction model. In Trust, privacy and security in digital business, pages 26--37. Springer, 2010.

Digital Library

Google Scholar

[4]

Fei Tony Liu, Kai Ming Ting, and Zhi-Hua Zhou. Isolation forest. In Data Mining, 2008. ICDM'08. Eighth IEEE International Conference on, pages 413--422. IEEE, 2008.

Digital Library

Google Scholar

[5]

Teresa F Lunt. A survey of intrusion detection techniques. Computers & Security, 12(4):405--418, 1993.

Digital Library

Google Scholar

[6]

GB Magklaras and SM Furnell. Insider threat prediction tool: Evaluating the probability of it misuse. Computers & Security, 21(1):62--73, 2001.

Digital Library

Google Scholar

[7]

Sunu Mathew, Michalis Petropoulos, Hung Q Ngo, and Shambhu Upadhyaya. A data-centric approach to insider attack detection in database systems. In Recent Advances in Intrusion Detection, pages 382--401. Springer, 2010.

Digital Library

Google Scholar

[8]

Alex Memory, Henry G Goldberg, and E Ted. Context-aware insider threat detection. In Workshops at the Twenty-Seventh AAAI Conference on Artificial Intelligence, 2013.

Google Scholar

[9]

Robert F Mills, Michael R Grimaila, Gilbert L Peterson, and Jonathan W Butts. A scenario-based approach to mitigating the insider threat. Technical report, DTIC Document, 2011.

Google Scholar

Cited By

View all

Gonzales OYang KHuang S(2025)Contextual Sequence-Based User Behavior Anomaly DetectionIEEE Access10.1109/ACCESS.2025.354350013(35539-35554)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3543500
Ojo DAl-Mhiqani MAl-Aqrabi HAl-Shehari T(2025)Evaluation of Machine Learning Algorithm and SMOTE for Insider Threat DetectionIntelligent Computing Systems10.1007/978-3-031-82931-4_23(303-318)Online publication date: 27-Feb-2025
https://doi.org/10.1007/978-3-031-82931-4_23
Song SGao NZhang YMa C(2024)BRITD: behavior rhythm insider threat detection with time awareness and user adaptationCybersecurity10.1186/s42400-023-00190-97:1Online publication date: 2-Jan-2024
https://doi.org/10.1186/s42400-023-00190-9
Show More Cited By

Index Terms

Detecting Insider Threat from Enterprise Social and Online Activity Data
1. Information systems
  1. Information systems applications
    1. Data mining

Recommendations

Towards Insider Threat Detection Using Psychophysiological Signals
MIST '15: Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats

Insider threat is one of the greatest concerns for the information security system that could cause greater financial losses and damages than any other attacks. Recently many studies have been proposed to monitor and detect the insider attacks. However, ...
Classification of Insider Threat Detection Techniques
CISRC '16: Proceedings of the 11th Annual Cyber and Information Security Research Conference

Most insider attacks done by people who have the knowledge and technical know-how of launching such attacks. This topic has long been studied and many detection techniques were proposed to deal with insider threats. This short paper summarized and ...
Multi-Domain Information Fusion for Insider Threat Detection
SPW '13: Proceedings of the 2013 IEEE Security and Privacy Workshops

Malicious insiders pose significant threats to information security, and yet the capability of detecting malicious insiders is very limited. Insider threat detection is known to be a difficult problem, presenting many research challenges. In this paper ...

Comments

Information & Contributors

Information

Published In

MIST '15: Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats

October 2015

90 pages

ISBN:9781450338240

DOI:10.1145/2808783

General Chairs:
Elisa Bertino
Purdue University, USA
,
Ilsun You
Soon Chun Hyang University, Republic of Korea

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Defense Advanced Research Projects Agency

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 16, 2015

Colorado, Denver, USA

Acceptance Rates

MIST '15 Paper Acceptance Rate 6 of 14 submissions, 43%;

Overall Acceptance Rate 21 of 54 submissions, 39%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

50
Total Citations
View Citations
1,536
Total Downloads

Downloads (Last 12 months)378
Downloads (Last 6 weeks)30

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Gonzales OYang KHuang S(2025)Contextual Sequence-Based User Behavior Anomaly DetectionIEEE Access10.1109/ACCESS.2025.354350013(35539-35554)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3543500
Ojo DAl-Mhiqani MAl-Aqrabi HAl-Shehari T(2025)Evaluation of Machine Learning Algorithm and SMOTE for Insider Threat DetectionIntelligent Computing Systems10.1007/978-3-031-82931-4_23(303-318)Online publication date: 27-Feb-2025
https://doi.org/10.1007/978-3-031-82931-4_23
Song SGao NZhang YMa C(2024)BRITD: behavior rhythm insider threat detection with time awareness and user adaptationCybersecurity10.1186/s42400-023-00190-97:1Online publication date: 2-Jan-2024
https://doi.org/10.1186/s42400-023-00190-9
Jordan AChen Y(2024)Security Anomaly Detection in Enterprise GitHubPractice and Experience in Advanced Research Computing 2024: Human Powered Computing10.1145/3626203.3670591(1-5)Online publication date: 17-Jul-2024
https://dl.acm.org/doi/10.1145/3626203.3670591
Tao XLu SZhao FLan RChen LFu LJia R(2024)User Behavior Threat Detection Based on Adaptive Sliding Window GANIEEE Transactions on Network and Service Management10.1109/TNSM.2024.335569821:2(2493-2503)Online publication date: Apr-2024
https://doi.org/10.1109/TNSM.2024.3355698
Gonzales OHuang SYang K(2024)Towards More Effective Insider Threat Countermeasures: A Survey of Approaches for Addressing Challenges and Limitations2024 IEEE International Systems Conference (SysCon)10.1109/SysCon61195.2024.10553441(1-8)Online publication date: 15-Apr-2024
https://doi.org/10.1109/SysCon61195.2024.10553441
Manoharan PYin JWang HZhang YYe W(2024)Insider Threat Detection: A Review2024 International Conference on Networking and Network Applications (NaNA)10.1109/NaNA63151.2024.00031(147-153)Online publication date: 9-Aug-2024
https://doi.org/10.1109/NaNA63151.2024.00031
Gökstorp SNyberg JKim YJohnson PDán G(2024)Anomaly Detection in Security Logs using Sequence ModelingNOMS 2024-2024 IEEE Network Operations and Management Symposium10.1109/NOMS59830.2024.10575561(1-9)Online publication date: 6-May-2024
https://doi.org/10.1109/NOMS59830.2024.10575561
Huang ZTang XLi HCao XCheng JTu WLiu L(2024)TabSec: A Collaborative Framework for Novel Insider Threat Detection2024 IEEE International Symposium on Parallel and Distributed Processing with Applications (ISPA)10.1109/ISPA63168.2024.00277(2030-2037)Online publication date: 30-Oct-2024
https://doi.org/10.1109/ISPA63168.2024.00277
Al-Shehari TRosaci DAl-Razgan MAlfakih TKadrie MAfzal HNawaz R(2024)Enhancing Insider Threat Detection in Imbalanced Cybersecurity Settings Using the Density-Based Local Outlier Factor AlgorithmIEEE Access10.1109/ACCESS.2024.337369412(34820-34834)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3373694
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Towards Insider Threat Detection Using Psychophysiological Signals

Classification of Insider Threat Detection Techniques

Multi-Domain Information Fusion for Insider Threat Detection