ABSTRACT
It has long been recognized that solutions to the insider threat are mainly user-centric, and several psychological and psychosocial models have been proposed. However, the user behavior underlying these malicious acts is still not fully understood, which motivates further investigation at the neuro-physiological level. In this work, we conduct a multi-modal study of how a user's brain processes malicious and benign activities. In particular, we focus on Electroencephalogram (EEG) signals that arise from the user's brain activity and on eye tracking, both of which can capture spontaneous responses that are unfiltered by the conscious mind. We conduct human-subject experiments to capture the EEG signals of a group of 25 participants while they perform several computer-based activities in different scenarios. We analyze the EEG signals and the eye tracking data, extract features, and evaluate our approach using several classifiers. The results show that our approach achieved an average accuracy of 99.77% in detecting the malicious insider using the EEG data of 256 channels (sensors) and an average detection accuracy of up to 95.64% using only five channels (sensors). The results show an average detection accuracy of up to 83% using the eye movement and pupil behavior data. In general, our results indicate that human EEG signals and eye tracking data can reveal valuable knowledge about a user's malicious intent and can be used as an effective indicator in designing real-time insider threat monitoring and detection frameworks.