DOI: 10.1145/3139923.3139930
research-article

A Multi-Modal Neuro-Physiological Study of Malicious Insider Threats

Published: 30 October 2017

ABSTRACT

It has long been recognized that solutions to insider threat are mainly user-centric, and several psychological and psychosocial models have been proposed. However, the user behavior underlying these malicious acts is still not fully understood, motivating further investigation at the neuro-physiological level. In this work, we conduct a multi-modal study of how the user's brain processes malicious and benign activities. In particular, we focus on using Electroencephalogram (EEG) signals that arise from the user's brain activities, and eye tracking, which can capture spontaneous responses that are unfiltered by the conscious mind. We conduct human study experiments to capture the EEG signals for a group of 25 participants while they perform several computer-based activities in different scenarios. We analyze the EEG signals and the eye tracking data, extract features, and evaluate our approach using several classifiers. The results show that our approach achieved an average accuracy of 99.77% in detecting the malicious insider using the EEG data of 256 channels (sensors) and an average detection accuracy of up to 95.64% using only five channels (sensors). The results show an average detection accuracy of up to 83% using the eye movement and pupil behavior data. In general, our results indicate that human EEG signals and eye tracking data can reveal valuable knowledge about a user's malicious intent and can be used as an effective indicator in designing real-time insider threat monitoring and detection frameworks.


        • Published in

          MIST '17: Proceedings of the 2017 International Workshop on Managing Insider Security Threats
          October 2017
          108 pages
          ISBN:9781450351775
          DOI:10.1145/3139923

          Copyright © 2017 ACM

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Acceptance Rates

          MIST '17 Paper Acceptance Rate: 7 of 18 submissions, 39%
          Overall Acceptance Rate: 21 of 54 submissions, 39%
