Insider threat event detection in user-system interactions

Pablo Moriano, Jared Pendleton, Steven Rich, L. Jean Camp

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

15 Scopus citations

Abstract

Detection of insider threats relies on monitoring individuals and their interactions with organizational resources. Identification of anomalous insiders typically relies on supervised learning models that use labeled data. However, such labeled data is not easily obtainable: the labeled data that does exist is limited by current insider threat detection methods, and insiders who were never detected are not included in it. These models also inherently assume that the insider threat does not evolve rapidly between the time a model is generated and the time it is used for detection. Yet a large body of research shows that the insider threat changes significantly after certain precipitating events, such as layoffs, significant restructuring, and plant or facility closure. To capture this temporal evolution of user-system interactions, we use an unsupervised learning framework to evaluate whether potential insider threat events are triggered following precipitating events. The analysis leverages a bipartite graph of user and system interactions. Our empirical results show a clear correlation between precipitating events and the number of apparent anomalies, that is, a clear shift in behavior after the kinds of events previously shown to increase insider activity. We argue that this metadata about the level of insider threat behavior validates the potential of the approach. We apply our method to a dataset of interactions between engineers and software components in an enterprise version control system spanning more than 22 years. On this unlabeled dataset we automatically detect statistically significant events, and we show statistically significant evidence that a subset of users diversify their committing behavior after precipitating events have been announced.
Although these findings do not constitute detection of insider threat events per se, they do identify patterns of potentially malicious, high-risk insider behavior, and they reinforce the idea that insider operations can be motivated by the insiders' environment. Our proposed framework outperforms algorithms based on naive random approaches and algorithms using volume-dependent statistics. This graph mining technique has potential for early detection of insider threat behavior in user-system interactions, independent of the volume of interactions. The proposed method also enables organizations without a corpus of identified insider threats to train their own anomaly detection systems.
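As an added illustration of the kind of volume-independent, unsupervised test the abstract describes, the Python below is written for this page and is not the authors' code, their exact statistic, or their dataset. It builds the user side of a bipartite user-component graph from a constructed commit log, scores each user by the share of components touched after a hypothetical precipitating event that the user had never touched before it, and tests that score against a permutation null model built from the user's own history; a commit-count baseline is included to show what a volume-dependent statistic flags instead. The event day, the window length, the novelty score, the permutation test and the four sample users are all assumptions made for the example.

```python
"""Added example: a toy, volume-independent test for users who diversify
their commits after a precipitating event. Constructed data and an assumed
statistic; not the paper's code, dataset or exact method."""
from collections import defaultdict
import random

EVENT_DAY = 100   # assumed day the precipitating event was announced
HORIZON = 100     # assumed length of the pre- and post-event windows (days)
MIN_AFTER = 5     # users with fewer post-event commits are not scored


def constructed_commits():
    """Constructed sample log of (user, component, day) triples. Not real data."""
    rows = []
    # alice: steady contributor to A and B on both sides of the event
    for i, day in enumerate(range(1, 200, 4)):
        rows.append(("alice", "AB"[i % 2], day))
    # bob: A/B before the event, six never-before-touched components after it
    for i, day in enumerate(range(3, 100, 5)):
        rows.append(("bob", "AB"[i % 2], day))
    for i, day in enumerate(range(102, 200, 8)):
        rows.append(("bob", "CDEFGH"[i % 6], day))
    # carol: one component throughout, but commit volume jumps sixfold
    for day in range(10, 100, 20):
        rows.append(("carol", "X", day))
    for day in range(100, 190, 3):
        rows.append(("carol", "X", day))
    # dave: joins after the event, so every component he touches is "new"
    for i, day in enumerate(range(120, 160, 5)):
        rows.append(("dave", "PQ"[i % 2], day))
    return rows


def user_histories(commits):
    """User side of the bipartite user-component graph: each user's edges
    (day, component), ordered by commit day."""
    hist = defaultdict(list)
    for user, component, day in commits:
        hist[user].append((day, component))
    return {user: sorted(edges) for user, edges in hist.items()}


def novelty(before, after):
    """Share of distinct post-event components the user never touched
    pre-event. Depends on which components are touched, not on how often."""
    touched = set(after)
    if not touched:
        return None
    return len(touched - set(before)) / len(touched)


def permutation_pvalue(components, split, observed, rounds=1000, seed=7):
    """Null model: shuffle the user's own component sequence, keep the same
    pre/post split, and count shuffles at least as novel as observed."""
    rng = random.Random(seed)
    seq = list(components)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(seq)
        if novelty(seq[:split], seq[split:]) >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)   # +1 smoothing keeps p > 0


def detect_diversifiers(commits, event_day=EVENT_DAY, alpha=0.05):
    """{user: (novelty, p_value, flagged)} for users with enough post-event
    commits. A user with no pre-event history scores 1.0 by definition, but
    so does every shuffle, so the p-value is 1.0 and the user is not flagged."""
    results = {}
    for user, history in user_histories(commits).items():
        components = [c for _, c in history]
        split = sum(1 for day, _ in history if day < event_day)
        before, after = components[:split], components[split:]
        if len(after) < MIN_AFTER:
            continue
        score = novelty(before, after)
        p = permutation_pvalue(components, split, score)
        results[user] = (score, p, p <= alpha)
    return results


def volume_baseline(commits, event_day=EVENT_DAY, horizon=HORIZON, ratio=2.0):
    """Volume-dependent comparison: flag users whose post-event commit count
    exceeds `ratio` times their pre-event count in equal-length windows."""
    before, after = defaultdict(int), defaultdict(int)
    for user, _, day in commits:
        if event_day - horizon <= day < event_day:
            before[user] += 1
        elif event_day <= day < event_day + horizon:
            after[user] += 1
    return {user for user in after if after[user] > ratio * before[user]}


if __name__ == "__main__":
    commits = constructed_commits()
    for user, (score, p, flagged) in sorted(detect_diversifiers(commits).items()):
        print(f"{user:6s} novelty={score:.2f} p={p:.3f} flagged={flagged}")
    print("volume baseline flags:", sorted(volume_baseline(commits)))
```

On the constructed log only bob is flagged by the novelty test: carol's sixfold jump in commits and dave's post-event start both trip the count-based baseline while leaving the novelty score at its null value, which is the distinction between a volume-independent statistic and a volume-dependent one that the abstract draws.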

Original language: English
Title of host publication: MIST 2017 - Proceedings of the 2017 International Workshop on Managing Insider Security Threats, co-located with CCS 2017
Publisher: Association for Computing Machinery, Inc
Pages: 1-12
Number of pages: 12
ISBN (Electronic): 9781450351775
DOIs
State: Published - Oct 30 2017
Externally published: Yes
Event: 9th ACM CCS International Workshop on Managing Insider Security Threats, MIST 2017 - Dallas, United States
Duration: Oct 30 2017 → …

Publication series

Name: MIST 2017 - Proceedings of the 2017 International Workshop on Managing Insider Security Threats, co-located with CCS 2017
Volume: 2017-January

Conference

Conference: 9th ACM CCS International Workshop on Managing Insider Security Threats, MIST 2017
Country/Territory: United States
City: Dallas
Period: 10/30/17 → …

Keywords

  • Anomaly detection
  • Bipartite graph
  • Community structure
  • Graph mining
  • IBM Rational ClearCase
  • Insider threat
