Abstract
The increasing threat of insider attacks has resulted in a correlated increase in incentives to monitor trusted insiders. Measures of volumes of access, detailed background checks, and statistical characterizations of employee behaviors are all commonly used to mitigate the insider threat. These traditional approaches usually rely on supervised learning models or case studies to determine the critical features or attributes that can be used as indicators, and such approaches require labeled data for correct characterization of the threat. Yet regardless of the incentives to detect the insider threat, the incentives to share detailed labeled data on successful malicious insiders have proven inadequate. To address this challenging data environment, we developed an innovative approach that captures the temporal evolution of user-system interactions in order to create an unsupervised learning framework for detecting high-risk insider behaviors. Our method is based on the analysis of a bipartite graph of user and system interactions. The graph mining method detects increases in potential insider threat events following precipitating events, e.g., a limited restructuring. We apply our method to a dataset that comprises interactions between engineers and components in a software version control system spanning 22 years, and automatically detect statistically significant events. We find that there is statistically significant evidence of increasing anomalies in committing behavior after precipitating events. Although these findings do not constitute detection of insider threat events per se, they reinforce the idea that insider operations can be motivated by the insiders' environment and detected with the proposed method. We compare our results with algorithms based on volume-dependent statistics, showing that our proposed framework outperforms those measures.
This graph mining method has potential for early detection of insider threat behavior from user-system interactions, which could enable quicker mitigation.
Field | Value |
---|---|
Original language | English |
Pages (from-to) | 4-29 |
Number of pages | 26 |
Journal | Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications |
Volume | 9 |
Issue number | 1 |
DOIs | |
State | Published - Mar 2018 |
Externally published | Yes |
Funding
Pablo Moriano acknowledges Yong-Yeol Ahn for early feedback and discussions about the use of community diversification metrics for detecting anomalous events in Twitter data, as well as Jorge Finke for his insights about the temporal abstraction for performance evaluation of detection algorithms. All authors thank Cisco ASIG members for help in collecting data and setting up experiments. This research was supported in part by the National Science Foundation under CNS-1565375, Cisco Research Support #591000, and the Comcast Innovation Fund. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the US Government, the National Science Foundation, Cisco, Comcast, or Indiana University.
Funders | Funder number |
---|---|
Comcast Innovation Fund | |
National Science Foundation | 591000, CNS-1565375 |
Indiana University | |
Keywords
- Anomaly detection
- Bipartite graph
- Community structure
- Graph mining
- IBM Rational ClearCase
- Insider threat