Alex Memory scite author profile

This paper reports on methods and results of an applied research project by a team consisting of SAIC and four universities to develop, integrate, and evaluate new approaches to detect the weak signals characteristic of insider threats on organizations' information systems. Our system combines structural and semantic information from a real corporate database of monitored activity on their users' computers to detect independently developed red team inserts of malicious insider activities. We have developed and applied multiple algorithms for anomaly detection based on suspected scenarios of malicious insider behavior, indicators of unusual activities, high-dimensional statistical patterns, temporal sequences, and normal graph evolution. Algorithms and representations for dynamic graph processing provide the ability to scale as needed for enterpriselevel deployments on real-time data streams. We have also developed a visual language for specifying combinations of features, baselines, peer groups, time periods, and algorithms to detect anomalies suggestive of instances of insider threat behavior. We defined over 100 data features in seven categories based on approximately 5.5 million actions per day from approximately 5,500 users. We have achieved area under the ROC curve values of up to 0.979 and lift values of 65 on the top 50 user-days identified on two months of real data.

show abstract

Use of Domain Knowledge to Detect Insider Threats in Computer Activities

Young

Goldberg

Memory

et al. 2013

View full text Add to dashboard Cite

Detecting Unknown Insider Threat Scenarios

Young

Memory

Goldberg

et al. 2014

View full text Add to dashboard Cite

Abstract-This paper reports results from a set of experiments that evaluate an insider threat detection prototype on its ability to detect scenarios that have not previously been seen or contemplated by the developers of the system. We show the ability to detect a large variety of insider threat scenario instances imbedded in real data with no prior knowledge of what scenarios are present or when they occur. We report results of an ensemble-based, unsupervised technique for detecting potential insider threat instances over eight months of real monitored computer usage activity augmented with independently developed, unknown but realistic, insider threat scenarios that robustly achieves results within 5% of the best individual detectors identified after the fact. We explore factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in scenario-based detectors designed for known activity patterns. We report results over the entire period of the ensemble approach and of ablation experiments that remove the scenario-based detectors.

show abstract

Explaining and Aggregating Anomalies to Detect Insider Threats

Goldberg

Young

Memory

et al. 2016

View full text Add to dashboard Cite

A Collective, Probabilistic Approach to Schema Mapping

Kimmig

Memory

Miller

et al. 2017

View full text Add to dashboard Cite

A Collective, Probabilistic Approach to Schema Mapping Using Diverse Noisy Evidence

Kimmig

Memory

Miller

et al. 2019

IEEE Trans. Knowl. Data Eng.

View full text Add to dashboard Cite

Abstract-We propose a probabilistic approach to the problem of schema mapping. Our approach is declarative, scalable, and extensible. It builds upon recent results in both schema mapping and probabilistic reasoning and contributes novel techniques in both fields. We introduce the problem of schema mapping selection, that is, choosing the best mapping from a space of potential mappings, given both metadata constraints and a data example. As selection has to reason holistically about the inputs and the dependencies between the chosen mappings, we define a new schema mapping optimization problem which captures interactions between mappings as well as inconsistencies and incompleteness in the input. We then introduce Collective Mapping Discovery (CMD), our solution to this problem using state-of-the-art probabilistic reasoning techniques. Our evaluation on a wide range of integration scenarios, including several real-world domains, demonstrates that CMD effectively combines data and metadata information to infer highly accurate mappings even with significant levels of noise.

show abstract

Distinguishing the unexplainable from the merely unusual

Senator¹,

Goldberg²,

Memory³

2013

View full text Add to dashboard Cite

Causal Discovery of Cyber Attack Phases

Mueller

Memory

Bartrem

2019

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Alex Memory

Detecting insider threats in a real corporate database of computer usage activity

Use of Domain Knowledge to Detect Insider Threats in Computer Activities

Detecting Unknown Insider Threat Scenarios

Explaining and Aggregating Anomalies to Detect Insider Threats

A Collective, Probabilistic Approach to Schema Mapping

A Collective, Probabilistic Approach to Schema Mapping Using Diverse Noisy Evidence

Distinguishing the unexplainable from the merely unusual

Causal Discovery of Cyber Attack Phases

Contact Info

Product

Resources

About