Automated Insider Threat Detection System Using User and Role-Based Profile Assessment

Legg, Phil; Buckley, Oliver; Goldsmith, Michael; Creese, Sadie

doi:10.1109/jsyst.2015.2438442

Cited by 108 publications

(77 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Traditionally, distance measurements have been applied to text analysis [1,2] and speech based matching [3,4]. Our work most closely matches classification techniques such as -NN and PCA as applied by [14] and [15], respectively. However, in the case of our distance measurement implementations, we only consider one set of prior data rather than attempt to classify 'normal' and 'anomalous' behaviour based on the whole range of available data.…”

Section: Related Workmentioning

confidence: 69%

“…Recent work in the application of data analytic techniques against the CERT dataset include [12][13][14][15]. The work of [13] focuses on the CERT r6.2 dataset and uses Deep Neural Networks (DNN) and Recurrent Neural Networks (RNN) to calculate an anomaly score of each individual user.…”

Section: Related Workmentioning

confidence: 99%

“…Their results show that -NN is generally more accurate and faster in comparison with -d tree. Additionally, the work of [15] uses both the CERT dataset and bespoke synthetic dataset generated to evaluate their approach which is based on grouping of users based on role and applying Principal Component Analysis (PCA) to detect outliers in user activity.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Distance Measurement Methods for Improved Insider Threat Detection

Buchanan

Griffiths

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Insider threats are a considerable problem within cyber security and it is often difficult to detect these threats using signature detection. Increasing machine learning can provide a solution, but these methods often fail to take into account changes of behaviour of users. This work builds on a published method of detecting insider threats and applies Hidden Markov method on a CERT data set (CERT r4.2) and analyses a number of distance vector methods (Damerau-Levenshtein Distance, Cosine Distance, and Jaccard Distance) in order to detect changes of behaviour, which are shown to have success in determining different insider threats.

show abstract

Section: Related Workmentioning

confidence: 69%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Distance Measurement Methods for Improved Insider Threat Detection

Buchanan

Griffiths

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Previous studies have grouped the features associated with motives into four broad categories [14,17,25,34,[38][39][40]:…”

Section: A) Motivementioning

confidence: 99%

Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis

Gheyas

Abdallah

2016

Big Data Anal

View full text Add to dashboard Cite

Cyber security is vital to the success of today's digital economy. The major security threats are coming from within, as opposed to outside forces. Insider threat detection and prediction are important mitigation techniques. This study addresses the following research questions: 1) what are the research trends in insider threat detection and prediction nowadays? 2) What are the challenges associated with insider threat detection and prediction? 3) What are the best-to-date insider threat detection and prediction algorithms? We conduct a systematic review of 37 articles published in peer-reviewed journals, conference proceedings and edited books for the period of 1950-2015 to address the first two questions. Our survey suggests that game theoretic approach (GTA) is a popular source of insider threat data; the insiders' online activities are the most widely used features in insider threat detection and prediction; most of the papers use single point estimates of threat likelihood; and graph algorithms are the most widely used tools for detecting and predicting insider threats. The key challenges facing the insider threat detection and prediction system include unbounded patterns, uneven time lags between activities, data nonstationarity, individuality, collusion attacks, high false alarm rates, class imbalance problem, undetected insider attacks, uncertainty, and the large number of free parameters in the model. To identify the best-to-date insider threat detection and prediction algorithms, our meta-analysis study excludes theoretical papers proposing conceptual algorithms from the 37 selected papers resulting in the selection of 13 papers. We rank the insider threat detection and prediction algorithms presented in the 13 selected papers based on the theoretical merits and the transparency of information. To determine the significance of rank sums, we perform "the Friedman two-way analysis of variance by ranks" test and "multiple comparisons between groups or conditions" tests.

show abstract

“…The topic of insider threat detection has received many attentions in the literature. Traditional intrusion detection system is neither designed for nor capable of identifying those who act maliciously within an organization [3]. Researchers have proposed a number of systems and approaches to detect or predict insider threat based on different types of activities.…”

Section: Related Workmentioning

confidence: 99%

Abnormal Behavior Analysis in Office Automation System within Organizations

Wang¹,

Zhou²,

Zhu³

et al. 2017

IJCCE

View full text Add to dashboard Cite

Abstract:Insider threat is a serious and increasing concern for many organizations. The group of individuals who operate within the organization have access to highly confidential and sensitive information, however, if they choose to act against the organization, with their privileged access authority and their extensive knowledge, they are well positioned to cause serious damage. Compared with vast amounts of normal daily operations, malicious behaviors are indeed small probability events, and are easily ignored. Thus, there is a desperate need to explore an effective approach to detect such suspicious behaviors. In order to solve this problem, we propose a two-stage algorithm to detect anomaly through analyzing user behavior based on activity log data collected in a real office automation system. In the first stage, we compare users' behavioral activities with activities of his/her belonging role, and in the second stage, we compare individual behavioral activities with his/her activities in a window period. By adopting several effective features to describe users' regular behavioral patterns, the analyst is capable of refining underlying abnormal users and abnormal periods to better support the network security administration.

show abstract

Automated Insider Threat Detection System Using User and Role-Based Profile Assessment

Cited by 108 publications

References 23 publications

Distance Measurement Methods for Improved Insider Threat Detection

Distance Measurement Methods for Improved Insider Threat Detection

Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis

Abnormal Behavior Analysis in Office Automation System within Organizations

Contact Info

Product

Resources

About