While most organizations continue to invest in traditional network defences, a formidable security challenge has been brewing within their own boundaries. Malicious insiders with privileged access, operating in the guise of a trusted source, have carried out many attacks causing far-reaching damage to financial stability, national security and brand reputation for both public and private sector organizations. The growing exposure and impact of the whistleblower community, together with concerns about job security under changing organizational dynamics, have further aggravated this situation. The unpredictability of malicious attackers, as well as the complexity of malicious actions, necessitates the careful analysis of network, system and user parameters correlated with the insider threat problem. This creates a high-dimensional, heterogeneous data analysis problem in isolating suspicious users. This research work proposes an insider threat detection framework which utilizes attributed graph clustering techniques and an outlier ranking mechanism for enterprise users. Empirical results confirm the effectiveness of the method, achieving a best area under the receiver operating characteristic curve (AUC) of 0.7648.
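The abstract names the two ingredients of the framework (clustering of an attributed user graph, then ranking users as outliers relative to their cluster) and evaluates the ranking by ROC AUC. The following is an added, self-contained illustration of that pipeline and is not the paper's code: the user attributes, the edges, the ground-truth labels, the k-medoids clustering with a combined attribute/structure distance, and the median-deviation outlier score are all constructed assumptions chosen to show the idea, not the authors' actual method or dataset.

```python
"""Added illustration (not the paper's code): rank enterprise users as
outliers within clusters of an attributed user graph and score the
ranking with ROC AUC.  Every value below is constructed sample data."""
import math
from statistics import median

# Constructed per-user behaviour attributes:
# (logons/day, after-hours logons/day, MB uploaded/day, distinct hosts/day)
USERS = {
    "alice": (8.0, 0.2, 5.0, 1.0),
    "bob":   (9.0, 0.1, 6.0, 1.0),
    "carol": (7.5, 0.3, 4.0, 1.0),
    "dave":  (20.0, 4.0, 900.0, 9.0),   # constructed anomalous profile
    "erin":  (3.0, 0.0, 1.0, 2.0),
    "frank": (3.5, 0.1, 1.5, 2.0),
    "grace": (2.5, 0.0, 0.8, 2.0),
    "heidi": (4.0, 2.5, 300.0, 7.0),    # constructed anomalous profile
}
# Constructed edges: users who share a team or a file share
EDGES = [("alice", "bob"), ("bob", "carol"), ("alice", "carol"), ("dave", "alice"),
         ("erin", "frank"), ("frank", "grace"), ("erin", "grace"), ("heidi", "erin")]
# Constructed ground truth used only to evaluate the ranking
LABELS = {u: int(u in ("dave", "heidi")) for u in USERS}


def neighbourhood(user, edges):
    """Closed neighbourhood: the user plus everyone adjacent to it."""
    nb = {user}
    for a, b in edges:
        if a == user:
            nb.add(b)
        elif b == user:
            nb.add(a)
    return nb


def normalise(users):
    """Min-max scale each attribute to [0, 1] so no single unit dominates."""
    cols = list(zip(*users.values()))
    lo = [min(c) for c in cols]
    rng = [(max(c) - min(c)) or 1.0 for c in cols]
    return {u: tuple((x - l) / r for x, l, r in zip(v, lo, rng))
            for u, v in users.items()}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance(u, v, attrs, nbs, lam=0.5):
    """Attributed-graph distance: lam * attribute distance plus
    (1 - lam) * structural distance (1 - Jaccard of neighbourhoods)."""
    jac = len(nbs[u] & nbs[v]) / len(nbs[u] | nbs[v])
    return lam * euclid(attrs[u], attrs[v]) + (1 - lam) * (1 - jac)


def kmedoids(attrs, nbs, seeds, rounds=10):
    """Plain k-medoids on the combined distance; seeds fix the start so
    the run is deterministic.  Returns a list of member lists."""
    medoids = list(seeds)
    for _ in range(rounds):
        clusters = {m: [] for m in medoids}
        for u in attrs:
            clusters[min(medoids, key=lambda m: distance(u, m, attrs, nbs))].append(u)
        new = [min(members, key=lambda c: sum(distance(c, o, attrs, nbs) for o in members))
               for members in clusters.values()]
        if sorted(new) == sorted(medoids):
            break
        medoids = new
    return list(clusters.values())


def outlier_scores(clusters, attrs):
    """Score each user by its distance from the per-attribute median of its
    own cluster; the median keeps a single anomalous member from shifting
    the peer-group centre towards itself."""
    dims = len(next(iter(attrs.values())))
    scores = {}
    for members in clusters:
        centre = [median(attrs[m][i] for m in members) for i in range(dims)]
        for m in members:
            scores[m] = euclid(attrs[m], centre)
    return scores


def roc_auc(scores, labels):
    """AUC as the probability that a random positive outranks a random
    negative (ties count one half); equivalent to the ROC-curve area."""
    pos = [scores[u] for u in scores if labels[u]]
    neg = [scores[u] for u in scores if not labels[u]]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def rank_users(users=USERS, edges=EDGES, seeds=("alice", "erin")):
    """Full pipeline: normalise, cluster, score, rank (highest score first)."""
    attrs = normalise(users)
    nbs = {u: neighbourhood(u, edges) for u in users}
    clusters = kmedoids(attrs, nbs, seeds)
    scores = outlier_scores(clusters, attrs)
    ranked = sorted(scores, key=scores.get, reverse=True)
    return clusters, ranked, scores


if __name__ == "__main__":
    clusters, ranked, scores = rank_users()
    for u in ranked:
        print(f"{u:6s} score={scores[u]:.3f}")
    print("AUC:", roc_auc(scores, LABELS))
```

On this toy data the two constructed anomalous profiles land at the top of the ranking and the AUC is 1.0; on real enterprise telemetry the separation is far weaker, which is why the paper reports its result as an AUC (0.7648) rather than a clean split. Ranking within a cluster rather than globally is the point of the clustering step: a user is compared with behavioural and structural peers, so a team that legitimately uploads large volumes does not swamp the ranking.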
I. Introduction

Insider threat mitigation, or finding the enemy hiding within the boundaries of an enterprise network, is one of the most critical and complex cybersecurity threats. By looking at the publicly available threat cases [6] and published literature [13] [27] on insider threat, it is evident that the insider threat can no longer be treated as a purely data driven problem. It needs to be considered as a combined data and human behavior driven problem. This drives the requirement for going beyond technical capabilities to understand the unpredictable behavior of the trusted insider. Though there is no particular demographic profile for malicious insiders, there are common characteristics among the three broad categories of insider threat, namely IT sabotage, theft of intellectual property and IT fraud. These characteristics are based on the type of people involved, the motivation for the attack, the time span and the level of damage caused by the attack. In addition, several researchers, e.g., Berk et al. [3] and Massberg et al. [20], highlighted the correlation between Capability (Means), Motivation, and Opportunity (CMO/MMO Model) for triggering a malicious insider activity. In addition to disgruntled workplace behavior, users tend to publicize their inside (in-office) experiences online. This includes their interests, which have been influenced by positive and negative organizational dynamics. Therefore the insider threat mitigation framework needs to be expanded so that it

arXiv:1809.00231v1 [cs.CR] 1 Sep 2018