Detecting insider threats in a real corporate database of computer usage activity

Senator, Ted E.; Goldberg, Henry G.; Memory, Alex; Young, William T.; Rees, Brad; Pierce, Robert D.; Huang, Daniel; Reardon, Matthew; Bader, David A.; Chow, Edmond; Essa, Irfan; Jones, J. A. A.; Bettadapura, Vinay; Chau, Duen Horng; Green, Oded; Kaya, Oguz; Zakrzewska, Anita; Briscoe, Erica; Mappus, Rudolph Iv L.; McColl, Robert; Weiss, Lora G.; Dietterich, Thomas G.; Fern, Alan; Wong, Weng‐Keen; Das, Shubhomoy; Emmott, Andrew; Irvine, Jed; Lee, Jay-Yoon; Koutra, Danai; Faloutsos, Christos; Corkill, Daniel D.; Friedland, Lisa; Gentzel, Amanda; Jensen, David

doi:10.1145/2487575.2488213

Cited by 100 publications

(77 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Experiments and results included in this paper extend previously reported results ( [21], [24], [25]) to cover 16 months of data from September 2012 through February 2014. Testing on the additional eight months included a number of new Red Team (RT) scenarios, new detection algorithms, and improved versions of existing detectors.…”

supporting

confidence: 55%

“…Relational features such as the email and text-message communication graphs are used to provide comparison groups in some detectors. Different approaches to feature normalization are incorporated into variants of the same detection models used in PRODIGAL [21].…”

Section: B Developing a Diverse Suite Of Detectorsmentioning

confidence: 99%

“…As in other adversarial domains, a useful insider threat detection system must be able to detect not only instances of known, suspected, or hypothesized insider threat scenarios, but also instances of previously unseen and novel insider threat scenarios [21].…”

Section: Introductionmentioning

confidence: 99%

“…Baselines for comparison may be crosssectional (i.e., compare a user's actions over a particular time period with that of other users in a peer group over some time comparable time period) or temporal (i.e., compare a user with his/her own behavior over different time periods), or both. Especially for the more complex, scenario detectors, we develop specifications using an Anomaly Detection Language (ADL) that was introduced in [21] and [24]. We have found specification of a complex planned detection in ADL to be extremely useful in the process of developing and testing combinations of feature sub-setting, classification, anomaly detection, and threat ranking mechanisms.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

Self Cite

View full text Add to dashboard Cite

Abstract-This paper reports on insider threat detection research, during which a prototype system (PRODIGAL)1 was developed and operated as a testbed for exploring a range of detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection of insider threat leads are presented to document this work and benefit others working in the insider threat domain.We also discuss a core set of experiments evaluating the prototype's ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances imbedded in real data with no prior knowledge of what scenarios are present or when they occur.We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity augmented with independently developed and unknown but realistic, insider threat scenarios, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in detectors designed for specific activity patterns.Finally, the paper describes the architecture of the prototype system, the environment in which we conducted these experiments and that is in the process of being transitioned to operational users.

show abstract

supporting

confidence: 55%

Section: B Developing a Diverse Suite Of Detectorsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Senator et al [10] developed multiple algorithms for anomaly detection and demonstrated the feasibility of proposed methods for insider threat detection. Magklaras and Furnell [11] proposed a threat evaluation system based on profiles of user behaviors to estimate the level of threat.…”

Section: Related Workmentioning

confidence: 99%

Abnormal Behavior Analysis in Office Automation System within Organizations

Wang¹,

Zhou²,

Zhu³

et al. 2017

IJCCE

View full text Add to dashboard Cite

Abstract:Insider threat is a serious and increasing concern for many organizations. The group of individuals who operate within the organization have access to highly confidential and sensitive information, however, if they choose to act against the organization, with their privileged access authority and their extensive knowledge, they are well positioned to cause serious damage. Compared with vast amounts of normal daily operations, malicious behaviors are indeed small probability events, and are easily ignored. Thus, there is a desperate need to explore an effective approach to detect such suspicious behaviors. In order to solve this problem, we propose a two-stage algorithm to detect anomaly through analyzing user behavior based on activity log data collected in a real office automation system. In the first stage, we compare users' behavioral activities with activities of his/her belonging role, and in the second stage, we compare individual behavioral activities with his/her activities in a window period. By adopting several effective features to describe users' regular behavioral patterns, the analyst is capable of refining underlying abnormal users and abnormal periods to better support the network security administration.

show abstract

Exploring anomalous behaviour detection and classification for insider threat identification

Zincir-Heywood

2020

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Recently, malicious insider threats represent one of the most damaging threats to companies and government agencies. Insider threat detection is a highly skewed data analysis problem, where the huge class imbalance makes the adaptation of learning algorithms to the real‐world context very difficult. This study proposes a new system for user‐centred machine learning‐based anomaly behaviour and insider threat detection on multiple data granularity levels. System evaluations and analysis are performed not only on individual data instances but also on normal and malicious users. Our results show that the proposed system, which is a combination of unsupervised anomaly detection and supervised machine learning methods, can learn from unlabelled data and a very small amount of labelled data. Furthermore, it can generalize to bigger datasets for detecting anomalous behaviours and unseen malicious insiders with a high detection and a low false‐positive rate.

show abstract

Detecting insider threats in a real corporate database of computer usage activity

Cited by 100 publications

References 24 publications

Insider Threat Detection in PRODIGAL

Insider Threat Detection in PRODIGAL

Abnormal Behavior Analysis in Office Automation System within Organizations

Exploring anomalous behaviour detection and classification for insider threat identification

Contact Info

Product

Resources

About