Detecting Unknown Insider Threat Scenarios

Young, William T.; Memory, Alex; Goldberg, Henry G.; Senator, Ted E.

doi:10.1109/spw.2014.42

Cited by 26 publications

(21 citation statements)

References 9 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Experiments and results included in this paper extend previously reported results ( [21], [24], [25]) to cover 16 months of data from September 2012 through February 2014. Testing on the additional eight months included a number of new Red Team (RT) scenarios, new detection algorithms, and improved versions of existing detectors.…”

supporting

confidence: 55%

“…Since this paper continues and extends experiments previously reported in [25], we have repeated some introductory material and descriptions of our approach -especially regarding metrics, the test data, and the ensemble approach. While the previous paper looked at results from data collected over eight months, we cover results from 16 months, including a number of novel inserted target scenarios.…”

Section: Introductionmentioning

confidence: 77%

“…Anomaly detector ensemble methods combine the results (i.e., scores) from multiple detectors in a way that is analogous to how classifier ensembles combine predictions from multiple classifiers [8]. The following description of our ensemble approach is taken from [25]. We have not significantly altered the algorithm for the experiments reported here.…”

Section: Unsupervised Ensemble-based Anomaly Detection a Methodsmentioning

confidence: 99%

“…We extend preliminary results (from [25]) to an additional eight months, including 27 additional threat data sets comprising 15 new Red Team scenarios. The average AUC achieved by the ensemble over the new data is identical to that over the initial data, at 0.85, while the average "best" detector AUC only improved slightly from 0.88 to 0.89.…”

mentioning

confidence: 85%

“…To illustrate PRODIGAL's ability to detect such complex scenarios, we repeat a discussion of one such target scenario inserted in multiple data set by the Red Team as described in [25].…”

Section: Complex Scenario Detectionmentioning

confidence: 99%

See 4 more Smart Citations

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

Abstract-This paper reports on insider threat detection research, during which a prototype system (PRODIGAL)1 was developed and operated as a testbed for exploring a range of detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection of insider threat leads are presented to document this work and benefit others working in the insider threat domain.We also discuss a core set of experiments evaluating the prototype's ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances imbedded in real data with no prior knowledge of what scenarios are present or when they occur.We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity augmented with independently developed and unknown but realistic, insider threat scenarios, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in detectors designed for specific activity patterns.Finally, the paper describes the architecture of the prototype system, the environment in which we conducted these experiments and that is in the process of being transitioned to operational users.

show abstract

supporting

confidence: 55%

Section: Introductionmentioning

confidence: 77%

Section: Unsupervised Ensemble-based Anomaly Detection a Methodsmentioning

confidence: 99%

mentioning

confidence: 85%

“…To illustrate PRODIGAL's ability to detect such complex scenarios, we repeat a discussion of one such target scenario inserted in multiple data set by the Red Team as described in [25].…”

Section: Complex Scenario Detectionmentioning

confidence: 99%

See 3 more Smart Citations

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

Towards a Design Pattern for Adaptive Systems Inspired by the Neocortex

Phillips

Blackburn

2016

Systems Engineering

View full text Add to dashboard Cite

This paper discusses a general design pattern that can provide systems engineering guidance for building adaptive systems. The Neocortex Adaptive System Pattern (NASP) architecture is an adaptive decision‐making architecture. It is derived from the physical architecture observed within the neocortex. It allows different adaptive system components with diverse methodologies and techniques to coexist and cooperate within a single system. A literature review of relevant neuroscience literature is provided. An architectural view, along with a taxonomy of architecture features, is explained in detail. Experiment results that compare an implemented NASP system, a non‐NASP adaptive system, and rule‐based systems within a combative simulation are presented. The NASP design pattern unifies the diverse set of algorithms and technologies found across the spectrum of adaptive systems. Evidence from this study indicates that multiple methods and time windows for adaptation can result in superior performance of the overall system. The implications of this result infer a clear preference for Bayesian‐based adaptive systems over neural network–based adaptive systems when the system faces time‐sensitive problems. This paper supports the claim of a design pattern by providing an example system that shares the same architectural features as NASP.

show abstract

A State Machine System for Insider Threat Detection

Zhang

Agrafiotis

Erola

et al. 2019

Graphical Models for Security

View full text Add to dashboard Cite

The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity.In this paper we propose a system complimentary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it on ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimum computational time and memory.

show abstract

Detecting Unknown Insider Threat Scenarios

Cited by 26 publications

References 9 publications

Insider Threat Detection in PRODIGAL

Insider Threat Detection in PRODIGAL

Towards a Design Pattern for Adaptive Systems Inspired by the Neocortex

A State Machine System for Insider Threat Detection

Contact Info

Product

Resources

About