Modeling Human Behaviour with Higher Order Logic: Insider Threats

Abstract: In this paper, we approach the problem of modeling the human component in technical systems with a view on the difference between the use of model and theory in sociology and computer science. One aim of this essay is to show that building of theories and models for sociology can be compared to and implemented in Higher Order Logic. We validate this working hypothesis by revisiting Weber's understanding explanation. We focus on constructive realism in the context of logical explanation. We review Higher Order … Show more

“…In this paper we focus on theft picking the two general patterns of insider attacks on intellectual property defined as the major insider patterns for theft [4]: the Entitled Independent and the Ambitious Leader. We extend here the Isabelle/HOL model for social explanation of insider threats [7] to a more general framework and illustrate it on these general insider patterns in Section IV validating the application by properties of insider threats that can now readily be proved in Isabelle/HOL in our model. The personality split discovered in the Needham Schroeder protocol provides the means to formally prove that the CERT attacks are possible in vulnerable infrastructures.…”

“…We next present a brief summary of social explanation following Max Weber (Section III) illustrating its application to model insider threats on the Dropbox example. The example has been used in various works [6] including our own [2], [7]. Here we aim at generalizing the observation that Weber's three steps are a good model for insider threats.…”

Modeling and Verification of Insider Threats Using Logical Analysis

“…In this paper we focus on theft picking the two general patterns of insider attacks on intellectual property defined as the major insider patterns for theft [4]: the Entitled Independent and the Ambitious Leader. We extend here the Isabelle/HOL model for social explanation of insider threats [7] to a more general framework and illustrate it on these general insider patterns in Section IV validating the application by properties of insider threats that can now readily be proved in Isabelle/HOL in our model. The personality split discovered in the Needham Schroeder protocol provides the means to formally prove that the CERT attacks are possible in vulnerable infrastructures.…”

“…We next present a brief summary of social explanation following Max Weber (Section III) illustrating its application to model insider threats on the Dropbox example. The example has been used in various works [6] including our own [2], [7]. Here we aim at generalizing the observation that Weber's three steps are a good model for insider threats.…”

Modeling and Verification of Insider Threats Using Logical Analysis

“…In previous work [2], we used Higher Order Logic (HOL) to model insider threats accommodating the view of the insider's disposition based on these taxonomies, and insider patterns based on real case studies [3]. This logical modelling of insider patterns revealed that HOL allows modelling the human factor with its psychological disposition, the company's infrastructure including policies, and use theorem proving to prove that certain behaviours lead to policy violations, i.e., insider attacks.…”

“…As we have shown in previous work [2], insider threat analysis requires the combination of a macrolevel view and a micro-level view akin to sociological techniques. This is needed in order to integrate human factors into the context of an infrastructure, like the physical environment of a company and its IT network.…”

A Probabilistic Analysis Framework for Malicious Insider Threats

“…This early approach also uses infrastructure models of organisations, actors and policies but necessarily has to be simpler than the Isabelle Insider framework since model checking does only support finite models. The use of sociological explanation has been pioneered in [5] already with first formal experiments in Isabelle. Finally, the Isabelle Insider framework has been established [20] and has been validated on two of the main three Insider patterns the Entitled Independent and Ambitious Leader.…”

Isabelle Modelchecking for Insider Threats