Proactive Insider Threat Detection through Graph Learning and Psychological Context

Brdiczka, Oliver; Liu, Juan; Price, Bob; Shen, Jianqiang; Patil, Akshay; Chow, Richard; Bart, Evgeniy; Ducheneaut, Nicolas

doi:10.1109/spw.2012.29

Cited by 78 publications

(61 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A copy of the data is transmitted to the ADAMS testbed environment, where it is anonymized by removal or hashing of personally identifying information (PII) and stored in an instance of the SureView warehouse schema. In parallel, the Red Team creates additional SureView events (boxes [4][5] that are inserted into a separate partition for merger with the collected data.…”

Section: A Monthly Pipeline Processing In Testbed Environmentmentioning

confidence: 99%

“…Understanding the types of attacks designed to steal protected information informs the development of defensive enterprise detection technologies such as decoys ([4], [17]). Understanding complex human behaviors in enterprise environments supports the identification of patterns of activity in computer usage data related to behaviors associated with insider threat actions, such as quitting ( [10], [5]). Characterizing behavior demonstrated by users in online social communities such as deception ( [3]) and negative predisposition toward law enforcement ( [13]) can be relevant to the insider threat domain.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

Abstract-This paper reports on insider threat detection research, during which a prototype system (PRODIGAL)1 was developed and operated as a testbed for exploring a range of detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection of insider threat leads are presented to document this work and benefit others working in the insider threat domain.We also discuss a core set of experiments evaluating the prototype's ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances imbedded in real data with no prior knowledge of what scenarios are present or when they occur.We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity augmented with independently developed and unknown but realistic, insider threat scenarios, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in detectors designed for specific activity patterns.Finally, the paper describes the architecture of the prototype system, the environment in which we conducted these experiments and that is in the process of being transitioned to operational users.

show abstract

Section: A Monthly Pipeline Processing In Testbed Environmentmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

“…In addition, [8] research is emphasizing that human behavior and personality are important for insider detection, and research on how to improve the accuracy of detection by combining human psychological profile information with detection models is underway.…”

Section: Etcmentioning

confidence: 99%

Carnegie Mellon University's CERT Dataset Analysis and Suggestions

KIM¹,

KIM²

2017

IJARBMS

View full text Add to dashboard Cite

show abstract

“…Buford et al [7] use situation-aware multi-agent systems as part of a distributed architecture for insider threat detection. Brdiczka et al [8] combine psychological profiling with structural anomaly detection to develop an architecture for insider-threat detection. Eberle et al [9] consider Graph-Based Anomaly Detection as a tool for detecting insiders, based on modifications, insertions and deletions of activities from the graph.…”

Section: Related Workmentioning

confidence: 99%

Caught in the act of an insider attack: detection and assessment of insider threat

Legg

Buckley

Goldsmith

et al. 2015

2015 IEEE International Symposium on Technologies for Homeland Security (HST)

View full text Add to dashboard Cite

Abstract-The greatest asset that any organisation has are its people, but they may also be the greatest threat. Those who are within the organisation may have authorised access to vast amounts of sensitive company records that are essential for maintaining competitiveness and market position, and knowledge of information services and procedures that are crucial for daily operations. In many cases, those who have such access do indeed require it in order to conduct their expected workload. However, should an individual choose to act against the organisation, then with their privileged access and their extensive knowledge, they are well positioned to cause serious damage. Insider threat is becoming a serious and increasing concern for many organisations, with those who have fallen victim to such attacks suffering significant damages including financial and reputational. It is clear then, that there is a desperate need for more effective tools for detecting the presence of insider threats and analyzing the potential of threats before they escalate. We propose Corporate Insider Threat Detection (CITD), an anomaly detection system that is the result of a multi-disciplinary research project that incorporates technical and behavioural activities to assess the threat posed by individuals. The system identifies user and role-based profiles, and measures how users deviate from their observed behaviours to assess the potential threat that a series of activities may pose. In this paper, we present an overview of the system and describe the concept of operations and practicalities of deploying the system. We show how the system can be utilised for unsupervised detection, and also how the human analyst can engage to provide an active learning feedback loop. By adopting an accept or reject scheme, the analyst is capable of refining the underlying detection model to better support their decisionmaking process and significant reduce the false positive rate.

show abstract

Proactive Insider Threat Detection through Graph Learning and Psychological Context

Cited by 78 publications

References 21 publications

Insider Threat Detection in PRODIGAL

Insider Threat Detection in PRODIGAL

Carnegie Mellon University's CERT Dataset Analysis and Suggestions

Caught in the act of an insider attack: detection and assessment of insider threat

Contact Info

Product

Resources

About