Use of Domain Knowledge to Detect Insider Threats in Computer Activities

Young, William T.; Goldberg, Henry G.; Memory, Alex; Sartain, James F.; Senator, Ted E.

doi:10.1109/spw.2013.32

Cited by 32 publications

(29 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Experiments and results included in this paper extend previously reported results ( [21], [24], [25]) to cover 16 months of data from September 2012 through February 2014. Testing on the additional eight months included a number of new Red Team (RT) scenarios, new detection algorithms, and improved versions of existing detectors.…”

supporting

confidence: 55%

“…Characterizing behavior demonstrated by users in online social communities such as deception ( [3]) and negative predisposition toward law enforcement ( [13]) can be relevant to the insider threat domain. Machine learning techniques, such as outlier detection [2] and unsupervised anomaly detection [7], have likewise shown utility for identifying insider threat activiites in large, complex data sets ( [9], [24]). Finally, the efficacy of ensembles of detectors has been shown ( [1], [8]) and inspired our approach.…”

Section: Introductionmentioning

confidence: 99%

“…Baselines for comparison may be crosssectional (i.e., compare a user's actions over a particular time period with that of other users in a peer group over some time comparable time period) or temporal (i.e., compare a user with his/her own behavior over different time periods), or both. Especially for the more complex, scenario detectors, we develop specifications using an Anomaly Detection Language (ADL) that was introduced in [21] and [24]. We have found specification of a complex planned detection in ADL to be extremely useful in the process of developing and testing combinations of feature sub-setting, classification, anomaly detection, and threat ranking mechanisms.…”

mentioning

confidence: 99%

“…We have found specification of a complex planned detection in ADL to be extremely useful in the process of developing and testing combinations of feature sub-setting, classification, anomaly detection, and threat ranking mechanisms. Figure 1, taken from [24], shows the design of a complex scenario-based detector.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

Abstract-This paper reports on insider threat detection research, during which a prototype system (PRODIGAL)1 was developed and operated as a testbed for exploring a range of detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection of insider threat leads are presented to document this work and benefit others working in the insider threat domain.We also discuss a core set of experiments evaluating the prototype's ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances imbedded in real data with no prior knowledge of what scenarios are present or when they occur.We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity augmented with independently developed and unknown but realistic, insider threat scenarios, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in detectors designed for specific activity patterns.Finally, the paper describes the architecture of the prototype system, the environment in which we conducted these experiments and that is in the process of being transitioned to operational users.

show abstract

supporting

confidence: 55%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Insider Threat Detection in PRODIGAL

Goldberg

Young

Reardon

et al. 2017

Proceedings of the 50th Hawaii International Conference on System Sciences (2017)

View full text Add to dashboard Cite

show abstract

“…Fusion algorithm is used to combine anomaly from multiple source of information. William T.Young et al, [10] this paper presents the realistic associate menace instances in a real company database of computer custom activity. Area vision is requested (1) to select appropriate features for use by structural anomaly detection algorithms, (2) to recognize features indicative of attention recognized to be associated alongside associate menace, and (3) to ideal recognized or distrusted instances of associate menace scenarios.…”

Section: Related Workmentioning

confidence: 99%

Enhanced Framework for Detecting Malicious HTTP Redirections with Supporting Classifier

2015

IJSR

View full text Add to dashboard Cite

Malicious URL detection has become increasingly difficult due to the evolution of phishing campaigns and efforts to avoid weakening blacklists. The existing state of cybercrime has allowed pirates to host campaigns with smaller lifespan, which reduces the efficacy of the backlist. At the same time, standard supervised learning algorithms are known to generalize in specific patterns observed in the training data, which makes them a better alternative against piracy campaigns. However the highly dynamic environment of these campaigns requires models updated frequently, which poses new challenge as most learning algorithms are too computationally require exclusive retraining. This paper surveys two contributions. Firstly it discusses the problems associated with Malicious URL and there propagation mechanism. Secondly, it provides method to detect and distinguish Malicious URL by analyzing them. For analysis Recall, Precision and F-measures matrices are used.

show abstract

Towards a Design Pattern for Adaptive Systems Inspired by the Neocortex

Phillips

Blackburn

2016

Systems Engineering

View full text Add to dashboard Cite

This paper discusses a general design pattern that can provide systems engineering guidance for building adaptive systems. The Neocortex Adaptive System Pattern (NASP) architecture is an adaptive decision‐making architecture. It is derived from the physical architecture observed within the neocortex. It allows different adaptive system components with diverse methodologies and techniques to coexist and cooperate within a single system. A literature review of relevant neuroscience literature is provided. An architectural view, along with a taxonomy of architecture features, is explained in detail. Experiment results that compare an implemented NASP system, a non‐NASP adaptive system, and rule‐based systems within a combative simulation are presented. The NASP design pattern unifies the diverse set of algorithms and technologies found across the spectrum of adaptive systems. Evidence from this study indicates that multiple methods and time windows for adaptation can result in superior performance of the overall system. The implications of this result infer a clear preference for Bayesian‐based adaptive systems over neural network–based adaptive systems when the system faces time‐sensitive problems. This paper supports the claim of a design pattern by providing an example system that shares the same architectural features as NASP.

show abstract

Use of Domain Knowledge to Detect Insider Threats in Computer Activities

Cited by 32 publications

References 3 publications

Insider Threat Detection in PRODIGAL

Insider Threat Detection in PRODIGAL

Enhanced Framework for Detecting Malicious HTTP Redirections with Supporting Classifier

Towards a Design Pattern for Adaptive Systems Inspired by the Neocortex

Contact Info

Product

Resources

About