Xuebin Wang,Qingfeng Tan,Jinqiao Shi,Shen Su,Meiqi Wang

DOI: https://doi.org/10.1109/dsc.2018.00077

2018-01-01

Abstract:With the rapid development of information technology, office automation is continuously improving. The data leakage problem resulting from insider threats is getting worse, legitimate users may abuse privileges or masquerade as other users, which may result in the loss of data. In this paper, a new data-centric approach is proposed to detect insider threat, which based on characterizing user behavior by extracting the features of user interaction behavior including keystroke dynamics and consecutive queries to model users' access patterns. Statistical learning algorithms are trained and tested from opening dataset to predict abnormal behavior patterns; experimental results indicate that the approach is very effective and accurate.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Qiujian Lv,Yan Wang,Leiqi Wang,Dan Wang

DOI: https://doi.org/10.1109/ICNIDC.2018.8525804

2018-01-01

Abstract:Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Existing methods have distinguished the minority of users who show suspicious behavior from the majority of users. However, these methods failed to apply the features reflecting the deviation between the behaviors of users and those of their user groups within the similar job roles. This paper focuses on insider threat detection by conducting both user and role behaviors analysis. It extracts multiple features that represent the details of activities conducted by each user and their deviations from the behaviors of their user groups. The malicious users are then detected by using an unsupervised algorithm, Isolation Forest Algorithm, which evaluates the variance that each user exhibits across multiple attributes, compared against the other users. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the data lasting 17 months. We compare the proposed method with an existing state-of-the-art method and the results demonstrate the robust performance of the proposed detection method.

Hui Wang,Guangcan Yang,Shufen Liu,Xing Li

DOI: https://doi.org/10.1109/iccis.2011.214

2011-01-01

Abstract:By monitoring daily behaviors of insiders in enterprise, we can establish the process information model which reflects behavioral characteristic of insiders based on Bayesian learning theory. There will be a warning happened in the system when an insider's behaviors are deviating from the characteristic model. If applying the method to address insider threat, we can effectively improve the security of internal network, and reduce risk & loss from insider threat.

Weiyu He,Xu Wu,Jingchen Wu,Xiaqing Xie,Lirong Qiu,Lijuan Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00089

2021-10-01

Abstract:Insider threat makes enterprises or organizations suffer from the loss of property and the negative influence of reputation. User behavior analysis is the mainstream method of insider threat detection, but due to the lack of fine-grained detection and the inability to effectively capture the behavior patterns of individual users, the accuracy and precision of detection are insufficient. To solve this problem, this paper designs an insider threat detection method based on user historical behavior and attention mechanism, including using Long Short Term Memory (LSTM) to extract user behavior sequence information, using Attention-based on user history behavior (ABUHB) learns the differences between different user behaviors, uses Bidirectional-LSTM (Bi-LSTM) to learn the evolution of different user behavior patterns, and finally realizes fine-grained user abnormal behavior detection. To evaluate the effectiveness of this method, experiments are conducted on the CMU-CERT Insider Threat Dataset. The experimental results show that the effectiveness of this method is 3.1% to 6.3% higher than that of other comparative model methods, and it can detect insider threats in different user behaviors with fine granularity.

Bin Lv,Dan Wang,Yan Wang,Qiujian Lv,Dan Lu

DOI: https://doi.org/10.1007/978-3-319-94268-1_28

2018-01-01

Abstract:Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many people. A number of techniques have been proposed to detect insider threats by comparing behaviors among different individuals or by comparing the behaviors across different time periods of the same individual. However, both of them always fail to identify the certain kinds of inside threats due to the fact that the behaviors of insider threats are complex and diverse. To deal with this issue, this paper focuses on constructing a hybrid model to detect insider threats based on multi-dimensional features. First, an Across-Domain Anomaly Detection (ADAD) model is proposed to identify anomalous behaviors that deviate from the behaviors of their peers based on the isolation Forest algorithm. Second, an Across-Time Anomaly Detection (ATAD) model is proposed to measure the degree of unusual changes of a user's behavior based on an improved Markov model. What's more, we propose a hybrid model to integrate the evidence from the above two models ADAD and ATAD. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the 17-month data. The experimental results show that the ADAD and ATAD models are robust and the hybrid model can outperform the two separated models obviously.

Taolue Chen,Tingting Han,Florian Kammueller,Ibrahim Nemli,Christian W. Probst

DOI: https://doi.org/10.1109/cybersecpods.2016.7502350

2016-01-01

Abstract:In order to detect malicious insider attacks it is important to model and analyse infrastructures and policies of organisations and the insiders acting within them. We extend formal approaches that allow modelling such scenarios by quantitative aspects to enable a precise analysis of security designs. Our framework enables evaluating the risks of an insider attack to happen quantitatively. The framework first identifies an insider's intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking. We provide prototype tool support using Matlab for Bayesian networks and PRISM for the analysis of Markov decision processes, and validate the framework with case studies.

Teng Hu,Weina Niu,Xiaosong Zhang,Xiaolei Liu,Jiazhong Lu,Yuan Liu

DOI: https://doi.org/10.1155/2019/3898951

IF: 1.968

2019-02-17

Security and Communication Networks

Abstract:In the current intranet environment, information is becoming more readily accessed and replicated across a wide range of interconnected systems. Anyone using the intranet computer may access content that he does not have permission to access. For an insider attacker, it is relatively easy to steal a colleague’s password or use an unattended computer to launch an attack. A common one-time user authentication method may not work in this situation. In this paper, we propose a user authentication method based on mouse biobehavioral characteristics and deep learning, which can accurately and efficiently perform continuous identity authentication on current computer users, thus to address insider threats. We used an open-source dataset with ten users to carry out experiments, and the experimental results demonstrated the effectiveness of the approach. This approach can complete a user authentication task approximately every 7 seconds, with a false acceptance rate of 2.94% and a false rejection rate of 2.28%.

computer science, information systems,telecommunications

Hui Wang,Liu Shu-fen,Zhang Xin-jia

2006-01-01

Abstract:To better help system administrators for systematically understanding the deployment of information system policy, the analysis and comparison of representative approaches in classification and modelling methods for insider threat were conducted. And on the basis of analysis of different solutions for mitigating insider threat, a largely improved solution was presented.

Junhong Kim,Minsik Park,Haedong Kim,Suhyoun Cho,Pilsung Kang,Kim,Park,Kim,Cho,Kang

DOI: https://doi.org/10.3390/app9194018

2019-09-25

Applied Sciences

Abstract:Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wu Xin,Qingni Shen,Ke Feng,Yutang Xia,Zhonghai Wu,Zhenghao Lin

DOI: https://doi.org/10.1109/trustcom56396.2022.00204

2022-01-01

Abstract:In recent years, data security incidents caused by insider threats in distributed file systems have attracted the attention of academia and industry. The most common way to detect insider threats is based on user profiles. Through analysis, we realize that based on existing user profiles are not efficient enough, and there are many false positives when a stable user profile has not yet been formed. In this work, we propose personalized user profiles and design an insider threat detection framework, which can intelligently detect insider threats for securing distributed file systems in real-time. To generate personalized user profiles, we come up with a time window-based clustering algorithm and a weighted kernel density estimation algorithm. Compared with non-personalized user profiles, both the Recall and Precision of insider threat detection based on personalized user profiles have been improved, resulting in their harmonic mean F1 increased to 96.52%. Meanwhile, to reduce the false positives of insider threat detection, we put forward operation recommendations based on user similarity to predict new operations that users will produce in the future, which can reduce the false positive rate (FPR). The FPR is reduced to 1.54% and the false positive identification rate (FPIR) is as high as 92.62%. Furthermore, to mitigate the risks caused by inaccurate authorization for users, we present user tags based on operation content and permission. The experimental results show that our proposed framework can detect insider threats more effectively and precisely, with lower FPR and high FPIR.

Yu Cao,Yilu Chen,Ye Wang,Ning Hu,Zhaoquan Gu,Yan Jia

DOI: https://doi.org/10.1007/978-981-97-7244-5_2

2024-01-01

Abstract:Malicious insider attacks are among the most destructive threats to enterprises. Solving the insider threat problem involves several challenges, including data imbalance and detection of anomalous behavior. This paper presents TS-AUBD, a two-stage method for abnormal user behavior detection. TS-AUBD consists of coarse-grained and fine-grained user-level models. TS-AUBD can not only effectively detect abnormal behaviors and users but also analyze the situation of abnormal behaviors presented in each abnormal user. Experiments were conducted on a publicly available standard dataset CERT R4.2. Results show that TS-AUBD shows better performance compared with the baseline model, with an accuracy of up to 99.9% for behavior detection and 99. 8% for user detection.

Haozhe Zhang,Ioannis Agrafiotis,Arnau Erola,Sadie Creese,Michael Goldsmith

DOI: https://doi.org/10.1007/978-3-030-15465-3_7

2019-01-01

Abstract:The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity. In this paper we propose a system complimentary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it on ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimum computational time and memory.

Rui Zhang,Xiaojun Chen,Jinqiao Shi,Fei Xu,Yiguo Pu

DOI: https://doi.org/10.1007/978-3-319-11119-3_35

2014-01-01

Abstract:In recent years, the major source of information leakage is due to insiders. In order to detect information leakage by some internal insiders, anomaly detection using individual and community behavior models have been developed. The basic assumption of anomaly detection is each user has his/her own profile of activities and anomaly detection algorithm attempts to identify any deviation from the basic profile by each user. Both models neglected the possibility of change of individual user profile, e.g. change of individual interests. We propose here an anomaly detection model of insider threat using file content. The proposed model uses the document segmentation and Naive Bayes algorithm to classify the contents of files in an organization. We then set up the correlation matrices between users and their interests, and also the user community and their interests. We then propose a comprehensive model to detect the insider threat, which takes into consideration of the deviations of individual users' current behaviors, their historical behaviors and their associated community behaviors simultaneously. According to the experimental test results, the proposed model can successfully detect the anomaly access to files in the internal systems.

Pratik Chattopadhyay,Lipo Wang,Yap-Peng Tan

DOI: https://doi.org/10.1109/tcss.2018.2857473

2018-09-01

IEEE Transactions on Computational Social Systems

Abstract:An insider threat scenario refers to the outcome of a set of malicious activities caused by intentional or unintentional misuse of the organization’s systems, networks, data, and resources. Prevention of insider threat is difficult, since trusted partners of the organization are involved in it, who have authorized access to these confidential/sensitive resources. The state-of-the-art research on insider threat detection mostly focuses on developing unsupervised behavioral anomaly detection techniques with the objective of finding out anomalousness or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily malicious that can lead to an insider threat scenario. As an improvement to the existing approaches, we propose a technique for insider threat detection from time-series classification of user activities. Initially, a set of single-day features is computed from the user activity logs. A time-series feature vector is next constructed from the statistics of each single-day feature over a period of time. The label of each time-series feature vector (whether malicious or nonmalicious) is extracted from the ground truth. To classify the imbalanced ground-truth insider threat data consisting of only a small number of malicious instances, we employ a cost-sensitive data adjustment technique that undersamples the nonmalicious class instances randomly. As a classifier, we employ a two-layered deep autoencoder neural network and compare its performance with other popularly used classifiers: random forest and multilayer perceptron. Encouraging results are obtained by evaluating our approach using the CMU Insider Threat Data, which is the only publicly available insider threat data set consisting of about 14-GB web-browsing logs, along with logon, device connection, file transfer, and e-mail log files. We observe that both deep autoencoder and random forest classifiers classify the data-adjusted time-series feature set with high precision, recall, and f-score. Although multilayer perceptron has a high recall, it suffers from a lower precision and f-score compared to the other two classifiers.

Chen Xiaojun,Wei Zicheng,Pu Yiguo,Shi Jinqiao

DOI: https://doi.org/10.1016/j.procs.2013.05.111

2013-01-01

Procedia Computer Science

Abstract:Insider threat becomes a more and more serious problem to organizations. Identify theft is a common attack method among various attack methods from insider. And it is very hard to detection since the attacker acts as a legal identity. Existing researches focus on Human Computer Interaction (HCI) behavior such as keystroke dynamics or mouse dynamics to detection this kind of attack. Based on an obvious observable that different applications show different HCI behavioral patterns (rich-key-operations or rich-mice-operations), we demonstrate that single authentication method is not efficient always in full time work period. In this paper, we provide an ensemble re-authentication approach to detection identify theft in real time, which combine the classification of keystroke-classifier and mice-classifier to determine whether the current operations is produced by the real legitimate user or not. Our experiment proves this new approach is efficient and can provide consistent detection ability with high accuracy.

Haowei Liu

DOI: https://doi.org/10.1088/1742-6596/1994/1/012021

2021-08-01

Journal of Physics: Conference Series

Abstract:Abstract Under the background of “digital new era”, the trend of network environment diversification and personnel technical requirements complexity is becoming more and more intense. After the “Prism Gate” incident was exposed, the public began to think deeply about insider security. At present, most organizations adopt security information and event management (SIEM) security policies and the rules to carry out insider security detection. However, with the surge of insider information data, the number of false alarms and false alarms due to the lack of context increases, which consumes a lot of time and human and material resources. Based on these problems, it is particularly important to develop a new insider safety inspection system and tools. This work proposes to develop an insider threat detection system based on the security strategy of user and entity behavior analysis to realize the detection and analysis of insider threat with high precision. The main work is as follows:This work abandons the traditional SIEM combined rules to determine the anomaly, but adopts the detection strategy of User and Entity Behavior Analysis (UEBA).This work proposes an improved LSTM-GaN insider threat detection algorithm.

Xiaobin Wang,Yongjun Wang,Qiang Liu,Yonglin Sun,Peidai Xie

DOI: https://doi.org/10.1007/978-981-10-0068-3_28

2016-01-01

Abstract:Information security is a great challenge for most organizations in today’s information world, especially the insider problem. With the help of malwares, insiders can search and steal valuable files easily and safely in an organization’s network. In this paper, we collect a dataset of file access behaviors for normal processes and malware processes. We analyze the dataset and find several features in which normal processes and malware processes show significant differences, a file access behavior model is given based on these features, and we apply both semi-supervised and unsupervised approaches to verify the effectiveness of our model, experimental results demonstrate that our model is effective in distinguishing between file access behaviors of normal processes and malware processes.

Zhihong Tian,Wei Shi,Zhiyuan Tan,Jing Qiu,Yanbin Sun,Feng Jiang,Yan Liu

DOI: https://doi.org/10.1007/s11036-020-01656-7

2020-10-09

Mobile Networks and Applications

Abstract:Organizations' own personnel now have a greater ability than ever before to misuse their access to critical organizational assets. Insider threat detection is a key component in identifying rare anomalies in context, which is a growing concern for many organizations. Existing perimeter security mechanisms are proving to be ineffective against insider threats. As a prospective filter for the human analysts, a new deep learning based insider threat detection method that uses the Dempster-Shafer theory is proposed to handle both accidental as well as intentional insider threats via organization's channels of communication in real time. The long short-term memory (LSTM) architecture together with multi-head attention mechanism is applied in this work to detect anomalous network behavior patterns. Furthermore, belief is updated with Dempster's conditional rule and utilized to fuse evidence to achieve enhanced prediction. The CERT Insider Threat Dataset v6.2 is used to train the behavior model. Through performance evaluation, our proposed method is proven to be effective as an insider threat detection technique.

computer science, information systems,telecommunications, hardware & architecture