Insider threat detection and its future directions

The ability to detect insider threats is important for many organisations. However, the field of insider threat detection is not well understood. In this paper, we survey existing insider threat detection mechanisms to provide a better understanding of the field. We identify and categorise insider behaviours into four classes: biometric behaviours, cyber behaviours, communication behaviours, and psychosocial behaviours. Each class in turn comprises several independent research fields of anomaly detection. Our survey reveals significant scope for further research in many of these fields, with many machine learning algorithms and features that have not yet been explored. We identify and summarise these unexplored areas as future directions.
