论文信息 - Detecting Insider Threat Based on Document Access Behavior Analysis

Detecting Insider Threat Based on Document Access Behavior Analysis

In recent years, the major source of information leakage is due to insiders. In order to detect information leakage by some internal insiders, anomaly detection using individual and community behavior models have been developed. The basic assumption of anomaly detection is each user has his/her own profile of activities and anomaly detection algorithm attempts to identify any deviation from the basic profile by each user. Both models neglected the possibility of change of individual user profile, e.g. change of individual interests. We propose here an anomaly detection model of insider threat using file content. The proposed model uses the document segmentation and Naive Bayes algorithm to classify the contents of files in an organization. We then set up the correlation matrices between users and their interests, and also the user community and their interests. We then propose a comprehensive model to detect the insider threat, which takes into consideration of the deviations of individual users’ current behaviors, their historical behaviors and their associated community behaviors simultaneously. According to the experimental test results, the proposed model can successfully detect the anomaly access to files in the internal systems.

Rui Zhang | Jinqiao Shi | Fei Xu | Yiguo Pu | Xiaojun Chen

[1] Haining Wang,et al. An efficient user verification system via mouse movements , 2011, CCS '11.

[2] Ravi S. Sandhu,et al. Role-Based Access Control Models , 1996, Computer.

[3] Marcus A. Maloof,et al. elicit: A System for Detecting Insiders Who Violate Need-to-Know , 2007, RAID.

[4] Bradley Malin,et al. Detecting Anomalous Insiders in Collaborative Information Systems , 2012, IEEE Transactions on Dependable and Secure Computing.

[5] Dieter Gollmann,et al. Computer Security - ESORICS 2005, 10th European Symposium on Research in Computer Security, Milan, Italy, September 12-14, 2005, Proceedings , 2005, ESORICS.

[6] Indrajit Ray,et al. Using Attack Trees to Identify Malicious Attacks from Authorized Insiders , 2005, ESORICS.

[7] Gerard Salton,et al. A vector space model for automatic indexing , 1975, CACM.

[8] Hinrich Schütze,et al. Introduction to Information Retrieval: Scoring, term weighting, and the vector space model , 2008 .

[9] Peter Harrington,et al. Machine Learning in Action , 2012 .