论文信息 - Use of Domain Knowledge to Detect Insider Threats in Computer Activities

Use of Domain Knowledge to Detect Insider Threats in Computer Activities

This paper reports the first set of results from a comprehensive set of experiments to detect realistic insider threat instances in a real corporate database of computer usage activity. It focuses on the application of domain knowledge to provide starting points for further analysis. Domain knowledge is applied (1) to select appropriate features for use by structural anomaly detection algorithms, (2) to identify features indicative of activity known to be associated with insider threat, and (3) to model known or suspected instances of insider threat scenarios. We also introduce a visual language for specifying anomalies across different types of data, entities, baseline populations, and temporal ranges. Preliminary results of our experiments on two months of live data suggest that these methods are promising, with several experiments providing area under the curve scores close to 1.0 and lifts ranging from ×20 to ×30 over random.

Ted E. Senator | Henry G. Goldberg | Alex Memory | William T. Young | James F. Sartain

[1] Dawn M. Cappelli,et al. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors , 2005 .

[2] Lawrence B. Holder,et al. Insider Threat Detection Using a Graph-Based Approach , 2010 .

[3] Robert H. Anderson,et al. Understanding the Insider Threat , 2004 .

[4] Malek Ben Salem,et al. A Survey of Insider Attack Detection Research , 2008, Insider Attack and Cyber Security.

[5] Dawn M. Cappelli,et al. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes , 2012 .

[6] Robert H. Anderson,et al. Understanding the Insider Threat: Proceedings of a March 2004 Workshop , 2005 .

[7] Jay Yoon Lee,et al. Fast Anomaly Discovery Given Duplicates , 2012 .

[8] Joshua Glasser,et al. Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data , 2013, 2013 IEEE Security and Privacy Workshops.

[9] Dawn M. Cappelli,et al. Insider Threat Study: Illicit Cyber Activity in the Government Sector , 2008 .