Behavioral Analysis of Insider Threat: A Survey and Bootstrapped Prediction in Imbalanced Data

The problem of insider threat is receiving increasing attention within the computer science community and in government and industry alike. This paper starts by presenting a broad, multidisciplinary survey of insider threat that captures contributions from computer scientists, psychologists, criminologists, and security practitioners. Subsequently, we present the behavioral analysis of insider threat (BAIT) framework, in which we conduct a detailed experiment involving 795 subjects on Amazon Mechanical Turk (AMT) in order to gauge the behaviors that real human subjects follow when attempting to exfiltrate data from within an organization. In the real world, the number of actual insiders found is very small, so supervised machine-learning methods face a challenge. Unlike past work, we develop bootstrapping algorithms that learn from highly imbalanced data, mostly unlabeled, with almost no history of user behavior from an insider threat perspective. We develop and evaluate seven algorithms using BAIT and show that they can produce a realistic (and acceptable) balance of precision and recall.
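As an added illustration of the bootstrapping idea described in the abstract (example code, not the paper's BAIT framework or its algorithms), the block below runs a self-training nearest-centroid loop that starts from 2 labelled insiders and 20 labelled benign users in a constructed population of 206, pseudo-labels the unlabelled majority round by round, and reports precision and recall on the users that were never labelled. The three behavioural features, the population sizes and the centroid scorer are assumptions made for this example.

```python
import math
import random

# Constructed per-user features (hypothetical): sensitive files touched,
# off-hours logins, MB sent to external hosts; 6 insiders among 206 users.
def make_population(seed=7, n_benign=200, n_insider=6):
    rng = random.Random(seed)
    users = [(rng.randint(0, 5), rng.randint(0, 3), rng.randint(0, 50))
             for _ in range(n_benign)]
    users += [(rng.randint(40, 60), rng.randint(10, 15), rng.randint(600, 900))
              for _ in range(n_insider)]
    return users, [0] * n_benign + [1] * n_insider

def scale(users):  # divide each feature by its population maximum
    m = [max(u[i] for u in users) for i in range(3)]
    return [tuple(u[i] / m[i] for i in range(3)) for u in users]

def centroid(pts):
    return tuple(sum(p[i] for p in pts) / len(pts) for i in range(3))

def bootstrap(users, seed_labels, k=10):
    """Self-training: seed_labels maps a few user indices to 0/1. Each round the
    k most confident unlabelled users per class get pseudo-labels and the class
    centroids are recomputed; the loop ends when no user is unlabelled."""
    x, labels = scale(users), dict(seed_labels)
    while unl := [i for i in range(len(x)) if i not in labels]:
        c_pos = centroid([x[i] for i, y in labels.items() if y == 1])
        c_neg = centroid([x[i] for i, y in labels.items() if y == 0])
        # confidence in (-1, 1): > 0 means closer to the insider centroid
        conf = {i: (math.dist(x[i], c_neg) - math.dist(x[i], c_pos))
                / (math.dist(x[i], c_neg) + math.dist(x[i], c_pos)) for i in unl}
        pos = sorted((i for i in unl if conf[i] > 0), key=lambda i: -conf[i])[:k]
        neg = sorted((i for i in unl if conf[i] <= 0), key=lambda i: conf[i])[:k]
        labels.update({i: 1 for i in pos})
        labels.update({i: 0 for i in neg})
    return labels

def precision_recall(pred, truth, seed_labels):
    """Score only the users that were unlabelled at the start."""
    idx = [i for i in range(len(truth)) if i not in seed_labels]
    tp = sum(pred[i] and truth[i] for i in idx)
    fp = sum(pred[i] and not truth[i] for i in idx)
    fn = sum(not pred[i] and truth[i] for i in idx)
    return tp / max(tp + fp, 1), tp / max(tp + fn, 1)

def run(seed=7):
    users, truth = make_population(seed)
    seeds = {**{i: 0 for i in range(20)}, 200: 1, 201: 1}  # 2 known insiders
    pred = bootstrap(users, seeds)
    return precision_recall(pred, truth, seeds), sum(pred.values())
```

On the constructed data the clusters are well separated, so the loop recovers all four unlabelled insiders; on real telemetry the confidence margin and the per-round budget k are the knobs that trade precision against recall.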
