A multi-perspective approach to insider threat detection

Insider threat has become one of the most important types of attack to identify and combat for both government and commercial organizations in recent years. The irreversible financial and security damage that can result from this type of threat has placed insider threat among the most important problems in cybersecurity [1]. The complexity of the problem is mainly due to the fact that the attacker is a legitimate user of the system, which makes it very difficult to draw a clear line between legitimate and malicious actions. This paper presents a multi-perspective approach for the detection of insider threats in typical enterprise networks. In this approach, multiple detection engines monitor network activities from different perspectives and use the aggregate information to adjust their detection sensitivities. Experimental results from our studies show that this approach reduces the false alarm probability and increases the ability to detect attacks by colluding insiders.
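The mechanism the abstract describes, several detection engines that each watch one perspective of user activity and use the aggregate evidence from the other engines to adjust their own alert thresholds, can be illustrated with a small simulation. The code below is an added example written for this page, not the paper's own implementation or data: the perspectives (host file access, network egress volume, off-hours logins), the per-perspective baselines, the z-score scoring, the linear threshold adjustment with its `coupling`, `floor` and `ceiling` parameters, and the sample user-days are all constructed assumptions. It contrasts independent engines with the coupled ones on a benign one-off data transfer (an isolated engine fires, the coupled engine does not) and on two colluders who keep every single perspective moderately above baseline (no isolated engine fires, the coupled engines all do).

```python
"""Multi-perspective insider threat detection, illustrative only.

Several detection engines each watch one perspective of a user's daily
activity (host file access, network egress, authentication timing). Each
engine scores its own perspective but sets its alert threshold using the
aggregate evidence from the other engines, so an isolated one-off spike is
tolerated while consistent moderate deviations across perspectives are
caught. Baselines, observations and the adjustment rule are constructed
assumptions for this example, not the paper's data or algorithm.
"""
from statistics import mean

# Constructed per-perspective baselines: (mean, standard deviation) of the
# daily value for a normal user in this role.
BASELINE = {
    "files_accessed": (44.0, 4.0),
    "bytes_out_mb": (130.0, 12.0),
    "offhours_logins": (0.2, 0.4),
}


class Engine:
    """One detection engine responsible for a single perspective."""

    def __init__(self, perspective, base_threshold=3.0, coupling=1.0,
                 floor=1.5, ceiling=4.0):
        self.perspective = perspective
        self.mu, self.sigma = BASELINE[perspective]
        self.base_threshold = base_threshold   # threshold when acting alone
        self.coupling = coupling               # how strongly peers shift it
        self.floor, self.ceiling = floor, ceiling

    def score(self, value):
        """Standardised deviation (z-score) of today's value from baseline."""
        return (value - self.mu) / self.sigma

    def threshold(self, corroboration):
        """Alert threshold after adjusting for evidence from other engines.

        Positive corroboration (peers also see anomalies) lowers the
        threshold; negative corroboration (peers see normal activity)
        raises it. Clamped so no engine can be silenced or made to fire
        on noise purely by its peers.
        """
        adjusted = self.base_threshold - self.coupling * corroboration
        return max(self.floor, min(self.ceiling, adjusted))


ENGINES = {p: Engine(p) for p in BASELINE}


def evaluate(day, multi_perspective=True):
    """Return the set of perspectives that raise an alert for one user-day.

    day: mapping perspective -> observed value.
    multi_perspective=False reproduces independent engines (no sharing).
    """
    scores = {p: ENGINES[p].score(day[p]) for p in ENGINES}
    alerts = set()
    for p, engine in ENGINES.items():
        if multi_perspective:
            # Aggregate evidence from every other perspective.
            corroboration = mean([scores[q] for q in scores if q != p])
        else:
            corroboration = 0.0
        if scores[p] > engine.threshold(corroboration):
            alerts.add(p)
    return alerts


# Constructed user-days. "benign_backup" moved an unusually large amount of
# data once; the two colluders each keep every individual perspective
# moderately, but consistently, above baseline.
SAMPLE_DAYS = {
    "normal_user": {"files_accessed": 46, "bytes_out_mb": 135, "offhours_logins": 0},
    "benign_backup": {"files_accessed": 42, "bytes_out_mb": 169, "offhours_logins": 0},
    "colluder_a": {"files_accessed": 53, "bytes_out_mb": 157, "offhours_logins": 1},
    "colluder_b": {"files_accessed": 52, "bytes_out_mb": 154, "offhours_logins": 1},
}


def run_demo():
    """Compare isolated engines with the multi-perspective coupling."""
    return {
        user: {
            "isolated": evaluate(day, multi_perspective=False),
            "multi": evaluate(day, multi_perspective=True),
        }
        for user, day in SAMPLE_DAYS.items()
    }


if __name__ == "__main__":
    for user, result in run_demo().items():
        print(f"{user:14s} isolated={sorted(result['isolated'])} "
              f"multi={sorted(result['multi'])}")
```

The two clamps matter in practice: the `floor` keeps a single engine from firing on ordinary variance just because its peers are excited, and the `ceiling` keeps peers from suppressing a large deviation entirely. Tuning `coupling` trades the two effects the abstract reports, fewer false alarms on uncorroborated spikes against better recall on spread-out collusive activity.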

[1] Hung Q. Ngo, et al. A Data-Centric Approach to Insider Attack Detection in Database Systems, 2010, RAID.

[2] Malek Ben Salem, et al. Monitoring Technologies for Mitigating Insider Threats, 2010, Insider Threats in Cyber Security.

[3] Chih-Jen Lin, et al. A Practical Guide to Support Vector Classification, 2008.

[4] Sara Matzner, et al. Analysis and Detection of Malicious Insiders, 2005.

[5] Boleslaw K. Szymanski, et al. Recursive data mining for masquerade detection and author identification, 2004, Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop.

[6] Chih-Jen Lin, et al. LIBSVM: A library for support vector machines, 2011, TIST.

[7] Salvatore J. Stolfo, et al. One-Class Training for Masquerade Detection, 2003.

[8] Marcus A. Maloof, et al. ELICIT: A System for Detecting Insiders Who Violate Need-to-Know, 2007, RAID.

[9] Stephen H. Conrad, et al. Building A System For Insider Security, 2009, IEEE Security & Privacy.

[10] Malik Yousef, et al. One-Class SVMs for Document Classification, 2002, J. Mach. Learn. Res.

[11] L. Kruger, et al. A Filtering Approach To Anomaly and Masquerade Detection.

[12] Shari Lawrence Pfleeger, et al. Insiders Behaving Badly: Addressing Bad Actors and Their Actions, 2010, IEEE Transactions on Information Forensics and Security.

[13] Malek Ben Salem, et al. Designing Host and Network Sensors to Mitigate the Insider Threat, 2009, IEEE Security & Privacy.

[14] Malek Ben Salem, et al. A Survey of Insider Attack Detection Research, 2008, Insider Attack and Cyber Security.

[15] Bernhard Schölkopf, et al. Estimating the Support of a High-Dimensional Distribution, 2001, Neural Computation.

[16] David Selby, et al. Insider attack and real-time data mining of user behavior, 2007, IBM J. Res. Dev.