TWOS: A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition

In this paper we present open research questions and options for data analysis of our previously designed dataset, TWOS: The Wolf of SUTD. Through these research questions, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection but also extends to authorship verification and identification, continuous authentication, and sentiment analysis. To support investigation of the research questions, we present several state-of-the-art features applicable to the collected data sources, and thus provide researchers with guidance on how to start with data analysis. The TWOS dataset was collected during a gamified competition devised to obtain realistic instances of malicious insider threat. The competition simulated user interactions within and among competing companies, where two types of behavior (normal and malicious) were incentivized. For malicious behavior, we designed two types of malicious periods intended to capture the behavior of two types of insiders: masqueraders and traitors. The game involved 6 teams of 4 students each, who competed with each other for a period of 5 days. Their activities were monitored by several data collection agents, producing data for the following sources: mouse, keyboard, process and file-system monitor, network traffic, emails, and login/logout. In total, we obtained 320 hours of active participation, which included 18 hours of masquerader data and at least two instances of traitor data. In addition to the expected malicious behaviors, students explored various defensive and offensive strategies, such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. The TWOS dataset has been made publicly accessible for further research purposes.
In this paper we present the TWOS dataset, which contains realistic instances of insider threats based on a gamified competition. The competition simulated user interactions within and among competing companies, where two types of behavior (normal and malicious) were incentivized. For malicious behavior, we designed sessions for two types of insider threats (masqueraders and traitors). The game involved 6 teams of 4 students each, who competed with each other for a period of 5 days, while their activities were monitored through several heterogeneous sources (mouse, keyboard, process and file-system monitor, network traffic, emails and login/logout). In total, we obtained 320 hours of active participation, which included 18 hours of masquerader data and at least two instances of traitor data. In addition to the expected malicious behaviors, students explored various defensive and offensive strategies, such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. Furthermore, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection, but also includes areas such as authorship verification and identification, continuous authentication,

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), 9:1 (March 2018), pp. 54-85

∗Corresponding author: ST Electronics-SUTD Cyber Security Laboratory, 8 Somapah Road, Building 2 Level 3 S(487372), Tel: +65-6486-7033/44, Web: http://cyberlab.sutd.edu.sg/
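The abstracts above name continuous authentication and masquerader detection over the keyboard data source without spelling out the features involved. As an added example (this is not code from the TWOS paper or its authors), the block below turns a key-down/key-up log into the two classic keystroke-dynamics features, key hold time and down-down latency, builds a baseline template from the account owner's enrollment session, and flags a later session whose feature means drift too far from that template. The event format, the constructed sessions, the mean absolute z-score and the threshold of 2.0 are assumptions made here for illustration, not the paper's feature set or method.

```python
"""
Added illustration, not code from the TWOS paper: keystroke-dynamics features
(hold time, down-down latency) and a baseline deviation score, as one way to
approach masquerader detection / continuous authentication on keyboard logs.

Assumptions (not from the page): the keyboard monitor yields
(timestamp_ms, key, "D"|"U") events; the owner is enrolled from one clean
session; the z-score based score and its threshold are illustrative choices.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]  # (timestamp_ms, key, "D" = key down / "U" = key up)


def hold_and_latency(events: List[Event]) -> Tuple[List[float], List[float]]:
    """Hold time = up - down of the same key; latency = down - previous down."""
    pending_down: Dict[str, int] = {}
    holds: List[float] = []
    latencies: List[float] = []
    last_down = None
    for ts, key, action in sorted(events):
        if action == "D":
            if last_down is not None:
                latencies.append(float(ts - last_down))
            last_down = ts
            pending_down[key] = ts
        elif action == "U" and key in pending_down:
            holds.append(float(ts - pending_down.pop(key)))
    return holds, latencies


def profile(events: List[Event]) -> Dict[str, float]:
    """Per-session summary used as the behavioural template."""
    holds, lats = hold_and_latency(events)
    return {
        "hold_mean": mean(holds), "hold_sd": pstdev(holds),
        "lat_mean": mean(lats), "lat_sd": pstdev(lats),
    }


def deviation_score(session: List[Event], baseline: Dict[str, float]) -> float:
    """Mean absolute z-score of the session's feature means against the baseline."""
    cur = profile(session)
    zs = []
    for feat in ("hold", "lat"):
        sd = baseline[f"{feat}_sd"] or 1.0  # guard against a degenerate baseline
        zs.append(abs(cur[f"{feat}_mean"] - baseline[f"{feat}_mean"]) / sd)
    return mean(zs)


def classify(session: List[Event], baseline: Dict[str, float],
             threshold: float = 2.0) -> Dict[str, object]:
    """Flag the session as a possible masquerader once it drifts past the threshold."""
    score = deviation_score(session, baseline)
    return {"score": round(score, 2), "masquerader": score > threshold}


def make_session(hold_ms: int, latency_ms: int, n_keys: int = 10,
                 jitter_ms: int = 10, start_ms: int = 0) -> List[Event]:
    """Constructed sample log: deterministic +/- jitter stands in for a real typist."""
    events: List[Event] = []
    t = start_ms
    for i in range(n_keys):
        key = "abcdef"[i % 6]
        d = jitter_ms if i % 2 == 0 else -jitter_ms
        events.append((t, key, "D"))
        events.append((t + hold_ms + d, key, "U"))
        t += latency_ms + d
    return events


# Constructed data: the owner enrolls with ~90 ms holds / ~180 ms latencies, a later
# session from the same person drifts slightly, and the masquerader types differently.
OWNER_ENROLLMENT = make_session(hold_ms=90, latency_ms=180)
OWNER_LATER = make_session(hold_ms=92, latency_ms=185, start_ms=60_000)
MASQUERADER = make_session(hold_ms=140, latency_ms=320, start_ms=120_000)


def demo() -> Dict[str, Dict[str, object]]:
    """Score both later sessions against the owner's enrollment template."""
    baseline = profile(OWNER_ENROLLMENT)
    return {
        "owner_later": classify(OWNER_LATER, baseline),
        "masquerader": classify(MASQUERADER, baseline),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On real data the baseline would be built from many enrollment sessions and the score computed over sliding windows of the live session, which is what makes the check "continuous"; the per-session means here keep the example short while showing where the features come from and how a drift threshold separates the owner's own variation from a different typist.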
