Detecting Anomalous Insiders in Collaborative Information Systems

Collaborative information systems (CISs) are deployed within a diverse array of environments that manage sensitive information. Current security mechanisms detect insider threats, but they are ill-suited to monitor systems in which users function in dynamic teams. In this paper, we introduce the community anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on the access logs of collaborative environments. The framework is based on the observation that typical CIS users tend to form community structures based on the subjects accessed (e.g., patients' records viewed by healthcare providers). CADS consists of two components: 1) relational pattern extraction, which derives community structures, and 2) anomaly prediction, which leverages a statistical model to determine when users have sufficiently deviated from their communities. We further extend CADS into MetaCADS to account for the semantics of subjects (e.g., patients' diagnoses). To empirically evaluate the framework, we perform an assessment with three months of access logs from a real electronic health record (EHR) system in a large medical center. The results illustrate that our models exhibit significant performance gains over state-of-the-art competitors. When the number of illicit users is low, MetaCADS is the best model, but as the number grows, commonly accessed semantics lead to hiding in a crowd, such that CADS is more prudent.
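The two-stage pipeline the abstract describes (derive community structure from who accesses which subjects, then score how far each user sits from the communities) can be illustrated on a small constructed access log. The following is an added example written for this page, not code from the paper or the CADS implementation: the access log is constructed, user similarity is approximated with Jaccard overlap of accessed subjects, and the "statistical model" is simplified to a z-score over each user's distance from its k nearest neighbours. The paper's own relational-analysis and prediction models are not reproduced here.

```python
from collections import defaultdict
from itertools import combinations
import statistics

# Constructed sample access log of (user, subject) pairs. Users u_a..u_c share
# one set of patient records, u_d..u_f share another, and u_x touches one
# record from each group plus two records nobody else views.
ACCESS_LOG = [
    ("u_a", "p1"), ("u_a", "p2"), ("u_a", "p3"), ("u_a", "p4"),
    ("u_b", "p1"), ("u_b", "p2"), ("u_b", "p3"), ("u_b", "p5"),
    ("u_c", "p2"), ("u_c", "p3"), ("u_c", "p4"), ("u_c", "p5"),
    ("u_d", "p6"), ("u_d", "p7"), ("u_d", "p8"), ("u_d", "p9"),
    ("u_e", "p6"), ("u_e", "p7"), ("u_e", "p8"), ("u_e", "p10"),
    ("u_f", "p7"), ("u_f", "p8"), ("u_f", "p9"), ("u_f", "p10"),
    ("u_x", "p1"), ("u_x", "p6"), ("u_x", "p11"), ("u_x", "p12"),
]


def build_access_sets(log):
    """Collapse the log into the bipartite user->subjects relation."""
    sets = defaultdict(set)
    for user, subject in log:
        sets[user].add(subject)
    return dict(sets)


def jaccard(a, b):
    """Overlap of two subject sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def user_similarity(access_sets):
    """Relational pattern extraction (simplified): a user-user similarity
    matrix in which users who view the same subjects cluster together."""
    users = sorted(access_sets)
    sim = {u: {} for u in users}
    for u, v in combinations(users, 2):
        s = jaccard(access_sets[u], access_sets[v])
        sim[u][v] = s
        sim[v][u] = s
    return sim


def deviation_scores(sim, k=2):
    """Anomaly prediction (simplified): 1 minus the mean similarity to the
    k most similar other users. Members of a community score low; a user
    whose accesses match no community scores high."""
    scores = {}
    for u, neighbours in sim.items():
        top = sorted(neighbours.values(), reverse=True)[:k]
        scores[u] = 1.0 - (sum(top) / len(top) if top else 0.0)
    return scores


def flag_anomalies(scores, z=1.5):
    """Return users whose deviation is more than z standard deviations
    above the population mean (threshold choice is an assumption)."""
    values = list(scores.values())
    mean = statistics.mean(values)
    stdev = statistics.pstdev(values)
    if stdev == 0:
        return []
    return sorted(u for u, s in scores.items() if (s - mean) / stdev > z)


def analyse(log, k=2, z=1.5):
    """Run both stages over a log and return (scores, flagged users)."""
    sim = user_similarity(build_access_sets(log))
    scores = deviation_scores(sim, k)
    return scores, flag_anomalies(scores, z)


if __name__ == "__main__":
    scores, flagged = analyse(ACCESS_LOG)
    for user, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{user}: deviation={score:.3f}")
    print("flagged:", flagged)
```

On the constructed log, every community member sits at deviation 0.4 (each shares three of five records with its two nearest peers), while u_x reaches 6/7 because its best matches overlap on only one record; u_x is the sole user flagged. The same structure is what makes the abstract's "hiding in a crowd" caveat visible: if many illicit users accessed the same scattered records, they would become each other's nearest neighbours and their deviation would drop.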
