A Framework for Detecting Insider Threats using Psychological Triggers

Malicious insiders are difficult to detect and prevent, because insiders such as employees have legitimate rights to access the organization's resources in order to carry out their responsibilities. To overcome this problem, we have developed a framework that detects suspicious insiders using a psychological trigger that impels malicious insiders to behave suspiciously. We have also proposed an architecture comprising an announcer, a monitor, and an analyzer. First, the announcer creates an event (called a "trigger") that impels malicious insiders to behave suspiciously. Then the monitors record suspicious actions such as file/e-mail deletions. Finally, the analyzer identifies the suspicious insiders by comparing the number of deletions before and after the trigger. In this paper, we extend the monitored reaction from only "data deletion" to "stopping further malicious activities". This extension allows a wider variety of use cases, such as "finding private web browsing" and "finding use of unnecessary applications". We also extend the architecture so as to monitor servers as well as clients. The server monitoring architecture is required in the case of server-side data deletions, i.e., e-mail or file deletions at the server side. Moreover, we describe the effectiveness of our approach in such cases.
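The analyzer step sketched above, comparing each user's deletion count before and after the trigger, as an added illustration that is not the paper's own code. The log format, the monitoring window and the flagging thresholds (`min_after`, `ratio`) are constructed assumptions, not values given in the paper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the paper): "<ISO timestamp> <user> <action> <object>".
SAMPLE_LOG = [
    "2024-01-10T08:00:00 alice DELETE early.txt",        # before the window, ignored
    "2024-01-10T09:30:00 alice DELETE report.docx",
    "2024-01-10T10:15:00 bob READ budget.xlsx",          # not a deletion, ignored
    "2024-01-10T11:00:00 carol DELETE old.tmp",
    "2024-01-10T11:20:00 carol DELETE draft.txt",
    "2024-01-10T12:05:00 bob DELETE customers.csv",      # burst of deletions right after the trigger
    "2024-01-10T12:07:00 bob DELETE export.zip",
    "2024-01-10T12:10:00 bob DELETE notes.txt",
    "2024-01-10T12:12:00 bob DELETE mail_archive.pst",
    "2024-01-10T12:30:00 bob DELETE photos.tar",
    "2024-01-10T13:00:00 alice DELETE scratch.md",
    "2024-01-10T14:00:00 carol DELETE log.bak",
    "2024-01-10T14:40:00 carol DELETE cache.dat",
    "2024-01-10T16:00:00 bob DELETE outside_window.txt", # after the window, ignored
]
TRIGGER_TIME = datetime(2024, 1, 10, 12, 0, 0)  # assumed moment the announcer issued the trigger
WINDOW = timedelta(hours=3)                     # assumed symmetric window around the trigger


def parse_line(line):
    """Split one constructed log line into (timestamp, user, action, object)."""
    ts, user, action, obj = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, obj


def count_deletions(lines, trigger, window):
    """Per-user DELETE counts in [trigger - window, trigger) and [trigger, trigger + window)."""
    before, after = defaultdict(int), defaultdict(int)
    for line in lines:
        ts, user, action, _ = parse_line(line)
        if action != "DELETE":
            continue
        if trigger - window <= ts < trigger:
            before[user] += 1
        elif trigger <= ts < trigger + window:
            after[user] += 1
    return before, after


def flag_suspicious(before, after, min_after=3, ratio=3.0):
    """Flag users whose post-trigger deletions are both numerous and well above their baseline."""
    flagged = {}
    for user in set(before) | set(after):
        b, a = before[user], after[user]
        if a >= min_after and a >= ratio * max(b, 1):
            flagged[user] = (b, a)
    return flagged


def analyze(lines, trigger=TRIGGER_TIME, window=WINDOW):
    return flag_suspicious(*count_deletions(lines, trigger, window))
```

Running `analyze(SAMPLE_LOG)` flags only `bob`, whose deletions jump from 0 to 5 once the trigger fires, while `alice` and `carol` keep their pre-trigger rate and pass.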
