Visualizing the insider threat: challenges and tools for identifying malicious user activity

One of the greatest challenges for managing organisational cyber security is the threat that comes from those who operate within the organisation. With entitled access and knowledge of organisational processes, insiders who choose to attack have the potential to cause serious impact, such as financial loss and reputational damage, and in severe cases could even threaten the existence of the organisation. Security analysts therefore require sophisticated tools that allow them to explore and identify user activity that could be indicative of an imminent threat to the organisation. In this work, we discuss the challenges associated with identifying insider threat activity, along with the tools that can help to combat this problem. We present a visual analytics approach that incorporates multiple views, including a user selection tool that indicates anomalous behaviour, an interactive Principal Component Analysis (iPCA) tool that helps the analyst assess the reasoning behind the anomaly detection results, and an activity plot that visualizes user and role activity over time. We demonstrate our approach using the Carnegie Mellon University CERT Insider Threat Dataset to show how the visual analytics workflow supports the Information-Seeking mantra.
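As an added example, not code from the paper or its tool, this shows the kind of PCA-based scoring that the user selection and iPCA views described above can be built on: a profile of ordinary activity is fitted from per-user daily activity counts, every user-day is scored by its residual from the leading principal component, and the per-feature residuals give the analyst the reasoning behind each score. The feature names, the constructed counts (not CERT data) and the power-iteration PCA are assumptions of this example.

```python
import math
import random

FEATURES = ["logons", "after_hours_logons", "usb_connects", "files_copied", "emails_sent"]

def constructed_activity(seed=7):
    """Constructed counts (not CERT data): 8 users x 5 ordinary days, then one suspicious day."""
    rng = random.Random(seed)
    rows = []
    for _ in range(40):
        base = rng.randint(1, 4)  # a busier day means more logons, file touches and mail together
        rows.append([base, rng.randint(0, 1), rng.randint(0, 1),
                     base + rng.randint(0, 2), 4 * base + rng.randint(0, 3)])
    rows.append([2, 3, 6, 40, 8])  # after-hours logons, repeated USB use, bulk file copying
    labels = [f"user{i // 5}/day{i % 5}" for i in range(40)] + ["user3/day5"]
    return labels, rows

def fit_profile(rows, k=1, iters=200):
    """Normal profile: z-score stats plus the leading k principal components (power iteration)."""
    n, d = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / n) or 1.0 for j in range(d)]
    z = [[(r[j] - means[j]) / stds[j] for j in range(d)] for r in rows]
    cov = [[sum(r[a] * r[b] for r in z) / n for b in range(d)] for a in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0  # converges to the eigenvalue
            v = [x / norm for x in w]
        comps.append(v)
        cov = [[cov[a][b] - norm * v[a] * v[b] for b in range(d)] for a in range(d)]  # deflate
    return means, stds, comps

def score_day(profile, row, top=2):
    """Squared residual off the profile's components and the features driving it (the reasoning)."""
    means, stds, comps = profile
    z = [(row[j] - means[j]) / stds[j] for j in range(len(row))]
    proj = [0.0] * len(z)
    for v in comps:
        s = sum(z[j] * v[j] for j in range(len(z)))
        proj = [proj[j] + s * v[j] for j in range(len(z))]
    resid = [z[j] - proj[j] for j in range(len(z))]
    drivers = sorted(range(len(z)), key=lambda j: -resid[j] ** 2)[:top]
    return round(sum(x * x for x in resid), 2), [FEATURES[j] for j in drivers]

def rank_anomalies(profile, labels, rows):
    """Most anomalous user-days first, each with the features driving its score."""
    return sorted([(label, *score_day(profile, row)) for label, row in zip(labels, rows)],
                  key=lambda t: t[1], reverse=True)
```

Fit the profile on the ordinary days only (`fit_profile(rows[:40])`), then rank all days: the constructed USB and bulk-copy day comes out on top with `files_copied` as its leading driver, which is the explanation an analyst would then explore in the activity plot.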
