Detection of anomalous insiders in collaborative environments via relational analysis of access logs

Collaborative information systems (CIS) are deployed within a diverse array of environments, ranging from the Internet to intelligence agencies to healthcare. It is increasingly the case that such systems are applied to manage sensitive information, making them targets for malicious insiders. While sophisticated security mechanisms have been developed to detect insider threats in various file systems, they are neither designed to model nor to monitor collaborative environments in which users function in dynamic teams with complex behavior. In this paper, we introduce a community-based anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on information recorded in the access logs of collaborative environments. CADS is based on the observation that typical users tend to form community structures, such that users with low affinity to such communities are indicative of anomalous and potentially illicit behavior. The model consists of two primary components: relational pattern extraction and anomaly detection. For relational pattern extraction, CADS infers community structures from CIS access logs; the derived communities serve as the CADS pattern core. CADS then uses a formal statistical model to measure the deviation of users from the inferred communities and to predict which users are anomalies. To empirically evaluate the threat detection model, we perform an analysis with six months of access logs from a real electronic health record system in a large medical center, as well as a publicly available dataset for replication purposes. The results illustrate that CADS can distinguish simulated anomalous users in the context of real user behavior with a high degree of certainty and with significant performance gains in comparison to several competing anomaly detection models.
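The two-stage pipeline the abstract outlines (infer communities from who touches which records, then score each user by affinity to the nearest community) can be illustrated on a small constructed access log. The following Python is an added example written for this page, not the authors' CADS implementation: it assumes a CSV log of `timestamp,user,record` lines, uses Jaccard overlap of accessed records as the user-to-user relation, and stands in a similarity-threshold connected-components step for the paper's community inference and a simple "1 minus best mean affinity" score for its statistical deviation model. Two clinical teams each work their own patients; `clerk_x` reaches into both teams' records and so has low affinity to either community.

```python
"""Community-affinity anomaly scoring over a CIS access log (illustrative)."""
from collections import defaultdict
from itertools import combinations

# Constructed log (not real data): "timestamp,user,record", one access per line.
ACCESS_LOG = """\
2009-01-05T08:12,dr_adams,P1
2009-01-05T08:30,dr_adams,P2
2009-01-05T09:02,dr_adams,P3
2009-01-05T09:45,dr_adams,P4
2009-01-05T08:15,dr_baker,P1
2009-01-05T08:41,dr_baker,P2
2009-01-05T09:10,dr_baker,P3
2009-01-05T10:05,rn_cole,P2
2009-01-05T10:20,rn_cole,P3
2009-01-05T10:33,rn_cole,P4
2009-01-05T08:05,dr_evans,P5
2009-01-05T08:22,dr_evans,P6
2009-01-05T08:50,dr_evans,P7
2009-01-05T09:14,dr_evans,P8
2009-01-05T09:01,dr_fox,P5
2009-01-05T09:20,dr_fox,P6
2009-01-05T09:40,dr_fox,P7
2009-01-05T11:00,rn_gray,P6
2009-01-05T11:15,rn_gray,P7
2009-01-05T11:30,rn_gray,P8
2009-01-05T12:01,clerk_x,P1
2009-01-05T12:04,clerk_x,P5
2009-01-05T12:09,clerk_x,P8
"""


def parse_log(text):
    """Return {user: set(records)}; blank or malformed lines are skipped."""
    accesses = defaultdict(set)
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        _ts, user, record = parts
        accesses[user].add(record)
    return dict(accesses)


def jaccard(a, b):
    """Overlap of two record sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def similarity_matrix(accesses):
    """Symmetric user-to-user relation: shared-record Jaccard similarity."""
    sim = {u: {} for u in accesses}
    for u, v in combinations(sorted(accesses), 2):
        sim[u][v] = sim[v][u] = jaccard(accesses[u], accesses[v])
    return sim


def infer_communities(sim, threshold=0.5):
    """Connected components of the graph with edges where sim >= threshold.
    Assumption: a stand-in for the paper's community inference step."""
    parent = {u: u for u in sim}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for u in sim:
        for v, s in sim[u].items():
            if s >= threshold:
                parent[find(u)] = find(v)
    groups = defaultdict(set)
    for u in sim:
        groups[find(u)].add(u)
    return sorted(groups.values(), key=sorted)


def anomaly_scores(sim, communities):
    """Score = 1 - best mean similarity to any community's other members.
    A user who fits no community well (singleton or cross-team) scores high."""
    scores = {}
    for u in sim:
        best = 0.0
        for comm in communities:
            others = comm - {u}
            if others:
                best = max(best, sum(sim[u][v] for v in others) / len(others))
        scores[u] = 1.0 - best
    return scores


def rank_users(text, threshold=0.5):
    """Full pipeline: parse -> relate -> infer communities -> rank by deviation."""
    sim = similarity_matrix(parse_log(text))
    comms = infer_communities(sim, threshold)
    ranking = sorted(anomaly_scores(sim, comms).items(),
                     key=lambda kv: kv[1], reverse=True)
    return ranking, comms


if __name__ == "__main__":
    ranking, comms = rank_users(ACCESS_LOG)
    print("communities:", [sorted(c) for c in comms])
    for user, score in ranking:
        print(f"{user:10s} {score:.3f}")
```

The threshold and the Jaccard relation are the tunable parts: raising the threshold fragments teams into singletons and inflates every score, while a relation that ignores record counts treats a user who opened one shared chart the same as one who opened fifty. A deployment would also keep the ranking as a triage queue rather than an alarm, since legitimate float staff covering several teams produce the same low-affinity signature as a browsing insider.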
