Insider Threat Detection Using Graph-Based Approaches

Protecting our nation's cyber infrastructure and securing sensitive information are critical challenges for homeland security and require the research, development and deployment of new technologies that can be transitioned into the field for combating cyber security risks. Particular areas of concern are the deliberate and intended actions associated with malicious exploitation, theft or destruction of data, or the compromise of networks, communications or other IT resources, of which the most harmful and difficult-to-detect threats are those propagated by an insider. However, current efforts to identify unauthorized access to information, such as what is found in document control and management systems, are limited in scope and capabilities. In order to address this issue, this effort involves performing further research and development on the existing graph-based anomaly detection (GBAD) system. GBAD discovers anomalous instances of structural patterns in data that represent entities, relationships and actions. Input to GBAD is a labeled graph in which entities are represented by labeled vertices and relationships or actions are represented by labeled edges between entities. Using the minimum description length (MDL) principle to identify the normative pattern that minimizes the number of bits needed to describe the input graph after it has been compressed by that pattern, GBAD implements algorithms for identifying the three possible changes to a graph: modifications, insertions and deletions. Each algorithm discovers those substructures that come closest to matching the normative pattern without matching it exactly.
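The following is an added illustration, not code from the paper or from the GBAD system itself, of the two ideas the abstract describes: choosing a normative pattern by the MDL principle (the pattern whose description plus the description of the compressed graph is smallest) and then reporting the instances that come closest to that pattern without matching it exactly, classified as modifications, insertions or deletions. The graph is a constructed example of user activity in which each user vertex and its outgoing labeled edges form one star-shaped instance; the description-length model (one unit per vertex and per edge), the restriction to star patterns around one vertex label, and the anomaly score (transformation cost multiplied by the frequency of the deviating structure, lower meaning more anomalous) are simplifications chosen for this example, not GBAD's actual encoding or scoring.

```python
"""Toy GBAD-style structural anomaly detection on a labeled activity graph."""
from collections import Counter
from itertools import combinations

# Constructed sample graph (not from the paper). Vertices carry entity labels,
# edges carry action labels; each "user" vertex and its edges form one star instance.
VERTEX_LABELS = {
    **{f"u{i}": "user" for i in range(1, 8)},
    **{f"ws{i}": "workstation" for i in range(1, 7)},
    **{f"doc{i}": "document" for i in range(1, 8)},
    "pr1": "printer", "pr2": "printer",
    "ext1": "external_address", "usb1": "usb_device",
}
EDGES = [  # (source, action label, target)
    ("u1", "login", "ws1"), ("u1", "access", "doc1"), ("u1", "print", "pr1"),
    ("u2", "login", "ws2"), ("u2", "access", "doc2"), ("u2", "print", "pr1"),
    ("u3", "login", "ws3"), ("u3", "access", "doc3"), ("u3", "print", "pr2"),
    ("u4", "login", "ws4"), ("u4", "access", "doc4"), ("u4", "print", "pr2"),
    # u5: the print action is replaced by sending the document externally (modification)
    ("u5", "login", "ws5"), ("u5", "access", "doc5"), ("u5", "email", "ext1"),
    # u6: normative activity plus an extra copy to removable media (insertion)
    ("u6", "login", "ws6"), ("u6", "access", "doc6"), ("u6", "print", "pr1"),
    ("u6", "copy", "usb1"),
    # u7: document activity with no login edge at all (deletion)
    ("u7", "access", "doc7"), ("u7", "print", "pr2"),
]


def star_instances(edges, labels, center_label="user"):
    """Map each vertex with the centre label to the set of (action, target label)
    pairs leaving it; these sets are the candidate instances we compare."""
    inst = {}
    for src, action, dst in edges:
        if labels[src] == center_label:
            inst.setdefault(src, set()).add((action, labels[dst]))
    return {v: frozenset(s) for v, s in inst.items()}


def description_length(n_vertices, n_edges):
    """Crude stand-in for the bit count MDL works with: one unit per vertex/edge."""
    return n_vertices + n_edges


def normative_pattern(instances, n_vertices, n_edges):
    """MDL choice of the normative pattern: minimise DL(S) + DL(G|S), where every
    exact instance of S is collapsed to a single vertex in the compressed graph.
    Returns (pattern, total description length)."""
    candidates = set()
    for sig in instances.values():
        for k in range(1, len(sig) + 1):
            candidates.update(frozenset(c) for c in combinations(sorted(sig), k))
    best, best_dl = None, description_length(n_vertices, n_edges)  # no compression
    for pat in sorted(candidates, key=lambda p: (-len(p), sorted(p))):
        count = sum(1 for sig in instances.values() if pat <= sig)
        dl_pattern = description_length(1 + len(pat), len(pat))
        # each instance loses its edges and their target vertices; the centre is kept
        dl_graph_given_pattern = description_length(
            n_vertices - count * len(pat), n_edges - count * len(pat))
        total = dl_pattern + dl_graph_given_pattern
        if total < best_dl:
            best, best_dl = pat, total
    return best, best_dl


def classify_anomalies(instances, pattern):
    """Report instances that come close to the normative pattern without matching
    it exactly, labelled as modification, insertion or deletion."""
    freq = Counter(instances.values())
    report = []
    for vertex, sig in instances.items():
        missing, extra = pattern - sig, sig - pattern
        if not missing and not extra:
            continue  # exact instance of the normative pattern
        kind = "modification" if missing and extra else "insertion" if extra else "deletion"
        cost = len(missing) + len(extra)  # edges to change to reach the pattern
        report.append({"vertex": vertex, "type": kind, "cost": cost,
                       "frequency": freq[sig], "missing": sorted(missing),
                       "extra": sorted(extra), "score": cost * freq[sig]})
    return sorted(report, key=lambda r: (r["score"], r["vertex"]))


def run(edges=EDGES, labels=VERTEX_LABELS):
    instances = star_instances(edges, labels)
    pattern, dl = normative_pattern(instances, len(labels), len(edges))
    return pattern, dl, classify_anomalies(instances, pattern)


if __name__ == "__main__":
    pattern, dl, report = run()
    print("normative pattern:", sorted(pattern), "compressed DL:", dl)
    for r in report:
        print(f"{r['vertex']}: {r['type']} (score {r['score']}) "
              f"missing={r['missing']} extra={r['extra']}")
```

On this input the three-edge login/access/print star wins the MDL comparison (five of the seven users contain it), and the three deviating users are reported with the lowest scores, u6 and u7 first because a single edge separates them from the pattern. A real deployment would enumerate general subgraphs rather than stars and use GBAD's actual bit-level encoding, but the comparison of DL(S) + DL(G|S) against the uncompressed graph, and the search for near misses rather than outright unknown structure, are the same steps.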
