Leveraging social networks to detect anomalous insider actions in collaborative environments

Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks. They are often deployed in complex dynamic systems that grant users broad access privileges, which also leaves the system vulnerable to various attacks. Techniques to detect threats originating from beyond the system are relatively mature, but methods to detect insider threats are still evolving. A promising class of insider threat detection models for CIS focuses on the communities that form between users based on their use of common subjects in the system. However, current methods detect only when a user's aggregate behavior is anomalous, not when specific actions have deviated from expectation. In this paper, we introduce a method called specialized network anomaly detection (SNAD) to detect such events. SNAD assembles the community of users that access a particular subject and assesses whether the similarity of that community with and without a given user differs sufficiently. We present a theoretical basis and perform an extensive empirical evaluation with the access logs of two distinct environments: those of a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,388,955 revisors, 55,200 articles and 6,482,780 revisions). We compare SNAD with several competing methods and demonstrate that it is significantly more effective: on average it achieves 20–30% greater area under an ROC curve.
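To make the mechanism concrete, the following is an added toy implementation of the idea sketched above; it is not the paper's code. It assumes cosine similarity over the sets of subjects each user has accessed and the mean pairwise similarity of a community as its cohesion measure (both assumptions, since the abstract names neither), and it scores one access by how much cohesion of the subject's community changes when the accessing user is removed. The access log is a constructed sample.

```python
"""Toy SNAD-style scoring of a single (user, subject) access.

Score = cohesion of the subject's community without the user
      - cohesion of the community with the user.
A large positive score means the community becomes markedly more
cohesive once the user is removed, i.e. the user is an outlier in it.
"""
from collections import defaultdict
from itertools import combinations
import math

# Constructed sample log of (user, subject) pairs, e.g. clinician -> patient record.
# alice, bob and carol work on overlapping records; dave and erin on another set.
# dave's final access to p1 is the event we want to see ranked as anomalous.
ACCESS_LOG = [
    ("alice", "p1"), ("alice", "p2"), ("alice", "p3"),
    ("bob", "p1"), ("bob", "p2"), ("bob", "p3"),
    ("carol", "p1"), ("carol", "p2"), ("carol", "p4"),
    ("dave", "p5"), ("dave", "p6"), ("dave", "p7"),
    ("erin", "p5"), ("erin", "p6"),
    ("dave", "p1"),
]


def build_profiles(log):
    """Map each user to the set of subjects that user has accessed."""
    profiles = defaultdict(set)
    for user, subject in log:
        profiles[user].add(subject)
    return dict(profiles)


def cosine(a, b):
    """Cosine similarity of two binary subject vectors represented as sets.
    (Assumed similarity measure; the abstract does not specify one.)"""
    if not a or not b:
        return 0.0
    return len(a & b) / math.sqrt(len(a) * len(b))


def community_similarity(users, profiles, focal_subject):
    """Mean pairwise similarity among `users`, ignoring the focal subject so
    the subject every member shares by construction does not inflate cohesion.
    Returns 0.0 for communities with fewer than two members."""
    pairs = list(combinations(sorted(users), 2))
    if not pairs:
        return 0.0
    total = sum(cosine(profiles[u] - {focal_subject}, profiles[v] - {focal_subject})
                for u, v in pairs)
    return total / len(pairs)


def snad_score(log, user, subject):
    """Anomaly score for `user` accessing `subject` against the full log."""
    profiles = build_profiles(log)
    community = {u for u, s in log if s == subject}
    if user not in community:
        raise ValueError(f"{user!r} never accessed {subject!r}")
    with_user = community_similarity(community, profiles, subject)
    without_user = community_similarity(community - {user}, profiles, subject)
    return without_user - with_user


def rank_accesses(log, subject):
    """Score every user who accessed `subject`, highest (most anomalous) first."""
    community = {u for u, s in log if s == subject}
    scores = {u: snad_score(log, u, subject) for u in community}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for user, score in rank_accesses(ACCESS_LOG, "p1"):
        print(f"{user:6s} {score:+.3f}")
```

Running it ranks dave's access to p1 first (score +0.333) while carol, who shares records with alice and bob, scores 0.0 and alice and bob score slightly negative; in practice the score would be thresholded or compared against the distribution of scores for accesses known to be legitimate. A subject accessed by only one or two users yields a score of 0.0, since there is no community to compare against, which is a limitation this per-access view inherits from any community-based method.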
