Data-Driven Model-Based Detection of Malicious Insiders via Physical Access Logs

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.
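The combination the abstract describes, a movement model learned per user from historical access-control logs plus knowledge of the building layout, can be sketched as follows. This is an added illustration, not the paper's code; the door adjacency map, the log format and the log lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed building layout (assumption): readers that can directly follow one another.
ADJACENT = {"lobby": {"corridor"}, "corridor": {"lobby", "office", "server_room"},
            "office": {"corridor"}, "server_room": {"corridor"}}

# Constructed historical access-control log (assumption): "timestamp,user,door".
HISTORY = """\
2023-01-02T08:00,alice,lobby
2023-01-02T08:01,alice,corridor
2023-01-02T08:02,alice,office
2023-01-03T08:05,alice,lobby
2023-01-03T08:06,alice,corridor
2023-01-03T08:07,alice,office
2023-01-02T07:50,bob,lobby
2023-01-02T07:51,bob,corridor
2023-01-02T07:52,bob,server_room
"""

def parse(log_text):
    """Per-user door trails, split per day so overnight gaps are not transitions."""
    trails = defaultdict(list)
    for line in sorted(log_text.strip().splitlines()):
        ts, user, door = line.split(",")
        trails[(user, ts[:10])].append(door)
    return trails

def learn(trails):
    """First-order transition counts per user: counts[user][(door_a, door_b)]."""
    counts = defaultdict(lambda: defaultdict(int))
    for (user, _), doors in trails.items():
        for a, b in zip(doors, doors[1:]):
            counts[user][(a, b)] += 1
    return counts

def score(counts, user, doors, threshold=0.2):
    """Alert on layout-impossible steps and on steps rare under the user's own model."""
    alerts = []
    for a, b in zip(doors, doors[1:]):
        if b not in ADJACENT.get(a, set()):
            alerts.append((a, b, "impossible under layout"))
            continue
        seen = counts.get(user, {})
        from_a = sum(c for (x, _), c in seen.items() if x == a)
        p = (seen.get((a, b), 0) + 1) / (from_a + len(ADJACENT))  # add-one smoothing
        if p < threshold:
            alerts.append((a, b, "rare for this user (p=%.2f)" % p))
    return alerts
```

A step between two non-adjacent readers cannot happen with a single badge walking the building, so it is flagged regardless of history; the same corridor-to-server-room step is routine for bob but rare for alice, which is why the model is learned per user.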
