Supervised and Unsupervised methods to detect Insider Threat from Enterprise Social and Online Activity Data

Insider threat is a significant security risk for organizations, and detection of insider threat is of paramount concern to them. In this paper, we attempt to discover insider threat by analyzing enterprise social and online activity data of employees. To this end, we process and extract relevant features that are possibly indicative of insider threat behavior. These include features extracted from social data, such as email communication patterns and content, and from online activity data, such as web browsing patterns, email frequency, and file and machine access patterns. Subsequently, we take two approaches to detect insider threat: (i) an unsupervised approach, where we identify statistically abnormal behavior with respect to these features using state-of-the-art anomaly detection methods, and (ii) a supervised approach, where we use labels indicating when employees quit the company as a proxy for insider threat activity to design a classifier. We test our approach on a real-world data set with artificially injected insider threat events. We obtain a ROC score of 0.77 for the unsupervised approach, and a classification accuracy of 73.4% for the supervised approach. These results indicate that our proposed approaches are fairly successful in identifying insider threat events. Finally, we build a visualization dashboard that enables managers and HR personnel to quickly identify employees with high threat-risk scores, enabling them to take suitable preventive measures and limit security risk.
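As an added illustration (not code from the paper), the unsupervised branch in miniature: per-employee features of the kind listed above (email frequency, web browsing, file access, after-hours activity) are extracted from a constructed one-day activity log, scored by robust z-distance from the peer population in place of the paper's anomaly detector, and evaluated by ROC AUC against a constructed injected-threat label. The employee names, the 07:00-19:00 working-hours cutoff and the scoring rule are all assumptions.

```python
from statistics import median

# Constructed activity log, user -> [(event_kind, hour_of_day)]; not the paper's data set.
# "mallory" carries the artificially injected threat activity (constructed label).
EVENTS = {
    "alice":   [("email", 9), ("email", 11), ("email", 15), ("web", 10), ("web", 14), ("file", 13), ("file", 16)],
    "bob":     [("email", 9), ("email", 16), ("web", 10), ("web", 11), ("web", 12), ("file", 14), ("file", 15)],
    "carol":   [("email", 9), ("email", 10), ("email", 11), ("web", 13), ("web", 14), ("file", 15)],
    "dave":    [("email", 8), ("email", 9), ("email", 10), ("email", 11), ("web", 13), ("file", 14), ("file", 15)],
    "mallory": [("email", 9), ("web", 10), ("web", 11), ("file", 17), ("file", 18),
                ("file", 21), ("file", 22), ("file", 22), ("file", 23)],
}
INJECTED = {"mallory"}
FEATURES = ("email", "web", "file", "after_hours")

def extract_features(events):
    """Per-employee counts of emails, web requests, file accesses and after-hours events."""
    feats = {}
    for user, rows in events.items():
        f = dict.fromkeys(FEATURES, 0)
        for kind, hour in rows:
            f[kind] += 1
            if hour < 7 or hour > 19:   # assumption: 07:00-19:00 is normal working time
                f["after_hours"] += 1
        feats[user] = f
    return feats

def anomaly_scores(feats):
    """Unsupervised risk score: sum over features of |x - median| / MAD against the peer group.
    A MAD of 0 falls back to 1 so a feature that is constant for most employees still counts."""
    med, mad = {}, {}
    for n in FEATURES:
        col = [f[n] for f in feats.values()]
        med[n] = median(col)
        mad[n] = median([abs(v - med[n]) for v in col]) or 1.0
    return {u: sum(abs(f[n] - med[n]) / mad[n] for n in FEATURES) for u, f in feats.items()}

def roc_auc(scores, positives):
    """Rank-based AUC: probability a flagged employee outscores a normal one (ties count 1/2)."""
    pos = [s for u, s in scores.items() if u in positives]
    neg = [s for u, s in scores.items() if u not in positives]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

if __name__ == "__main__":
    scores = anomaly_scores(extract_features(EVENTS))
    for user, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{user:8s} risk score {s:.1f}")
    print("ROC AUC against injected labels:", roc_auc(scores, INJECTED))
```

On this tiny constructed population the injected employee is ranked first and the AUC is 1.0; the paper's 0.77 is measured on its real-world data set with a proper anomaly detector.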
