A Framework for Data-Driven Physical Security and Insider Threat Detection

This paper presents PSO, an ontological framework and a methodology for improving physical security and insider threat detection. PSO can facilitate forensic data analysis and proactively mitigate insider threats by leveraging rule-based anomaly detection. In many cases, rule-based anomaly detection can detect employee deviations from organizational security policies. In addition, PSO can be considered a security provenance solution because of its ability to fully reconstruct attack patterns. Provenance graphs can be further analyzed to identify deceptive actions and overcome analytical mistakes that can result in bad decision-making, such as false attribution. Moreover, the information can be used to enrich the available intelligence (about intrusion attempts) that can form use cases to detect and remediate limitations in the system, such as loosely-coupled provenance graphs, which in many cases indicate weaknesses in the physical security architecture. Ultimately, validation of the framework through use cases demonstrates that PSO can improve an organization's security posture in terms of physical security and insider threat detection.
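The two ideas the abstract combines, rule-based detection of policy deviations and the reading of a loosely-coupled provenance graph as an architectural gap, can be illustrated on access-control events. The following is an added example and not code from the paper; the badge events, the zone hierarchy in `PARENT` and the "enter only from the parent zone" rule are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample access-control events, not data from the paper:
# (timestamp, employee, action, zone)
EVENTS = [
    (1, "alice", "enter", "lobby"),
    (2, "alice", "enter", "lab"),
    (3, "bob", "enter", "lab"),      # no lobby record precedes this entry
    (4, "alice", "enter", "vault"),
    (5, "bob", "enter", "vault"),
    (6, "alice", "exit", "vault"),
    (7, "carol", "enter", "lobby"),
    (8, "carol", "enter", "vault"),  # skips the lab, the vault's parent zone
]

# Hypothetical zone hierarchy (assumed): a zone may only be entered from its parent.
PARENT = {"lobby": None, "lab": "lobby", "vault": "lab"}


def build_provenance(events):
    """Per-employee provenance graph: each recorded event is linked to the next one."""
    graph, last = defaultdict(list), {}
    for ts, who, action, zone in sorted(events):
        node = (ts, action, zone)
        if who in last:
            graph[who].append((last[who], node))
        last[who] = node
    return dict(graph)


def find_policy_deviations(events, parent):
    """Rule: an 'enter' into zone Z is well-formed only if the employee's current
    location is Z's parent. Anything else (tailgating, a missing sensor, a badge
    used out of sequence) is reported as a deviation for analyst review."""
    location, deviations = {}, []
    for ts, who, action, zone in sorted(events):
        if action == "enter":
            if location.get(who) != parent[zone]:
                deviations.append((ts, who, zone, location.get(who)))
            location[who] = zone
        elif action == "exit":
            location[who] = parent[zone]
    return deviations


def coupling_ratio(events, parent):
    """Share of entries whose provenance links back to the parent zone. A low value
    means the graph is loosely coupled, which the abstract reads as a sign of gaps
    in the physical security architecture rather than of individual misuse."""
    entries = sum(1 for e in events if e[2] == "enter")
    broken = len(find_policy_deviations(events, parent))
    return (entries - broken) / entries if entries else 1.0
```

On the sample data the rule flags bob's lab entry (no preceding lobby record) and carol's vault entry (lab skipped), and the coupling ratio of 5/7 quantifies how much of the provenance chain the sensors actually captured.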
