A Multi-Modal Neuro-Physiological Study of Malicious Insider Threats

It has long been recognized that solutions to insider threat are mainly user-centric, and several psychological and psychosocial models have been proposed. However, the user behavior underlying these malicious acts is still not fully understood, motivating further investigation at the neuro-physiological level. In this work, we conduct a multi-modal study of how the user's brain processes malicious and benign activities. In particular, we focus on electroencephalogram (EEG) signals, which arise from the user's brain activity, and eye tracking, which can capture spontaneous responses that are unfiltered by the conscious mind. We conduct human study experiments to capture the EEG signals of a group of 25 participants while they perform several computer-based activities in different scenarios. We analyze the EEG signals and the eye tracking data, extract features, and evaluate our approach using several classifiers. The results show that our approach achieved an average accuracy of 99.77% in detecting the malicious insider using the EEG data of 256 channels (sensors) and an average detection accuracy of up to 95.64% using only five channels (sensors). The results show an average detection accuracy of up to 83% using the eye movement and pupil behavior data. In general, our results indicate that human EEG signals and eye tracking data can reveal valuable knowledge about a user's malicious intent and can be used as an effective indicator in designing real-time insider threat monitoring and detection frameworks.
