SoK: A Systematic Review of Insider Threat Detection

Because insider threats are subtle by nature, government bodies and corporate organizations must contend with insiders who are both malicious and accidental. In this paper, we provide a systematic understanding of the past literature that addresses the problems of insider threat detection. Our review consists of three parts. First, we examine the different types of insider threats based on insider characteristics and insider activities. Second, we explore the sensors that make automated detection of insider threats possible, and the public datasets available for research. Finally, the detection approaches used in related studies are examined from the perspectives of technology, learning, input category, detection target, and interpretability. In particular, we cover the state-of-the-art deep learning literature that was not covered in previous surveys.
