Your search keyword '"Insider threat"' showing total 257 results

1. Textual analysis of traitor-based dataset through semi supervised machine learning

Author

Asif Masood, Malik Muhammad Zaki Murtaza Khan, Faisal Janjua, Imran Rashid, and Haider Abbas

Subjects

Artificial neural network, Computer Networks and Communications, Computer science, business.industry, Decision tree, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Machine learning, computer.software_genre, Random forest, Insider, Support vector machine, Identification (information), Naive Bayes classifier, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, business, computer, Software

Abstract

Insider threats are one of the most challenging and growing security threats which the government agencies, organizations, and institutions face. In such scenarios, malicious (red) activities are performed by the authorized individuals within the company. Because of which, an insider threat has become a taxing and difficult task to identify among other attacks. Along with other monitoring parameters; email logs play a vital role in many research areas such as stalking Insider Threat involving Collaborating Traitors, Textual Analysis, and Social Media exploration. This paper presents a semi-supervised machine learning framework which embraces the pre-processing and classification techniques together for unlabeled dataset i.e. emails. Enron Corporation dataset has been used for experiments and TWOS for evaluation of the proposed framework. Initially, dataset is transformed into vector form using Term Frequency–Inverse Document Frequency (TF–IDF). Thereafter, K-Means is used to classify emails based on message content. Finally, Machine Learning algorithm Decision Tree (DT) is applied to classify the malicious activities. The proposed framework has also been tested with other algorithms such as Logistic Regression (LR), Naive Bayes (NB), KNN, Support Vector Machine (SVM), Random Forest (RF) and Neural Network (NN). However, Decision Tree (DT) combined with pre-processing steps has given the desired results with 99.96% Accuracy and 0.994 AUC for identification of malicious content.

Published

2021

2. Ethical leadership and employee information security policy (ISP) violation: exploring dual-mediation paths

Author

Xin (Robert) Luo, Merrill Warkentin, Feng Xu, and Botong Xue

Subjects

ComputingMilieux_THECOMPUTINGPROFESSION, business.industry, 05 social sciences, Insider threat, 02 engineering and technology, Information security, Organizational commitment, Public relations, Social learning, Ethical leadership, Social exchange theory, 020204 information systems, 0502 economics and business, Mediation, 0202 electrical engineering, electronic engineering, information engineering, business, Psychology, Social learning theory, 050203 business & management

Abstract

PurposeA growing number of studies have investigated the effect of ethical leadership on behavioral outcome of employees. However, considering the important role of ethics in IS security, the security literature lacks a theoretical and empirical investigation of the relationship between ethical leadership and employees' security behavior, such as information security policy (ISP) violation. Drawing on social learning and social exchange theories, this paper empirically tests the impact of ethical leadership on employees' ISP violation intention through both information security climate (i.e. from a moral manager's perspective) and affective commitment (i.e. from a moral person's perspective).Design/methodology/approachThe research was developed based on social learning theory and social exchange theory. To measure the variables in the model, the authors used and adapted measurement items from previous studies. The authors conducted a scenario-based survey with 339 valid responses to test and validate the research model.FindingsResults indicated that information security climate fully mediates the relationship between ethical leadership and ISP violation intention. The authors also found that information security climate enhances the negative effect of affective commitment on ISP violation intention.Originality/valueThis research contributes to the literature of information security by introducing the role of ethical leadership and integrating two theories into our research model. This study also calls attention to how information security climate and affective commitment mediate the relationship between ethical leadership and employees' ISP violation intention. The theory-driven study provides important pragmatic guidance for enhancing the understanding of the importance of ethical leadership in information systems security research.

Published

2021

3. Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility

Author

James D. Lee, Kathryn B. Laskey, Wanru Li, Frank L. Greitzer, and Justin Purl

Subjects

021110 strategic, defence & security studies, 05 social sciences, Applied psychology, 0211 other engineering and technologies, General Engineering, Insider threat, 02 engineering and technology, Audit, Impulsivity, Phishing, Age and gender, medicine, Research studies, 0501 psychology and cognitive sciences, medicine.symptom, Psychology, 050107 human factors

Abstract

This article reports on a simulated phishing experiment targeting 6,938 faculty and staff at George Mason University. The three-week phishing campaign employed three types of phishing exploits and examined demographic, linked workstation/network monitoring audit data, and a variety of behavioral and psychological factors measured via pre- and post-campaign surveys. While earlier research studies have reported disparate effects of gender and age, the present results suggest that these effects are not significant or are of limited strength and that other underlying factors may be more important. Specifically, significant differences in phishing susceptibility were obtained for different email contexts and based on whether individuals have been successfully phished before (these people were more likely to succumb to subsequent phishing emails in our study). Further, participants who responded to phishing exploits scored higher on impulsivity than the non-clickers. Also, participants whose survey responses indicated that they had more appropriate online “security hygiene habits,” such as checking the legitimacy of links, were less likely to be successfully phished in our campaign. Participants whose post-campaign survey responses indicated that they were suspicious of a phishing email message in our campaign were far less likely to click on the phishing link than those who were not suspicious. Similar results were obtained for judgments of pertinence of the email. Participants who indicated that they thought about the negative consequences of clicking the link were less likely to do so than participants who did not think about the negative consequences. Implications for effective training and awareness are discussed.

Published

2021

4. Anomaly Detection for Insider Threats Using Unsupervised Ensembles

Author

Duc C. Le and Nur Zincir-Heywood

Subjects

Computer Networks and Communications, Computer science, business.industry, Insider threat, 020206 networking & telecommunications, Computational intelligence, 02 engineering and technology, Machine learning, computer.software_genre, Data modeling, Insider, Robustness (computer science), 0202 electrical engineering, electronic engineering, information engineering, Unsupervised learning, Anomaly detection, Artificial intelligence, Electrical and Electronic Engineering, Hidden Markov model, business, computer

Abstract

Insider threat represents a major cybersecurity challenge to companies, organizations, and government agencies. Insider threat detection involves many challenges, including unbalanced data, limited ground truth, and possible user behavior changes. This research presents an unsupervised learning based anomaly detection approach for insider threat detection. We employ four unsupervised learning methods with different working principles, and explore various representations of data with temporal information. Furthermore, different computational intelligence schemes are explored to combine these models to create anomaly detection ensembles for improving the detection performance. Evaluation results show that the approach allows learning from unlabelled data under challenging conditions for insider threat detection. Insider threats are detected with high detection and low false positive rates. For example, 60% of malicious insiders are detected under 0.1% investigation budget, and all malicious insiders are detected at less than 5% investigation budget. Furthermore, we explore the ability of the proposed approach to generalize for detecting new anomalous behaviors in different datasets, i.e., robustness. Finally, results demonstrate that a voting-based ensemble of anomaly detection can be used to improve detection performance as well as the robustness. Comparisons with the state-of-the-art confirm the effectiveness of the proposed approach.

Published

2021

5. Formal approach to thwart against insider attacks: A bio-inspired auto-resilient policy regulation framework

Author

Usman Rauf, Mohamed Shehab, Nafees Qamar, and Sheema Sameen

Subjects

Computer Networks and Communications, Computer science, business.industry, Insider threat, 020206 networking & telecommunications, Access control, 02 engineering and technology, Data breach, Formal methods, Computer security, computer.software_genre, Insider, Hardware and Architecture, Analytics, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer, Privilege escalation, Software

Abstract

The ever-growing number of cyber crimes and incidents (i.e., data breaches, privilege escalation, and masquerade attacks) indicates that traditional cyber defense mechanisms designed to manage access control and understand human behavioral intent are unable to protect large organizations against organized malicious attacks. The existing state-of-the-art solutions, extensively rely on human decision making and correlation-based analysis, to understand the anomalous intent of an insider. This consequently leads to data breaches, hence making insider threats one of the biggest challenges faced by the cybersecurity community today. To deal with these issues, new access control architectures and models must focus on the integration of threat analytics, auto-resiliency, and fast response time to mitigate an ongoing threat in a timely manner. In this article, to address these issues and limitations, we propose an integrated access control policy regulation framework, designed on biological principles. The proposed framework provides the ground to efficiently integrate Threat Analytics with Policy Regulation Mechanism against insider threats. Another major contribution of this article is to model access control policy regulation mechanism as an auto-regulatory state transition system, which could autonomously change its state (policy configuration) in real-time against an emergent insider threat. As the last step, with the help of formal methods, we rigorously verify, evaluate, and test the performance of our proposed systems on a real-life threat test dataset.

Published

2021

6. Organizational science and cybersecurity: abundant opportunities for research at the interface

Author

Stephen J. Zaccaro, David J. Howard, Clay Posey, Rebecca J. Bennett, Reeshad S. Dalal, and Bradley J. Brummel

Subjects

Cybersecurity, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 02 engineering and technology, computer.software_genre, Phishing, Computer security, Security information and event management, Key performance indicators, 020204 information systems, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Social engineering, Business and International Management, Security operations center, General Psychology, Applied Psychology, Original Paper, ComputingMilieux_THECOMPUTINGPROFESSION, Information security, Social engineering (security), 05 social sciences, Insider threat, General Business, Management and Accounting, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Incident response, Conceptual framework, Multiteam system, ComputingMilieux_COMPUTERSANDSOCIETY, Industrial and organizational psychology, Psychology, computer, 050203 business & management

Abstract

Cybersecurity is an ever-present problem for organizations, but organizational science has barely begun to enter the arena of cybersecurity research. As a result, the “human factor” in cybersecurity research is much less studied than its technological counterpart. The current manuscript serves as an introduction and invitation to cybersecurity research by organizational scientists. We define cybersecurity, provide definitions of key cybersecurity constructs relevant to employee behavior, illuminate the unique opportunities available to organizational scientists in the cybersecurity arena (e.g., publication venues that reach new audiences, novel sources of external funding), and provide overall conceptual frameworks of the antecedents of employees’ cybersecurity behavior. In so doing, we emphasize both end-users of cybersecurity in organizations and employees focused specifically on cybersecurity work. We provide an expansive agenda for future organizational science research on cybersecurity—and we describe the benefits such research can provide not only to cybersecurity but also to basic research in organizational science itself. We end by providing a list of potential objections to the proposed research along with our responses to these objections. It is our hope that the current manuscript will catalyze research at the interface of organizational science and cybersecurity.

Published

2021

7. Real-Time Abnormal Insider Event Detection on Enterprise Resource Planning Systems via Predictive Auto-Regression Model

Author

Jongmin Yu, Jinhong Yang, Hyeontaek Oh, and Minkyung Kim

Subjects

auto-regression model, General Computer Science, enterprise threat prediction, Event (computing), business.industry, Computer science, 020208 electrical & electronic engineering, General Engineering, Resource Management System, Insider threat, 02 engineering and technology, Insider, Data modeling, TK1-9971, Enterprise resource planning system, Resource (project management), Risk analysis (engineering), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, General Materials Science, Resource management, Electrical engineering. Electronics. Nuclear engineering, business, Enterprise resource planning

Abstract

With the development of information and communication technology and the globalisation of enterprises, many companies are being operated through an electrical resource management system called Enterprise Resource Planning (ERP) system. An ERP system enables efficient and centralised resource management for enterprises. However, since many enterprise resources are being managed by the system, the threatening behaviour by an insider is one of the most significant risks in operating ERP systems. It is much stealthier and fatal compared with the threat from an outsider since it is considered as normal events that accessing the enterprise resource of insiders. Conventional insider threat detection methods have aimed to detect particular events manually defined by system administrators. Those approaches are not robust to the variation of event patterns, and they can not be used when the predefined cases are not given. In this paper, we present a real-time abnormal insider event detection method using the Predictive Auto-regression Model (PAM). Compared with the conventional approaches, the proposed method compiles a prediction model using normal events and identifies threat when the likelihood of prediction results is lower than a threshold. Experiments are conducted using a dataset including events defined as a sequence of ERP system logs. The logs are captured in a practical situation of an enterprise. The results demonstrate that the proposed method can successfully identify abnormal events of on ERP systems.

Published

2021

8. Insider Threat Modeling: An Adversarial Risk Analysis Approach

Author

Chaitanya Joshi, David Ríos Insua, Jesus Aliaga, Ministerio de Economía y Competitividad (España), Ministerio de Ciencia, Innovación y Universidades (España), European Commission, and AXA

Subjects

FOS: Computer and information sciences, Risk analysis, Computer Science - Cryptography and Security, 021103 operations research, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, Adversarial risk analysis, Data security, Organizational culture, Insider threat, 02 engineering and technology, Computer security, computer.software_genre, Insider, Risk analysis (business), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Safety, Risk, Reliability and Quality, Cryptography and Security (cs.CR), computer, Game theory, 91A40, 62C10

Abstract

Insider threats entail major security issues in many organizations. Game theoretic models of insider threats so far proposed do not take into account important factors such as the organizational culture and whether the attacker was detected or not. They also fail to model defensive mechanisms already put in place by an organization to mitigate insider attacks. We propose two new models which incorporate these settings and, hence, are more realistic, and use adversarial risk analysis to find their solutions. Our models and solutions are general and can be applied to most insider threat scenarios. A data security example illustrates the discussion., The work of CJ was supported by the Strategic Investment funding provided by the University of Waikato. The work of DRI is supported by the AXA-ICMAT Chair on Adversarial Risk Analysis, the Spanish Ministry of Economy and Innovation program MTM2017-86875-C3-1-R and project MTM2015-72907-EXP. Work supported by the EU’s Horizon 2020 project 740920 CYBECO (Supporting Cyberinsurance from a Behavioural Choice Perspective).

Published

2021

9. A Structured Control Selection Methodology for Insider Threat Mitigation

Author

Anirban Sengupta, Puloma Roy, and Chandan Mazumdar

Subjects

business.industry, Computer science, Control (management), Authorization, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Asset (computer security), Security controls, Insider, Software, Enterprise system, 0202 electrical engineering, electronic engineering, information engineering, Selection (linguistics), General Earth and Planetary Sciences, 020201 artificial intelligence & image processing, business, computer, General Environmental Science

Abstract

An insider is a person or software that possesses positive authorization to access the asset(s) of an enterprise. In recent years, security incidents perpetrated by enterprise insiders have increased considerably. Enterprises attempt to mitigate such threats by implementing controls intuitively, on an ad-hoc basis. However, such intuitive control implementation is both time-consuming, as well as prone to errors, leading to insecure enterprise systems. The paper attempts to address this issue by proposing a structured methodology for the selection of relevant security controls. The technique is to model insider threats and security controls, and match their constituent components against each other. The proposed methodology has been illustrated with suitable examples.

Published

2021

10. An Analysis of Complexity of Insider Attacks to Databases

Author

Gokhan Kul, Shambhu Upadhyaya, and Andrew Hughes

Subjects

SQL, General Computer Science, Database, Computer science, Targeted threat, Insider threat, 02 engineering and technology, Construct (python library), computer.software_genre, Management Information Systems, Insider, Adversarial system, 020204 information systems, Threat model, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, computer, Time complexity, computer.programming_language

Abstract

Insider attacks are one of the most dangerous threats to an organization. Unfortunately, they are very difficult to foresee, detect, and defend against due to the trust and responsibilities placed on the employees. In this article, we first define the notion of user intent and construct a model for a common scenario that poses a very high risk for sensitive data stored in the organization’s database. We show that the complexity of identifying pseudo-intents of a user in this scenario is coNP-Complete, and launching a harvester insider attack within the boundaries of the defined threat model takes linear time while a targeted threat model is an NP-Complete problem. We also discuss the general defense mechanisms against the modeled threats and show that countering the harvester insider attack takes quadratic time while countering the targeted insider attack can take linear to quadratic time, depending on the strategy chosen. We analyze the adversarial behavior and show that launching an attack with minimum risk is also an NP-Complete problem. Finally, we perform timing experiments with the defense mechanisms on SQL query workloads collected from a national bank to test the feasibility of using these systems in real time.

Published

2020

11. Malicious changeload for the resilience evaluation of self-adaptive authorisation infrastructures

Author

Christopher Bailey and Rogério de Lemos

Subjects

Software_OPERATINGSYSTEMS, QA76.76, Computer Networks and Communications, Computer science, business.industry, Authorization, Insider threat, 020206 networking & telecommunications, Access control, Self adaptive, 02 engineering and technology, Computer security, computer.software_genre, QA76, Insider, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Hardware and Architecture, Order (exchange), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Resilience (network), business, computer, Software

Abstract

Self-adaptive systems are able to modify their behaviour and/or structure in response to changes that occur to the system, its environment, or even its goals. In terms of authorisation infrastructures, self-adaptation has shown to be a promising solution for enforcing access control policies and subject access privileges when mitigating insider threat. This paper describes the resilience evaluation of a self-adaptive authorisation infrastructure by simulating a case study related to insider threats. As part of this evaluation, a malicious changeload has been formally defined in order to describe scenarios of abuse in access control. This malicious changeload was then used to stimulate self-adaptation within a federated authorisation infrastructure. The evaluation confirmed the resilience of a self-adaptive authorisation infrastructure in handling abuse of access under repeatable conditions by consistently mitigating abuse under normal and high loads. The evaluation has also shown that self-adaptation had a minimal impact on the authorisation infrastructure, even when adapting authorisation policies while mitigating abuse of access.

Published

2020

12. Redefining insider threats: a distinction between insider hazards and insider threats

Author

Tom Sauer and Mathias Reveraert

Subjects

021110 strategic, defence & security studies, Conceptualization, Strategy and Management, Politics, 05 social sciences, Perspective (graphical), 0211 other engineering and technologies, Insider threat, 02 engineering and technology, Privilege (computing), Hazard, Insider, Harm, Political science, 050501 criminology, Privileged access, Law, Safety Research, 0505 law, Law and economics

Abstract

This article suggests a new definition of insiders and insider threats. It refrains from applying a harm-oriented perspective that concentrates on the insider’s intention to cause harm because it defines the insider threat either too narrow or too broad. Instead, a privilege-oriented perspective is applied that focuses on the insider’s intention to misuse his privileged access to or knowledge about the organizational assets. Because existing privilege-oriented definitions refrain from making an explicit and clear-cut division between intentional and unintentional misuse of privilege, a new conceptualization is suggested that distinguishes insider hazards from insider threats. If the insider unintentionally misuses his insider privilege, it concerns an insider hazard. If the insider intentionally misuses his insider privilege, it is regarded as an insider threat.

Published

2020

13. 'Real' Insider Threat: Toxic Workplace Behavior in the Intelligence Community

Author

Greta E. Creech

Subjects

021110 strategic, defence & security studies, Court case, Law, Political science, 05 social sciences, Political Science and International Relations, 0211 other engineering and technologies, Insider threat, Toxic workplace, 02 engineering and technology, 050601 international relations, Revelation, 0506 political science

Abstract

The court case concluding in March 2020, involving former Intelligence Community (IC) software engineer Joshua Schulte, was a blunt revelation of the toxic dynamic inside one Central Intelligence A...

Published

2020

14. Operationalising a framework for organisational vulnerability to intentional insider threat: the OVIT as a valid and reliable diagnostic tool

Author

Luke van der Laan and Justine Bedford

Subjects

021110 strategic, defence & security studies, 010504 meteorology & atmospheric sciences, business.industry, Strategy and Management, 0211 other engineering and technologies, General Engineering, Exploratory research, Vulnerability, General Social Sciences, Construct validity, Validity, Insider threat, 02 engineering and technology, 01 natural sciences, Exploratory factor analysis, Risk analysis (engineering), Safety, Risk, Reliability and Quality, Psychology, business, Reliability (statistics), Risk management, 0105 earth and related environmental sciences

Abstract

There are several models and frameworks that assist in understanding insider threat. However, practical limitations in operationalising these models include them being overly complex, too subjective, cumbersome, or lacking dimensionality. In response, this study looks to operationalise a practice-based framework for determining organisational vulnerability to intentional insider threat. The study reports on an Exploratory Factor Analysis (EFA) to determine the validity and reliability of the Organisational Vulnerability to Intentional Insider Threat (OVIT) diagnostic tool. The EFA results (construct validity and reliability statistics) show promise for the use of the OVIT in operationalising intentional insider threat detection. Limitations of the study are presented and future research progressing this exploratory study are encouraged.

Published

2020

15. An improved feature extraction algorithm for insider threat using hidden Markov model on user behavior detection

Author

Myung-Mook Han and Xiao-Yun Ye

Subjects

0209 industrial biotechnology, Information Systems and Management, Computer Networks and Communications, Computer science, business.industry, Insider threat, Pattern recognition, 02 engineering and technology, Viterbi algorithm, Management Information Systems, symbols.namesake, 020901 industrial engineering & automation, Management of Technology and Innovation, 0202 electrical engineering, electronic engineering, information engineering, symbols, 020201 artificial intelligence & image processing, Anomaly detection, Artificial intelligence, Hidden Markov model, business, Feature extraction algorithm, Software, Information Systems

Abstract

Purpose By using a new feature extraction method on the Cert data set and using a hidden Markov model (HMM) to model and analyze the behavior of users to distinguish whether the behavior is normal within a continuous period. Design/methodology/approach Feature extraction of five parts of the time series by rules and sorting in chronological order. Use the obtained features to calculate the probability parameters required by the HMM model and establish a behavior model for each user. When the user has abnormal behavior, the model will return a very low probability value to distinguish between normal and abnormal information. Findings Generally, HMM parameters are obtained by supervised learning and unsupervised learning, but the hidden state cannot be clearly defined. When the hidden state is determined according to the data set, the accuracy of the model will be improved. Originality/value This paper proposes a new feature extraction method and analysis mode, which determines the shape of the hidden state according to the situation of the data set, making subsequent HMM modeling simple and efficient and in turn improving the accuracy of user behavior detection.

Published

2020

16. Discovering 'Insider IT Sabotage' based on human behaviour

Author

Jan H. P. Eloff and Antonia Michael

Subjects

021110 strategic, defence & security studies, Information Systems and Management, Learning classifier system, Computer Networks and Communications, Computer science, Process (engineering), media_common.quotation_subject, 0211 other engineering and technologies, Insider threat, 02 engineering and technology, Computer security, computer.software_genre, Management Information Systems, Insider, Harm, Management of Technology and Innovation, 0202 electrical engineering, electronic engineering, information engineering, Isolation (psychology), 020201 artificial intelligence & image processing, Quality (business), Suspicious behaviour, computer, Software, Information Systems, media_common

Abstract

Purpose Malicious activities conducted by disgruntled employees via an email platform can cause profound damage to an organization such as financial and reputational losses. This threat is known as an “Insider IT Sabotage” threat. This involves employees misusing their access rights to harm the organization. Events leading up to the attack are not technical but rather behavioural. The problem is that owing to the high volume and complexity of emails, the risk of insider IT sabotage cannot be diminished with rule-based approaches. Design/methodology/approach Malicious human behaviours that insiders within the insider IT sabotage category would possess are studied and mapped to phrases that would appear in email communications. A large email data set is classified according to behavioural characteristics of these employees. Machine learning algorithms are used to identify occurrences of this insider threat type. The accuracy of these approaches is measured. Findings It is shown in this paper that suspicious behaviour of disgruntled employees can be discovered, by means of machine intelligence techniques. The output of the machine learning classifier depends mainly on the depth and quality of the phrases and behaviour analysis, cleansing and number of email attributes examined. This process of labelling content in isolation could be improved if other attributes of the email data are included, such that a confidence score can be computed for each user. Originality/value This research presents a novel approach to show that the creation of a prototype that can automate the detection of insider IT sabotage within email systems to mitigate the risk within organizations.

Published

2020

17. Are your IT staff ready for the pandemic-driven insider threat?

Author

Phil Chapman

Subjects

021110 strategic, defence & security studies, Government, Information Systems and Management, ComputingMilieux_THECOMPUTINGPROFESSION, Computer Networks and Communications, business.industry, Soft skills, 0211 other engineering and technologies, Insider threat, 02 engineering and technology, Public relations, Phase (combat), Phishing, Article, Workforce, Pandemic, Apprenticeship, Safety, Risk, Reliability and Quality, business

Abstract

As this article is being written it's mid-March. The situation likely will have changed significantly by the time you read this, as it does by the day and even the hour. The World Health Organisation (WHO) has declared Covid-19 to be a global pandemic and the UK Government has stepped up its response from the ‘contain’ to the ‘delay’ phase. Public spaces and transport are noticeably quieter and many workplaces are getting emptier as staff members work from home. The Covid-19 pandemic and consequent lockdowns are hitting businesses hard. And as workforces move to remote working, IT departments are under pressure. At the same time, cyber criminals are exploiting the pandemic, with rises in phishing and other forms of attacks. The cyber security workforce, already suffering a skills crisis, may lack the soft skills required to effectively tackle these issues, many of which could be solved if the industry didn't rely so heavily on recruiting graduates and rather looked towards hiring apprentices, argues Phil Chapman of Firebrand Training.

Published

2020

18. Analyzing Data Granularity Levels for Insider Threat Detection Using Machine Learning

Author

Nur Zincir-Heywood, Malcolm I. Heywood, and Duc C. Le

Subjects

Ground truth, Government, Computer Networks and Communications, business.industry, Computer science, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Machine learning, computer.software_genre, Insider, Action (philosophy), 0202 electrical engineering, electronic engineering, information engineering, Data analysis, Artificial intelligence, False positive rate, Electrical and Electronic Engineering, Set (psychology), business, computer

Abstract

Malicious insider attacks represent one of the most damaging threats to networked systems of companies and government agencies. There is a unique set of challenges that come with insider threat detection in terms of hugely unbalanced data, limited ground truth, as well as behaviour drifts and shifts. This work proposes and evaluates a machine learning based system for user-centered insider threat detection. Using machine learning, analysis of data is performed on multiple levels of granularity under realistic conditions for identifying not only malicious behaviours, but also malicious insiders. Detailed analysis of popular insider threat scenarios with different performance measures are presented to facilitate the realistic estimation of system performance. Evaluation results show that the machine learning based detection system can learn from limited ground truth and detect new malicious insiders in unseen data with a high accuracy. Specifically, up to 85% of malicious insiders are detected at only 0.78% false positive rate. The system is also able to quickly detect the malicious behaviours, as low as 14 minutes after the first malicious action. Comprehensive result reporting allows the system to provide valuable insights to analysts in investigating insider threat cases.

Published

2020

19. A Review of Probabilistic Opinion Pooling Algorithms with Application to Insider Threat Detection

Author

Dennis M. Buede, Ronald F. A. Woodaman, and Jared A. Beekman

Subjects

Computer science, business.industry, 05 social sciences, Pooling, Probabilistic logic, General Decision Sciences, Insider threat, 02 engineering and technology, Machine learning, computer.software_genre, Data modeling, Set (abstract data type), 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Artificial intelligence, 050207 economics, business, computer

Abstract

We retrospectively explore the effectiveness of various probabilistic opinion pools against a set of insider threat detection modeling data from a recently completed, multiyear, sponsored research effort. We explored four opinion pools: the linear opinion pool (likely the most popular), the beta-transformed linear opinion pool, the geometric opinion pool, and a multiplicative method based on odds called Bordley’s formula. The data for our study came from our recent work in the inference of insider threats for our research sponsor. In this work, we created a multimodeling inference enterprise modeling (MIEM) process to either predict threats within a population or, given the threats, predict how well the enterprise system can detect those threats. As part of larger research challenges designed by the research sponsor, we applied the MIEM process quarterly to respond to a sequence of varying challenge problems (CPs). Via MIEM, we developed multiple, independent computation forecast models. These models generated certainty intervals to answer CP questions. These intervals were fused into a single interval for each question via an expert panel prior to submission. The sponsors scored the responses against ground truth. In this paper, we (a) ask which pooling functions work best on these data and consider why, and (b) compare this performance to the actual submissions to determine if one of the pooling functions performed better than our judgment-based fusion.

Published

2020

20. Empirical Detection Techniques of Insider Threat Incidents

Author

Taher Al-Shehari and Rakan A. Alsowail

Subjects

General Computer Science, 10-question model, information security, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Insider, Domain (software engineering), 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Privileged access, 021110 strategic, defence & security studies, General Engineering, Insider threat, rigorous literature review, Information security, Feature (computer vision), Insider attack, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, lcsh:TK1-9971, computer, insider attack detection

Abstract

Vital organizations have faced increasing challenges of how to defend against insider threats that may cause a severe damage to their assets. The nature of insider threats is more challenging than external threats, as insiders have a privileged access to sensitive assets of an organization. In fact, there are several studies that reviewed the insider threat detection approaches from taxonomical and theoretical perspectives. However, the protection against insider threat incidents requires empirical defense solutions. Hence, our study uniquely focuses on empirical detection approaches that are validated with empirical results. We propose a 10-question model that highlights different prospective of empirical detection approaches. Significant factors are also proposed to reveal the extent to which the detection approaches are effective against insider threat incidents (e.g., feature domains, protection coverage, classification techniques, simulated scenarios, performance and accuracy metrics, etc.). The objective of this paper is to enhance researchers' efforts in the domain of insider attack by systemizing the detection techniques in comparable manner. It also highlights the challenges and gaps for further research to institute more effective solutions that can predict, detect, and prevent emerging attack incidents. Some recommendations for future research directions are also presented.

Published

2020

21. A Review of Insider Threat Detection Approaches With IoT Perspective

Author

Aram Kim, Jinho Ryu, Kyungho Lee, and Junhyoung Oh

Subjects

General Computer Science, Computer science, Literature based, 02 engineering and technology, Computer security, computer.software_genre, Insider, 0202 electrical engineering, electronic engineering, information engineering, dataset, General Materials Science, survey, Government, business.industry, General Engineering, Insider threat, 020206 networking & telecommunications, Application layer, Research objectives, Internet-of-Things, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, Internet of Things, business, computer, Insider threat detection, lcsh:TK1-9971

Abstract

Security professionals, government agencies, and corporate organizations have found an inherent need to prevent or mitigate attacks from insider threats. Accordingly, active research on insider threat detection has been conducted to prevent and mitigate adverse effects such as leakage of valuable information that may be caused by insiders. Along with the growth of Internet-of-Things (IoT), new security challenges arise in the existing security frameworks. Attack surfaces are significantly enlarged which could cause a severe risk in terms of company insider threat management. In this work, we provide a generalization of aspects of insider threats with IoT and analyze the surveyed literature based on both private and public sources. We then examine data sources considering IoT environments based on the characteristics and the structure of IoT (perceptual, network, and application layers). The result of reviewing the study shows that using the data source of the network and application layer is more suitable than the perceptual layer in the IoT environment. We also categorized each layer’s data sources according to their features, and we investigated research objectives and methods for each category. Finally, the potential for utilization and limitations under the IoT environment are presented at the end of each layer examination.

Published

2020

22. Mitigating Insider Threat By Profiling Users Based On Mouse Usage Pattern: Ensemble Learning And Frequency Domain Analysis

Author

Emin Anarim and Metehan Yildirim

Subjects

Profiling (computer programming), 021110 strategic, defence & security studies, Computer Networks and Communications, business.industry, Computer science, 0211 other engineering and technologies, Insider threat, Word error rate, Cryptography, 02 engineering and technology, computer.software_genre, Machine learning, Ensemble learning, Session (web analytics), Frequency domain, Malware, Artificial intelligence, Safety, Risk, Reliability and Quality, business, computer, Software, Information Systems

Abstract

Exploring novel security layers in academia and industry is always a concern due to the types of malware developing currently. Adding a widely applicable security layer into existing ones in terms of verification can be achieved by profiling users by their behaviors. A great candidate may be mouse dynamics. The nature of behavioral biometry based on mouse dynamics contains less sensitive data and still can perform well enough. We present a verification model based on assigning legality scores to individual mouse actions and aggregate these scores to assign a legality probability to the whole session while investigating frequency domain features of movement sequences. How the combinational schemes can improve the performance of the overall system is also investigated. The publicly known Balabit Dataset which contains 10 users’ training and test sessions is used for evaluation. The classifiers are trained with only training sessions and evaluated on test sessions. After extensive several experiments, equal error rate with a value of 7.46% and area under the receiver operating characteristic curve with a value of 96.47% are achieved.

Published

2022

23. Data-driven Model-based Detection of Malicious Insiders via Physical Access Logs

Author

William H. Sanders, Binbin Chen, Ahmed Fawaz, Carmen Cheh, Uttam Thakore, and William G. Temple

Subjects

021103 operations research, business.industry, Computer science, 0211 other engineering and technologies, Cyber-physical system, Insider threat, 020207 software engineering, Access control, 02 engineering and technology, Intrusion detection system, Computer security, computer.software_genre, Computer Science Applications, Data-driven, Insider, Domain (software engineering), Modeling and Simulation, 0202 electrical engineering, electronic engineering, information engineering, Physical access, business, computer

Abstract

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this article, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We suggest two different models of movement behavior in this article and evaluate their ability to represent normal user movement. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.

Published

2019

24. NATO Human View Executable Architectures for Critical Infrastructure Analysis

Author

William B. Leonard, Brian K. Smith, Hugh R. Medal, Kelly Griendling, and Johnathon Huff

Subjects

Critical infrastructure security, Computer science, 05 social sciences, 0211 other engineering and technologies, General Engineering, Insider threat, 02 engineering and technology, computer.file_format, Computer security, computer.software_genre, Electrical grid, Critical infrastructure, Insider, 021105 building & construction, 0502 economics and business, Systems architecture, Executable, computer, Social network analysis, 050203 business & management

Abstract

Engineering managers are responsible for the secure operation of critical infrastructure systems and need tools and methods to identify and mitigate potential insider threats such as physic...

Published

2019

25. Human factors in information leakage: mitigation strategies for information sharing integrity

Author

Ming-Lang Tseng, Kim Hua Tan, Wai Peng Wong, and Hwee Chin Tan

Subjects

Knowledge management, business.industry, Mechanism (biology), Strategy and Management, Information sharing, Corporate governance, 05 social sciences, Insider threat, 02 engineering and technology, Information security culture, Industrial and Manufacturing Engineering, Computer Science Applications, Management Information Systems, Conceptual framework, Multinational corporation, 0502 economics and business, Industrial relations, Information leakage, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Business, 050203 business & management

Abstract

Purpose The purpose of this paper is to explore the human factors triggering information leakage and investigate how companies mitigate insider threat for information sharing integrity. Design/methodology/approach The methodology employed is multiple case studies approach with in-depth interviews with five multinational enterprises (MNEs)/multinational corporations (MNCs). Findings The findings reveal that information leakage can be approached with human governance mechanism such as organizational ethical climate and information security culture. Besides, higher frequency of leakages negatively affects information sharing integrity. Moreover, this paper also contributes to a research framework which could be a guide to overcome information leakage issue in information sharing. Research limitations/implications The current study involved MNCs/MNEs operating in Malaysia, while companies in other countries may have different ethical climate and information sharing culture. Thus, for future research, it will be good to replicate the study in a larger geographic region to verify the findings and insights of this research. Practical implications This research contributes to the industry and business that are striving toward solving the mounting problem of information leakage by raising awareness of human factors and to take appropriate mitigating governance strategies to pre-empt information leakage. This paper also contributes to a novel theoretical model that characterizes the iniquities of humans in sharing information, and suggests measures which could be a guide to avert disruptive leakages. Originality/value This paper is likely an unprecedented research in molding human governance in the domain of information sharing and its Achilles’ heel which is information leakage.

Published

2019

26. Hybrid Deep-Learning-Based Anomaly Detection Scheme for Suspicious Flow Detection in SDN: A Social Multimedia Perspective

Author

Neeraj Kumar, Joel J. P. C. Rodrigues, Sahil Garg, and Kuljeet Kaur

Subjects

business.industry, Computer science, Quality of service, Deep learning, Reliability (computer networking), Insider threat, 02 engineering and technology, User requirements document, Computer Science Applications, Support vector machine, Analytics, Signal Processing, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Media Technology, 020201 artificial intelligence & image processing, Anomaly detection, Artificial intelligence, Electrical and Electronic Engineering, business, Secure transmission, Computer network

Abstract

The continuous development and usage of multi-media-based applications and services have contributed to the exponential growth of social multimedia traffic. In this context, secure transmission of data plays a critical role in realizing all of the key requirements of social multimedia networks such as reliability, scalability, quality of information, and quality of service (QoS). Thus, a trust-based paradigm for multimedia analytics is highly desired to meet the increasing user requirements and deliver more timely and actionable insights. In this regard, software-defined networks (SDNs) play a vital role; however, several factors such as as-runtime security, and energy-aware networking limit its capabilities to facilitate efficient network control and management. Thus, with the view to enhance the reliability of the SDN, a hybrid deep-learning-based anomaly detection scheme for suspicious flow detection in the context of social multimedia is proposed. It consists of the following two modules: 1) an anomaly detection module that leverages improved restricted Boltzmann machine and gradient descent-based support vector machine to detect the abnormal activities, and 2) an end-to-end data delivery module to satisfy strict QoS requirements of the SDN, that is, high bandwidth and low latency. Finally, the proposed scheme has been experimentally evaluated on both real-time and benchmark datasets to prove its effectiveness and efficiency in terms of anomaly detection and data delivery essential for social multimedia. Further, a large-scale analysis over a Carnegie Mellon University (CMU)-based insider threat dataset has been conducted to identify its performance in terms of detecting malicious events such as-Identity theft, profile cloning, confidential data collection, etc.

Published

2019

27. Design and Implementation of a Comprehensive Insider Threat Ontology

Author

Justin Purl, James D. Lee, Abbas K. Zaidi, and Frank L. Greitzer

Subjects

Knowledge management, business.industry, Computer science, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Ontology language, Ontology (information science), Knowledge base, 0202 electrical engineering, electronic engineering, information engineering, General Earth and Planetary Sciences, 020201 artificial intelligence & image processing, business, Threat assessment, General Environmental Science

Abstract

We describe the development and envisioned use case applications of a comprehensive insider threat ontology—“Sociotechnical and Organizational Factors for Insider Threat” (SOFIT)—that comprises more than 300 indicators of technical, behavioral, and organizational factors. Requirements, design, and engineering development for the Web Ontology Language (OWL) implementation of the SOFIT knowledge base are reviewed; additional relationships among constructs are defined that extend the representation beyond a simple taxonomic hierarchy and that enable inferences for qualitative and quantitative threat assessment. We show how queries may be constructed to support these inferences and threat assessments. Several major application concepts are reviewed to show how the ontology may be used by the insider threat research and operational communities. To this end, the SOFIT knowledge base may be shared with stakeholders to advance research and practice for proactive insider threat mitigation.

Published

2019

28. Insider Threat Identification Using the Simultaneous Neural Learning of Multi-Source Logs

Author

Liu Liu, Chao Chen, Jun Zhang, Yang Xiang, and Olivier Y. de Vel

Subjects

Feature engineering, Leverage (finance), Cybersecurity, General Computer Science, Computer science, 02 engineering and technology, Audit, Machine learning, computer.software_genre, 01 natural sciences, Insider, 0202 electrical engineering, electronic engineering, information engineering, Leverage (statistics), General Materials Science, data analytics, business.industry, insider threats, 010401 analytical chemistry, General Engineering, Insider threat, 020206 networking & telecommunications, word embedding, 0104 chemical sciences, Domain knowledge, Anomaly detection, Artificial intelligence, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, computer, lcsh:TK1-9971

Abstract

Insider threat detection has drawn increasing attention in recent years. In order to capture a malicious insider’s digital footprints that occur scatteredly across a wide range of audit data sources over a long period of time, existing approaches often leverage a scoring mechanism to orchestrate alerts generated from multiple sub-detectors, or require domain knowledge-based feature engineering to conduct a one-off analysis across multiple types of data. These approaches result in a high deployment complexity and incur additional costs for engaging security experts. In this paper, we present a novel approach that works with a variety of security logs. The security logs are transformed into texts in the same format and then arranged as a corpus. Using the model trained by Word2vec with the corpus, we are enabled to approximate the posterior probabilities for insider behaviours. Accordingly, we label the transformed events as suspicious if their behavioural probabilities are smaller than a given threshold, and a user is labelled as malicious if he/she is associated with multiple suspicious events. The experiments are undertaken with the Carnegie Mellon University (CMU) CERT Programs insider threat database v6.2, which not only demonstrate that the proposed approach is effective and scalable in practical applications but also provide a guidance for tuning the parameters and thresholds.

Published

2019

29. G-SIR: An Insider Attack Resilient Geo-Social Access Control Framework

Author

James Joshi, Nathalie Baracaldo, and Balaji Palanisamy

Subjects

021110 strategic, defence & security studies, business.industry, Computer science, Internet privacy, 0211 other engineering and technologies, Insider threat, Access control, Context (language use), 02 engineering and technology, Computer security, computer.software_genre, Insider, Scalability, Social media, Electrical and Electronic Engineering, business, Mobile device, computer, Risk management

Abstract

Insider attacks are among the most dangerous and costly attacks to organizations. These attacks are carried out by individuals who are legitimately authorized to access the system. Preventing insider attacks is a daunting task. The recent proliferation of social media and mobile devices offer new opportunities to collect geo-social information that can help in detecting and deterring insider attacks. In particular, such geo-social information allows us to better understand the context and behavior of users. In this paper, we propose a Geo-Social Insider Threat Resilient Access Control Framework (G-SIR) to deter insider threats by including current and historic geo-social information as part of the access control decision process. We include policy constraints to manage the risks of colluding communities, proximity threats, and suspicious users while leveraging the presence of users around the requester to make an access decision. By examining users’ geo-social behavior, we can detect those users whose access behavior deviates from the expected patterns; such suspicious behaviors can point to potential insider attackers who may deliberately or inadvertently carry out malicious activities. We use such information to establish how trustworthy a user is before granting access. We evaluate the G-SIR framework through extensive simulations and our results show that the proposed approach is efficient, scalable and effective.

Published

2019

30. DeepMIT: A Novel Malicious Insider Threat Detection Framework based on Recurrent Neural Network

Author

Degang Sun, Meichen Liu, Meimei Li, Pengcheng Liu, Xu Wang, and Zhixin Shi

Subjects

050101 languages & linguistics, Computer science, 05 social sciences, Insider threat, 02 engineering and technology, Computer security, computer.software_genre, Insider, Disk formatting, Recurrent neural network, Component (UML), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, Data input, Categorical variable, computer, Block (data storage)

Abstract

Currently, more and more malicious insiders are making threats, and the detection of insider threats is becoming more challenging. The malicious insider often uses legitimate access privileges and mimic normal behaviors to evade detection, which is difficult to be detected via using traditional defensive solutions. In this paper, we propose DeepMIT, a malicious insider threat detection framework, which utilizes Recurrent Neural Network (RNN) to model user behaviors as time sequences and predict the probabilities of anomalies. This framework allows DeepMIT to continue learning, and the detections are made in real time, that is, the anomaly alerts are output as rapidly as data input. Also, our framework conducts further insight of the anomaly scores and provides the contributions to the scores and, thus, significantly helps the operators to understand anomaly scores and take further steps quickly(e.g. Block insider's activity). In addition, DeepMIT utilizes user-attributes (e.g. the personality of the user, the role of the user) as categorical features to identify the user's truly typical behavior, which help detect malicious insiders who mimic normal behaviors. Extensive experimental evaluations over a public insider threat dataset CERT (version 6.2) have demonstrated that DeepMIT has outperformed other existing malicious insider threat solutions.

Published

2021

31. A Multi-Tiered Framework for Insider Threat Prevention

Author

Rakan A. Alsowail and Taher Al-Shehari

Subjects

Information privacy, TK7800-8360, Computer Networks and Communications, information security, Internet privacy, 0211 other engineering and technologies, Context (language use), 02 engineering and technology, insider threat prevention, Insider, Competition (economics), Profiling (information science), Confidentiality, Electrical and Electronic Engineering, 021110 strategic, defence & security studies, data privacy, 021103 operations research, business.industry, Insider threat, Information security, Hardware and Architecture, Control and Systems Engineering, Signal Processing, Business, Electronics, multi-tiered approach

Abstract

As technologies are rapidly evolving and becoming a crucial part of our lives, security and privacy issues have been increasing significantly. Public and private organizations have highly confidential data, such as bank accounts, military and business secrets, etc. Currently, the competition between organizations is significantly higher than before, which triggers sensitive organizations to spend an excessive volume of their budget to keep their assets secured from potential threats. Insider threats are more dangerous than external ones, as insiders have a legitimate access to their organization’s assets. Thus, previous approaches focused on some individual factors to address insider threat problems (e.g., technical profiling), but a broader integrative perspective is needed. In this paper, we propose a unified framework that incorporates various factors of the insider threat context (technical, psychological, behavioral and cognitive). The framework is based on a multi-tiered approach that encompasses pre, in and post-countermeasures to address insider threats in an all-encompassing perspective. It considers multiple factors that surround the lifespan of insiders’ employment, from the pre-joining of insiders to an organization until after they leave. The framework is utilized on real-world insider threat cases. It is also compared with previous work to highlight how our framework extends and complements the existing frameworks. The real value of our framework is that it brings together the various aspects of insider threat problems based on real-world cases and relevant literature. This can therefore act as a platform for general understanding of insider threat problems, and pave the way to model a holistic insider threat prevention system.

Published

2021

32. An Integrated Imbalanced Learning and Deep Neural Network Model for Insider Threat Detection

Author

Zaheera Zainal Abidin, S.N Isnin, Rabiah Ahmed, and Mohammed Nasser Al-Mhiqani

Subjects

General Computer Science, Artificial neural network, Computer science, business.industry, Process (engineering), Deep learning, Public sector, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Machine learning, computer.software_genre, Domain (software engineering), Insider, Task (project management), 0202 electrical engineering, electronic engineering, information engineering, Artificial intelligence, business, computer

Abstract

The insider threat is a vital security problem concern in both the private and public sectors. A lot of approaches available for detecting and mitigating insider threats. However, the implementation of an effective system for insider threats detection is still a challenging task. In previous work, the Machine Learning (ML) technique was proposed in the insider threats detection domain since it has a promising solution for a better detection mechanism. Nonetheless, the (ML) techniques could be biased and less accurate when the dataset used is hugely imbalanced. Therefore, in this article, an integrated insider threat detection is named (AD-DNN), which is an integration of adaptive synthetic technique (ADASYN) sampling approach and deep neural network technique (DNN). In the proposed model (AD-DNN), the adaptive synthetic (ADASYN) is used to solve the imbalanced data issue and the deep neural network (DNN) for insider threat detection. The proposed model uses the CERT dataset for the evaluation process. The experimental results show that the proposed integrated model improves the overall detection performance of insider threats. A significant impact on the accuracy performance brings a better solution in the proposed model compared with the current insider threats detection system.

Published

2021

33. Motivational Quotes-Based Intelligent Insider Threat Prediction Model

Author

Sunita V. Dhavale

Subjects

05 social sciences, 0202 electrical engineering, electronic engineering, information engineering, Insider threat, 020206 networking & telecommunications, 0501 psychology and cognitive sciences, 02 engineering and technology, Computer security, computer.software_genre, Psychology, computer, 050105 experimental psychology

Abstract

Insiders are considered as the weakest link. The digital records of a person's Facebook likes against motivational quotes can be used for automatic and accurate prediction of sensitive attributes related to their personality traits depression, and their views against company/government policies, etc. Such analysis will help organization to take proactive measures against vulnerable insiders. Insiders managing their impressions differently than their basic personality traits can also be identified. Deep learning models can be utilized to learn and map the association among extracted features and insider behavioral patterns. Further, reinforcement techniques can be used to select appropriate motivational quotes in order to collect additional data required for further analysis. At the same time, the same exposed motivational messages on insider's social platform can aid to improve their psychological health over a time. However, due to implications involved in data collections related to personalization and data collection privacy, the authors have quoted their work in terms of this concept chapter only.

Published

2021

34. Integrating Security Behavior into Attack Simulations

Author

Simon Hacks, Ariadni Michalitsi Psarrou, Ismail Butun, Robert Lagerström, Andrei Buhaiu, and Anna Georgiadou

Subjects

021110 strategic, defence & security studies, Security Behavior, Computer science, 0211 other engineering and technologies, Integration, Insider threat, 02 engineering and technology, Computer security, computer.software_genre, Enterprise system, Work (electrical), 020204 information systems, Component (UML), 0202 electrical engineering, electronic engineering, information engineering, Attack Simulations, computer, Systemvetenskap, informationssystem och informatik, Information Systems

Abstract

The increase of cyber-attacks raised security concerns for critical assets worldwide in the last decade. Leading to more efforts spent towards increasing the cyber security among companies and countries. For the sake of enhancing cyber security, representation and testing of attacks have prime importance in understanding system vulnerabilities. One of the available tools for simulating attacks on systems is the Meta Attack Language (MAL), which allows representing the effects of certain cyber-attacks. However, only understanding the component vulnerabilities is not enough in securing enterprise systems. Another important factor is the "human", which constitutes the biggest "insider threat". For this, Security Behavior Analysis (SBA) helps understanding which system components that might be directly affected by the "human". As such, in this work, the authors present an approach for integrating user actions, so called "security behavior", by mapping SBA to a MAL-based language through MITRE ATT&CK techniques. QC 20220308

Published

2021

35. Towards Process Mining Utilization in Insider Threat Detection from Audit Logs

Author

Ivan Vanat, Tomas Jevocin, Michal Merjavy, Martin Macak, and Barbora Buhnova

Subjects

Computer science, Process mining, Insider threat, 02 engineering and technology, Audit, Computer security, computer.software_genre, Conformance checking, Insider, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Work (electrical), Audit trail, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Conformance testing, computer

Abstract

Nowadays, insider threats are one of the most significant cybersecurity threats. They are much more difficult to detect than external threats since insiders are authorized employees with legitimate access to the organization's resources. Malicious insider knows the organization and can act inconspicuously. Furthermore, threats do not even have to be intentional. Therefore, there can be a complicated background of malicious insider behavior, making it challenging to react adequately to these threats. In this paper, we propose to utilize process mining for insider threat detection using the organization's audit logs. We present the three different types of process mining utilization for insider threat detection from audit logs and discuss their usefulness, namely visual analysis, conformance checking, and declarative conformance checking. Lastly, we give recommendations for future work in this area based on our experience.

Published

2020

36. Temporal Behavior in Network Traffic as a Basis for Insider Threat Detection

Author

Thomas S. Anderson, Jarrod Shingleton, Brett Rajchel, Gurminder Singh, Angela Hu, and John V. Monaco

Subjects

Government, 021103 operations research, Basis (linear algebra), Computer science, 0211 other engineering and technologies, Insider threat, 02 engineering and technology, Computer security, computer.software_genre, Insider, Volume measurement, Scalability, Anomaly detection, computer

Abstract

Insider threats are a costly and dangerous problem for government and non-government organizations alike. Considering an insider’s inherently privileged level of access on a network, the main principle of network defense-keep potential threats and outsiders out-does not apply to insider threats. Current defenses are largely based on the detection of insider threat indicators which are often manually compiled from past events. This approach is limited in scalability, has difficulty generalizing to new threats, and fails to consider the wide range of behaviors within an organization. In this work, we describe a system that detects potential insider threats through the characterization of temporal behavior on a network. Our approach is completely unsupervised, based on the assumption that there are many different behavioral norms within a network. After testing the system on an operational network with over 8,000 hosts, we show through a series of case studies that the approach is effective in detecting behavioral anomalies suitable for follow up by a human analyst.

Published

2020

37. A Parallel and Scalable Framework for Insider Threat Detection

Author

Abdoulaye Diop, Nahid Emad, and Thierry Winter

Subjects

Boosting (machine learning), Computer science, 020209 energy, Distributed computing, Insider threat, Fault tolerance, 02 engineering and technology, Supercomputer, Ensemble learning, Insider, Parallel processing (DSP implementation), Scalability, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing

Abstract

In this article, we propose an innovative method for the detection of insider threats. This method is based on a unite and conquer approach used to combine ensemble learning techniques, which have the particularity of being intrinsically parallel. Furthermore, it showcases multi-level parallelism properties, offers fault tolerance, and is suitable for heterogeneous architectures. To highlight our approach's efficacy, we present a use case of insider threat detection on a parallel platform. This experiment's results showed the benefits of this method relative to its improvement of classification AUC-score and its scalability.

Published

2020

38. DANTE: Predicting Insider Threat using LSTM on system logs

Author

Qicheng Ma and Nidhi Rastogi

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer science, 02 engineering and technology, Machine learning, computer.software_genre, Insider, 03 medical and health sciences, 0302 clinical medicine, Control flow, 0202 electrical engineering, electronic engineering, information engineering, Ground truth, business.industry, Insider threat, System monitoring, Artificial Intelligence (cs.AI), Recurrent neural network, Workflow, 020201 artificial intelligence & image processing, Artificial intelligence, business, Cryptography and Security (cs.CR), computer, Natural language, 030215 immunology

Abstract

Insider threat is one of the most pernicious threat vectors to information and communication technologies (ICT)across the world due to the elevated level of trust and access that an insider is afforded. This type of threat can stem from both malicious users with a motive as well as negligent users who inadvertently reveal details about trade secrets, company information, or even access information to malignant players. In this paper, we propose a novel approach that uses system logs to detect insider behavior using a special recurrent neural network (RNN) model. Ground truth is established using DANTE and used as the baseline for identifying anomalous behavior. For this, system logs are modeled as a natural language sequence and patterns are extracted from these sequences. We create workflows of sequences of actions that follow a natural language logic and control flow. These flows are assigned various categories of behaviors - malignant or benign. Any deviation from these sequences indicates the presence of a threat. We further classify threats into one of the five categories provided in the CERT insider threat dataset. Through experimental evaluation, we show that the proposed model can achieve 99% prediction accuracy., 6 pages

Published

2020

39. The Insider Threat: Reasons, Effects and Mitigation Techniques

Author

Ioanna Kantzavelou, Leandros A. Maglaras, Nestoras Chouliaras, George Kittes, Christos Douligeris, Vasileios Vlachos, and Dimitrios Tsiostas

Subjects

021110 strategic, defence & security studies, Computer science, media_common.quotation_subject, 0211 other engineering and technologies, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, Insider, 0202 electrical engineering, electronic engineering, information engineering, computer, Reputation, media_common

Abstract

The insider threat is increasingly becoming extremely important for companies, organizations and even governments. A malicious, or even a careless, insider can cause severe damage to the resources and the reputation of an organization. In this article, we provide an overview of the basic characteristics of insider cyber-security threats and we present current approaches and controls of mitigating such threats.

Published

2020

40. An Investigation of Insider Threat Mitigation Based on EEG Signal Classification

Author

Man-Sung Yim, Jung Hwan Kim, and Chul Min Kim

Subjects

Scheme (programming language), Support Vector Machine, insider threat, Computer science, 020209 energy, 02 engineering and technology, Electroencephalography, Machine learning, computer.software_genre, lcsh:Chemical technology, Biochemistry, Article, Analytical Chemistry, Insider, 03 medical and health sciences, 0302 clinical medicine, 0202 electrical engineering, electronic engineering, information engineering, medicine, Selection (linguistics), Humans, lcsh:TP1-1185, Electrical and Electronic Engineering, Instrumentation, computer.programming_language, implicit intention, medicine.diagnostic_test, business.industry, Insider threat, Bayes Theorem, Signal Processing, Computer-Assisted, nuclear security, Atomic and Molecular Physics, and Optics, machine learning, Nuclear Power Plants, Terrorism, Artificial intelligence, business, computer, 030217 neurology & neurosurgery, Algorithms, electroencephalography, subject-wise classification

Abstract

This study proposes a scheme to identify insider threats in nuclear facilities through the detection of malicious intentions of potential insiders using subject-wise classification. Based on electroencephalography (EEG) signals, a classification model was developed to identify whether a subject has a malicious intention under scenarios of being forced to become an insider threat. The model also distinguishes insider threat scenarios from everyday conflict scenarios. To support model development, 21-channel EEG signals were measured on 25 healthy subjects, and sets of features were extracted from the time, time&ndash, frequency, frequency and nonlinear domains. To select the best use of the available features, automatic selection was performed by random-forest-based algorithms. The k-nearest neighbor, support vector machine with radial kernel, na&iuml, ve Bayes, and multilayer perceptron algorithms were applied for the classification. By using EEG signals obtained while contemplating becoming an insider threat, the subject-wise model identified malicious intentions with 78.57% accuracy. The model also distinguished insider threat scenarios from everyday conflict scenarios with 93.47% accuracy. These findings could be utilized to support the development of insider threat mitigation systems along with existing trustworthiness assessments in the nuclear industry.

Published

2020

41. Data Augmentation for Insider Threat Detection with GAN

Author

Yanbing Liu, Yanan Cao, Yuan Fangfang, Yanmin Shang, and Jianlong Tan

Subjects

Computer science, Insider threat, Sample (statistics), 02 engineering and technology, Overfitting, computer.software_genre, Data modeling, Insider, Adversarial system, ComputingMethodologies_PATTERNRECOGNITION, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Data mining, Focus (optics), computer, Generator (mathematics)

Abstract

In insider threat detection domain, the datasets are highly imbalanced, where the number of user's normal behavior is higher than that of insider's anomalous behavior. A direct approach to handle the class imbalance problem is using data augmentation on the minority class. Existing data augmentation methods mainly produce synthetic samples according with the linear operation based on samples of the minority class. Hence, these methods just focus on local information which leads to the unitarily of the synthetic samples, resulting in overfitting. To enrich the diversity of the synthetic samples, we propose a deep adversarial insider threat detection (DAITD) framework using the Generative Adversarial Networks (GAN) to approximate the true anomalous behavior distribution. Specifically, we first obtain anomalous user behavior representations from the anomalous behavior data (minority class), and then use the generator of the GAN to model the actual anomalous behavior distribution, use the discriminator of the GAN to distinguish whether the synthetic sample from the generator is real or not. In this way, our method is able to generate high quality synthetic samples that are close to the anomalous user behavior. Experimental results show that the DAITD framework outperforms other comparative inside threat detection algorithms.

Published

2020

42. rProfiler -- Assessing Insider Influence on Enterprise Assets

Author

Sachin Lodha and Manish Shukla

Subjects

Power graph analysis, Risk analysis (engineering), Work (electrical), Computer science, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Graph (abstract data type), Insider threat, Profiling (information science), Insider attack, 02 engineering and technology, Domain (software engineering), Insider

Abstract

Insider threat is a well-recognized problem in the cyber-security domain. There is good amount of research on detecting and predicting an insider attack. However, none of them addresses the influence of an insider over other individuals, and the spread of impact due to direct and indirect access to enterprise assets by having such influence. In this work, we propose a graph-based influence profiling solution called rProfiler that analyzes the data from multiple sources to determine the influence spread and calculate the probability of loss of data from an affected device using pertinent graph features. We also highlight multiple enterprise scenarios that may benefit from this work.

Published

2020

43. Towards an Explainable Approach for Insider Threat Detection: Constraint Network Learning

Author

Gregory Provan, Satyanarayana Vuppala, Riccardo Orizio, and Stylianos Basagiannis

Subjects

Constraint learning, business.industry, Computer science, 05 social sciences, Insider threat, 050109 social psychology, 02 engineering and technology, Computer security, computer.software_genre, Insider, Constraint (information theory), Identification (information), 020204 information systems, Information technology management, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, Confidentiality, business, computer, Security operations center

Abstract

Insider threats are considered a major threat to information and communication technology (ICT) systems creating an important source of vulnerabilities from a security perspective. The technical knowledge that insiders have about the ICT systems, such as its IT infrastructure, the high load of data generated by other employees of the company which hides insiders' activities, their access rights as well as the confidentiality of the data of which they have access to, creates the perfect scenario for a powerful yet undetected attack. State of the art techniques and security operations center tools struggle to come up with effective solutions to recognise these threats. Therefore, in this paper, we propose a novel artificial intelligence based constraint learning technique to help their detection. The approach creates an optimized constraint network representing the nominal behaviour of an employee and detects threatening events when their associated costs are above a certain threshold. The threshold is learnt alongside with the constraint network model. The proposed approach is based on detection models able to provide human interpretable feedback regarding the detection performed. These information are crucial in helping system operators to understand why the detection has occurred and to help them acting promptly on the threat. The explanation comes directly from the structure of the detection model and relies on the identification of which constraints are being violated. The approach is tested on the CERT insider threat dataset v4.2 and the results obtained look promising, achieving at least the same accuracy as other state of the art techniques as well as providing the details regarding the broken constraints of the threat. A comparison with state of the art techniques applied on this dataset is also provided, showing the strength of our results.

Published

2020

44. Few-shot Insider Threat Detection

Author

Shuhan Yuan, Hanghang Tong, Panpan Zheng, and Xintao Wu

Subjects

Computer science, Insider threat, 02 engineering and technology, Audit, 010501 environmental sciences, Computer security, computer.software_genre, 01 natural sciences, 020204 information systems, Classifier (linguistics), 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Unsupervised learning, Anomaly detection, computer, 0105 earth and related environmental sciences

Abstract

Insiders cause significant cyber-security threats to organizations. Due to a very limited number of insiders, most of the current studies adopt unsupervised learning approaches to detect insiders by analyzing the audit data that record information about employees' activities. However, in practice, we do observe a small number of insiders. How to make full use of these few observed insiders to improve a classifier for insider threat detection is a key challenge. In this work, we propose a novel framework combining the idea of self-supervised pre-training and metric-based few-shot learning to detect insiders. Experimental results on insider threat datasets demonstrate that our model outperforms the existing anomaly detection approaches by only using a few insiders.

Published

2020

45. Deep Learning and Dempster-Shafer Theory Based Insider Threat Detection

Author

Yan Liu, Wei Shi, Jing Qiu, Feng Jiang, Zhihong Tian, Yanbin Sun, and Zhiyuan Tan

Subjects

Computer Networks and Communications, Computer science, QA75 Electronic computers. Computer science, Context (language use), 02 engineering and technology, Cyber-security, Computer security, computer.software_genre, Filter (software), Insider, Component (UML), Dempster–Shafer theory, Centre for Distributed Computing, Networking and Security, 0202 electrical engineering, electronic engineering, information engineering, Deep learning, Insider threat, Network security, Recurrent neural networks, 005 Computer programming, programs & data, business.industry, Deep learning, Insider threat, 020206 networking & telecommunications, AI and Technologies, Hardware and Architecture, Key (cryptography), 020201 artificial intelligence & image processing, Artificial intelligence, business, computer, Software, Information Systems

Abstract

Organizations’ own personnel now have a greater ability than ever before to misuse their access to critical organizational assets. Insider threat detection is a key component in identifying rare anomalies in context, which is a growing concern for many organizations. Existing perimeter security mechanisms are proving to be ineffective against insider threats. As a prospective filter for the human analysts, a new deep learning based insider threat detection method that uses the Dempster-Shafer theory is proposed to handle both accidental as well as intentional insider threats via organization’s channels of communication in real time. The long short-term memory (LSTM) architecture together with multi-head attention mechanism is applied in this work to detect anomalous network behavior patterns. Furthermore, belief is updated with Dempster’s conditional rule and utilized to fuse evidence to achieve enhanced prediction. The CERT Insider Threat Dataset v6.2 is used to train the behavior model. Through performance evaluation, our proposed method is proven to be effective as an insider threat detection technique.

Published

2020

46. False data injection attacks and the insider threat in smart systems

Author

Gökçe Karacayilmaz, Ercan Nurcan Yilmaz, H. Hüseyin Sayan, Serkan Gönen, and Furkan Üstünsoy

Subjects

Smart system, General Computer Science, Event (computing), Computer science, Process (engineering), Vulnerability, Insider threat, 020206 networking & telecommunications, 02 engineering and technology, Industrial control system, Computer security, computer.software_genre, Smart grid, Smart city, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Law, computer

Abstract

Smart networks and smart city systems, which are increasing in use with new approaches every day, are now in the investment plan of each state. At many points, these two concepts combine. Industrial Control Systems (ICS), which constitute the infrastructure of these systems, have opened to external networks due to the requirements of the era. Once smart grids are integrated with smart cities, ICS left its isolated structure. This process has emerged more security vulnerabilities. In this study, False Data Injection (FDI) attack was carried out to change the memory address values of Programmable Logic Controller (PLC)s which is an important component of ICS. Initially, the feasibility of the attack was examined. Thereafter, in the event of an attack, the effect on the systems was revealed. Eventually, important software and hardware solution suggestions to prevent the attack are mentioned. Thus, in the possible cyber attacks that may occur, it is aimed to recover critical systems with minimum damage and make them to be operational as soon as possible. It is considered that this study will make important contributions to other studies regarding ICS security. (c) 2020 Elsevier Ltd. All rights reserved.

Published

2020

47. Impact and key challenges of insider threats on organizations and critical businesses

Author

Neetesh Saxena, Patrick Ojo, Emma Hayes, Elisa Bertino, Kim-Kwang Raymond Choo, and Peter Burnap

Subjects

Underpinning, insider threat, Computer Networks and Communications, 0211 other engineering and technologies, lcsh:TK7800-8360, 02 engineering and technology, cyber kill chain, Critical infrastructure, Insider, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, 021110 strategic, defence & security studies, business.industry, lcsh:Electronics, Insider threat, attack vectors, Public relations, Private sector, Identification (information), Hardware and Architecture, Control and Systems Engineering, Kill chain, Signal Processing, Key (cryptography), business

Abstract

The insider threat has consistently been identified as a key threat to organizations and governments. Understanding the nature of insider threats and the related threat landscape can help in forming mitigation strategies, including non-technical means. In this paper, we survey and highlight challenges associated with the identification and detection of insider threats in both public and private sector organizations, especially those part of a nation’s critical infrastructure. We explore the utility of the cyber kill chain to understand insider threats, as well as understanding the underpinning human behavior and psychological factors. The existing defense techniques are discussed and critically analyzed, and improvements are suggested, in line with the current state-of-the-art cyber security requirements. Finally, open problems related to the insider threat are identified and future research directions are discussed.

Published

2020

48. Tracking the Insider Attacker: A Blockchain Traceability System for Insider Threats

Author

Bangzhou Xin, Kangyi Ding, Xiaosong Zhang, Teng Hu, Xiaolei Liu, and Ting Chen

Subjects

blockchain, Blockchain, insider threat, Traceability, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, lcsh:Chemical technology, Biochemistry, Article, Analytical Chemistry, Insider, differential privacy, 0202 electrical engineering, electronic engineering, information engineering, Differential privacy, Confidentiality, lcsh:TP1-1185, Electrical and Electronic Engineering, Instrumentation, traceability system, 021110 strategic, defence & security studies, Insider threat, Atomic and Molecular Physics, and Optics, Forensic science, Information leakage, Insider attack, 020201 artificial intelligence & image processing, computer

Abstract

The insider threats have always been one of the most severe challenges to cybersecurity. It can lead to the destruction of the organisation&rsquo, s internal network system and information leakage, which seriously threaten the confidentiality, integrity and availability of data. To make matters worse, since the attacker has authorized access to the internal network, they can launch the attack from the inside and erase their attack trace, which makes it challenging to track and forensics. A blockchain traceability system for insider threats is proposed in this paper to mitigate the issue. First, this paper constructs an insider threat model of the internal network from a different perspective: insider attack forensics and prevent insider attacker from escaping. Then, we analyze why it is difficult to track attackers and obtain evidence when an insider threat has occurred. After that, the blockchain traceability system is designed in terms of data structure, transaction structure, block structure, consensus algorithm, data storage algorithm, and query algorithm, while using differential privacy to protect user privacy. We deployed this blockchain traceability system and conducted experiments, and the results show that it can achieve the goal of mitigating insider threats.

Published

2020

49. The Visual Analytics Approach for Analyzing Trajectories of Critical Infrastructure Employers

Author

Evgenia Novikova, Ivan Murenin, and Igor Kotenko

Subjects

Visual analytics, Control and Optimization, Computer science, Energy Engineering and Power Technology, Access control, 02 engineering and technology, visual analytics, lcsh:Technology, Critical infrastructure, Resource (project management), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Engineering (miscellaneous), Gantt chart, route patterns, Renewable Energy, Sustainability and the Environment, business.industry, lcsh:T, Insider threat, 020207 software engineering, data mining, Data science, moving entities, anomaly detection, self-organizing Kohonen maps, Gantt chart-based visualization, heat maps, Visualization, Analytics, business, Energy (miscellaneous)

Abstract

Employees of different critical infrastructures, including energy systems, are considered to be a security resource, and understanding their behavior patterns may leverage user and entity behavior analytics and improve organization capabilities in information threat detection such as insider threat and targeted attacks. Such behavior patterns are particularly critical for power stations and other energy companies. The paper presents a visual analytics approach to the exploratory analysis of the employees’ routes extracted from the logs of the access control system. Key elements of the approach are interactive self-organizing Kohonen maps used to detect groups of employees with similar movement trajectories, and heat maps highlighting possible anomalies in their movement. The spatiotemporal patterns of the routes are presented using a Gantt chart-based visualization model named BandView. The paper also discusses the results of efficiency assessment of the proposed analysis and visualization models. The assessment procedure was implemented using artificially generated and real-world data. It is demonstrated that the suggested approach may significantly increase the efficiency of the exploratory analysis especially under the condition when no prior information on existing employees’ moving routine is available.

Published

2020

50. Research on Behavior-Based Data Leakage Incidents for the Sustainable Growth of an Organization

Author

Jaesoo Kim, Jawon Kim, and Hangbae Chang

Subjects

lcsh:GE1-350, insider threat, Renewable Energy, Sustainability and the Environment, Computer science, lcsh:Environmental effects of industries and plants, 05 social sciences, Geography, Planning and Development, lcsh:TJ807-830, lcsh:Renewable energy sources, Insider threat, 02 engineering and technology, Management, Monitoring, Policy and Law, security data analysis, Computer security, computer.software_genre, data leakage, lcsh:TD194-195, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, 050211 marketing, 020201 artificial intelligence & image processing, Sustainable growth rate, computer, lcsh:Environmental sciences, Leakage (electronics)

Abstract

With the continuously increasing number of data leakage security incidents caused by organization insiders, current security activities cannot predict a data leakage. Because such security incidents are extremely harmful and difficult to detect, predicting security incidents would be the most effective preventative method. However, current insider security controls and systems detect and identify unusual behaviors to prevent security incidents but produce many false-positives. To solve these problems, the present study collects and analyzes data leaks by insiders in advance, analyzes information leaks that can predict security incidents, and evaluates risk based on behavior. To this end, data leakage behaviors by insiders are analyzed through an analysis of previous studies and the implementation of an in-depth interview method. Statistical verification of the analyzed data leakage behavior is performed to determine the validity and derive the levels of leakage risk for each behavior. In addition, by applying the N-gram analysis method to derive a data leakage scenario, the levels of risk are clarified to reduce false-positives and over detection (i.e., the limitations of existing data leakage prevention systems) and make preemptive security activities possible.

Published

2020