
    Mathematical models for insider threat mitigation

    The world is rapidly undergoing a massive digital transformation in which every human will have no choice but to rely on the confidentiality, integrity, and availability of information systems. At the same time, a growing number of malicious attackers are constantly trying to compromise information systems for financial or political gain. Given the threat landscape and its sophistication, the traditional approach of fortifying the castle will not provide sufficient protection for information systems. This formidable threat can only be restrained by a new approach that looks both inwards and outwards for potential attacks. It is well established that humans are the weakest link in information security controls, although the same humans are considered the most valued assets. A trusted custodian with malicious intent can inflict enormous damage on critical information assets. Often these attacks go unnoticed for a considerable period and have caused irreversible damage to the organisation by the time they are discovered. In the recent past there have been well publicised data compromises in the media which have damaged the reputations of governments and organisations and in some cases endangered human life. While some of these leaks can be classified as whistleblowing in the public interest, they are very real examples of information compromises in the context of information security. The high profile leaks by Edward Snowden and Bradley (Chelsea) Manning are perfect examples of the potential damage from an insider. Furthermore, most malicious insider activities go unnoticed or unpublicised as a damage control measure by the affected organisations. While a great deal of research and investment is going into insider threat prevention, these attacks are rising at an alarming rate.
A comprehensive study of publicly available insider threat cases, academic literature, and technical reports reveals the need for a multifaceted view of the problem. The insider threat problem can no longer be treated only as a technical, data driven problem; it requires the analysis of associated factors, a combination of technical and human behavioural aspects going beyond the traditional technology driven approaches. Furthermore, there is no universally agreed comprehensive feature set, as the majority of the proposed models are bound to a single threat scenario or conducted on a specific system. In order to overcome this limitation, this thesis introduces a precise user profile model integrating insider threat related parameters from the technical, behavioural, psychological, and organisational paradigms. The proposed user profile model is a combination of: a comprehensive insider threat detection and prediction feature set; a collection of techniques for feature specific user behaviour comparisons; and a framework for quantifying user behaviour as a numerical value. The unpredictability of malicious attackers and the complexity of malicious actions necessitate the careful analysis of network, system and user parameters correlated with the insider threat problem. Unearthing the hidden evidence also requires the analysis of an enormous amount of data generated from heterogeneous input streams. This creates a high dimensional, heterogeneous data analysis problem for distinguishing suspicious users from benign users, and hence the need to identify an appropriate means of data representation and feature extraction. Since traditional graph theory and new approaches in the field of complex networks provide a means of representing high dimensional, heterogeneous data, the feasibility of using graphs for data representation and feature extraction is investigated, going beyond traditional data mining techniques.
Unattributed graphs are introduced to represent users' device usage data, web access data, and organisational hierarchy. A graph based feature extraction technique, based on subgraphs generated on neighbourhoods of different order, is introduced, together with a graph based approach to capturing inter-user relationships from web access data. Various insider threat models proposed in the literature, including intrusion detection based approaches, system call based approaches, honeypot based approaches and stream mining approaches, end up with high false positive rates. More recently, machine learning approaches for separating suspicious users from normal users have increased. However, the application of graph based anomaly detection techniques to the insider threat problem is relatively rare in the academic literature as well as uncommon in the commercial world. Therefore, we focused our attention on graph based anomaly detection techniques for differentiating suspicious users from benign users. This thesis introduces two distinct insider threat detection frameworks. The first is a hybrid insider threat detection framework based on a graph theoretic feature extraction mechanism and an unsupervised anomaly detection algorithm. The second is built on an attributed graph clustering mechanism integrated with an outlier ranking mechanism. Finally, a comprehensive, theoretically grounded and commercially viable framework for insider threat mitigation integrating user profiling and threat detection is introduced.

    Portunes: analyzing multi-domain insider threats

    The insider threat is an important problem in securing information systems. Skilful insiders use the attack vectors that yield the greatest chance of success, and thus do not limit themselves to a restricted set of attacks. They may use access rights to the facility where the system of interest resides, as well as existing relationships with employees. To secure a system, security professionals should therefore consider attacks that include non-digital aspects such as key sharing or exploiting trust relationships among employees. In this paper, we present Portunes, a framework for security design and audit which incorporates three security domains: (1) the security of the computer system itself (the digital domain), (2) the security of the location where the system is deployed (the physical domain) and (3) the security awareness of the employees that use the system (the social domain). The framework consists of a model, a formal language and a logic. It allows security professionals to formally model elements from the three domains in a single framework, and to analyze possible attack scenarios. The logic enables formal specification of the attack scenarios in terms of state and transition properties.
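The kind of cross-domain analysis the abstract describes can be illustrated with a small transition system in which physical, social and digital facts live in one state and an attack is a path of transitions to a state satisfying a goal property. This is an added example, not the Portunes model, language or logic; the locations, actors, credentials and rules below are constructed for illustration.

```python
"""Multi-domain attack-scenario search: physical, social and digital facts form
one state; an attack is the shortest transition sequence reaching a goal state.
Added example (not Portunes itself); all names and rules are constructed."""
from collections import deque

ATTACKER = "eve"                      # hypothetical outsider who reaches the lobby

# Constructed initial state. Facts are tuples; a state is a frozenset of facts.
INITIAL = frozenset({
    ("at", ATTACKER, "lobby"),
    ("at", "bob", "lobby"),                     # employee present in the lobby
    ("trusts", "bob", ATTACKER),                # social domain: bob is friendly with eve
    ("has", "bob", "office_key"),
    ("knows", "bob", "db_password"),
    ("door", "lobby", "office", "office_key"),  # physical domain: locked door
    ("host", "dbserver", "office"),             # digital domain: server in the office
    ("protected", "dbserver", "db_password"),
})
GOAL = ("has", ATTACKER, "data")                # state property that defines success


def transitions(state):
    """Transitions enabled for the attacker in `state`, labelled by domain."""
    out = []
    my_loc = next(f[2] for f in state if f[0] == "at" and f[1] == ATTACKER)

    # Physical: pass a locked door when holding its key (one-way, lobby -> office).
    for f in state:
        if f[0] == "door" and f[1] == my_loc and ("has", ATTACKER, f[3]) in state:
            moved = (state - {("at", ATTACKER, my_loc)}) | {("at", ATTACKER, f[2])}
            out.append((f"[physical] enter {f[2]} with {f[3]}", moved))

    # Social: a co-located employee who trusts the attacker shares a key or a secret.
    for f in state:
        if f[0] == "at" and f[1] != ATTACKER and f[2] == my_loc \
                and ("trusts", f[1], ATTACKER) in state:
            for g in state:
                if g[0] in ("has", "knows") and g[1] == f[1] \
                        and (g[0], ATTACKER, g[2]) not in state:
                    out.append((f"[social] {f[1]} shares {g[2]} with {ATTACKER}",
                                state | {(g[0], ATTACKER, g[2])}))

    # Digital: local log-in to a host in the current room with a known credential.
    for f in state:
        if f[0] == "host" and f[2] == my_loc and ("logged_in", ATTACKER, f[1]) not in state:
            cred = next(g[2] for g in state if g[0] == "protected" and g[1] == f[1])
            if ("knows", ATTACKER, cred) in state:
                out.append((f"[digital] log in to {f[1]}",
                            state | {("logged_in", ATTACKER, f[1])}))
    for f in state:
        if f[0] == "logged_in" and f[1] == ATTACKER and GOAL not in state:
            out.append((f"[digital] read data from {f[2]}", state | {GOAL}))
    return out


def find_attack(initial, goal):
    """Breadth-first search for the shortest transition sequence reaching `goal`.
    Returns the list of transition labels, or None if no attack scenario exists."""
    queue = deque([(initial, [])])
    seen = {initial}
    while queue:
        state, path = queue.popleft()
        if goal in state:
            return path
        for label, nxt in transitions(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None


if __name__ == "__main__":
    for step in find_attack(INITIAL, GOAL) or ["no attack found"]:
        print(step)
    # Audit question: does the attack survive if employees never share keys or passwords?
    print(find_attack(INITIAL - {("trusts", "bob", ATTACKER)}, GOAL))
```

Removing the single social fact closes the scenario, while removing only the door lock (giving the attacker the key outright) does not open it, because the digital control still holds. That is the audit use the abstract points at: controls in one domain are evaluated against paths that cross all three.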

    Intrusion Detection System using Bayesian Network Modeling

    Computer network security has become a critical issue due to ever-increasing cybercrime, which spans from simple piracy to information theft in international terrorism. Defence and security agencies and other military-related organisations are highly concerned about the confidentiality of, and access control to, their stored data. It is therefore important to investigate Intrusion Detection Systems (IDS) that detect and prevent cybercrimes against these systems. This research proposes a novel distributed IDS to detect and prevent attacks such as denial of service, probes, user-to-root and remote-to-local attacks. In this work, we propose an IDS based on the Bayesian network classification modelling technique. Bayesian networks are popular for adaptive learning and for modelling diverse network traffic data into meaningful classifications. The proposed model is an anomaly-based IDS with an adaptive learning process, and Bayesian networks have therefore been applied to build a robust and accurate IDS. The proposed IDS has been evaluated against the KDD DARPA dataset, which was designed for network IDS evaluation. The research methodology consists of four different Bayesian networks as classification models, which are interconnected and communicate to predict on incoming network traffic data. Each Bayesian network model is capable of detecting one major category of attack, such as denial of service (DoS), and all four networks work together, passing the information from their classification models to calibrate the IDS. The proposed IDS shows the ability to detect novel attacks by continued learning with different datasets. The testing dataset was constructed by sampling the original KDD dataset to contain a balanced number of attacks and normal connections.
The experiments show that the proposed system is effective in detecting attacks in the test dataset and is highly accurate in detecting all major attack categories recorded in the DARPA dataset. The proposed IDS constitutes a promising approach to anomaly-based intrusion detection in distributed systems. Furthermore, a practical implementation of the proposed IDS can be used to train on, and detect attacks in, live network traffic.
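The "four cooperating classifiers, one per attack category" architecture can be shown with the simplest Bayesian network, a naive Bayes model in which the class node is the only parent of every feature node. This is an added example, not the authors' system or their network structures. The records are constructed in the style of KDD'99 categorical features (protocol, service, TCP flag, and bucketed counters) and are not taken from the DARPA/KDD data; the class names follow the four KDD categories.

```python
"""Four one-versus-normal naive Bayes detectors combined into one IDS decision.
Added example; the records are constructed, not DARPA/KDD data."""
import math
from collections import Counter, defaultdict

# Feature positions: protocol, service, flag, connection count to same host
# (lo/hi), share of connections to different services (lo/hi), failed logins,
# root shell obtained. Labels: normal, dos, probe, u2r, r2l.
TRAIN = [
    (("tcp", "http", "SF", "lo", "lo", "0", "0"), "normal"),
    (("tcp", "smtp", "SF", "lo", "lo", "0", "0"), "normal"),
    (("udp", "domain_u", "SF", "lo", "lo", "0", "0"), "normal"),
    (("tcp", "http", "SF", "lo", "lo", "0", "0"), "normal"),
    (("tcp", "private", "S0", "hi", "lo", "0", "0"), "dos"),    # SYN flood style
    (("tcp", "private", "S0", "hi", "lo", "0", "0"), "dos"),
    (("icmp", "ecr_i", "SF", "hi", "lo", "0", "0"), "dos"),     # echo-reply flood style
    (("tcp", "private", "REJ", "hi", "hi", "0", "0"), "probe"), # port sweep style
    (("icmp", "eco_i", "SF", "lo", "hi", "0", "0"), "probe"),
    (("tcp", "other", "REJ", "hi", "hi", "0", "0"), "probe"),
    (("tcp", "telnet", "SF", "lo", "lo", "0", "1"), "u2r"),     # local privilege escalation
    (("tcp", "ftp_data", "SF", "lo", "lo", "0", "1"), "u2r"),
    (("tcp", "ftp", "SF", "lo", "lo", "many", "0"), "r2l"),     # password guessing style
    (("tcp", "telnet", "SF", "lo", "lo", "many", "0"), "r2l"),
    (("tcp", "pop_3", "SF", "lo", "lo", "many", "0"), "r2l"),
]


class CategoricalNB:
    """Naive Bayes over categorical features with Laplace (add-alpha) smoothing.
    Values never seen in training fall back to the smoothing mass."""

    def __init__(self, rows, labels, alpha=1.0):
        self.alpha = alpha
        self.total = len(rows)
        self.class_count = Counter(labels)
        self.counts = [defaultdict(Counter) for _ in rows[0]]   # counts[i][label][value]
        self.vocab = [set() for _ in rows[0]]                   # values seen per feature
        for row, label in zip(rows, labels):
            for i, value in enumerate(row):
                self.counts[i][label][value] += 1
                self.vocab[i].add(value)

    def log_posterior(self, row, label):
        """log P(label) + sum_i log P(x_i | label), up to the shared evidence term."""
        lp = math.log(self.class_count[label] / self.total)
        for i, value in enumerate(row):
            num = self.counts[i][label][value] + self.alpha
            den = self.class_count[label] + self.alpha * len(self.vocab[i])
            lp += math.log(num / den)
        return lp


class DistributedBayesIDS:
    """One network per attack category, each trained on normal + that category."""
    CATEGORIES = ("dos", "probe", "u2r", "r2l")

    def __init__(self, train):
        self.detectors = {}
        for cat in self.CATEGORIES:
            rows, labels = zip(*[(r, l) for r, l in train if l in ("normal", cat)])
            self.detectors[cat] = CategoricalNB(list(rows), list(labels))

    def scores(self, row):
        """Log-odds of each category against normal, as reported by its own network."""
        return {cat: nb.log_posterior(row, cat) - nb.log_posterior(row, "normal")
                for cat, nb in self.detectors.items()}

    def classify(self, row):
        """Combine the four verdicts: strongest category wins, otherwise normal."""
        s = self.scores(row)
        best = max(s, key=s.get)
        return best if s[best] > 0 else "normal"


def accuracy(ids, labelled):
    return sum(ids.classify(r) == l for r, l in labelled) / len(labelled)


if __name__ == "__main__":
    ids = DistributedBayesIDS(TRAIN)
    for row, label in TRAIN:
        print(label, "->", ids.classify(row), {k: round(v, 2) for k, v in ids.scores(row).items()})
```

The combination step matters: on the constructed SYN-flood record the probe network also reports positive log-odds (the record is far from normal in features the probe network knows about), and only the comparison across networks attributes it to the DoS category.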

    Graph Based Framework for Malicious Insider Threat Detection

    While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches to combat this severe cyber security threat. Our framework analyzes heterogeneous data to isolate possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.
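The graph pipeline described in the thesis abstract and in this paper (an unattributed user/device graph, features from first- and second-order neighbourhood subgraphs, unsupervised outlier ranking) can be sketched end to end on a device-usage log. This is an added example, not the authors' framework or code; the users, devices, the three features and the threshold are invented for illustration, and the simple z-score ranking stands in for the unsupervised anomaly detector the papers evaluate.

```python
"""Graph-based user features and unsupervised outlier ranking for insider triage.
Added example with constructed data; not code from the thesis or the paper."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed device-usage log as (user, device) pairs. Not a real dataset.
DEVICE_LOG = [
    ("alice", "ws-01"), ("alice", "printer-2"),
    ("bob", "ws-02"), ("bob", "printer-2"),
    ("carol", "ws-03"), ("carol", "printer-2"),
    ("dave", "ws-04"), ("dave", "printer-2"),
    # mallory logs on to colleagues' workstations and to devices nobody else touches
    ("mallory", "ws-05"), ("mallory", "usb-77"), ("mallory", "ws-01"),
    ("mallory", "ws-02"), ("mallory", "ws-03"), ("mallory", "ws-04"),
]
USERS = sorted({u for u, _ in DEVICE_LOG})


def build_graph(log):
    """Unattributed, undirected bipartite graph (users and devices) as adjacency sets."""
    adj = defaultdict(set)
    for user, device in log:
        adj[user].add(device)
        adj[device].add(user)
    return adj


def neighbourhood(adj, node, order):
    """Nodes reachable from `node` in at most `order` hops, excluding `node` itself."""
    seen, frontier = {node}, {node}
    for _ in range(order):
        frontier = {n for f in frontier for n in adj[f]} - seen
        seen |= frontier
    return seen - {node}


def user_features(adj, user):
    """Features read off the 1st- and 2nd-order neighbourhood subgraphs of a user."""
    devices = neighbourhood(adj, user, 1)                     # devices the user touched
    peers = neighbourhood(adj, user, 2) - devices             # users sharing a device
    exclusive = {d for d in devices if adj[d] == {user}}      # devices nobody else uses
    return {"devices": len(devices), "peers": len(peers), "exclusive": len(exclusive)}


def rank_users(log, users):
    """Unsupervised ranking: per-feature z-score against the population,
    score = largest absolute deviation. Returns (user, score) pairs, highest first."""
    adj = build_graph(log)
    feats = {u: user_features(adj, u) for u in users}
    scores = {u: 0.0 for u in users}
    for name in ("devices", "peers", "exclusive"):
        column = [feats[u][name] for u in users]
        mu, sigma = mean(column), pstdev(column)
        for u in users:
            z = 0.0 if sigma == 0 else (feats[u][name] - mu) / sigma
            scores[u] = max(scores[u], abs(z))
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def suspicious(log, users, threshold=1.5):
    """Users whose strongest feature deviation exceeds the (assumed) threshold."""
    return [u for u, s in rank_users(log, users) if s > threshold]


if __name__ == "__main__":
    for user, score in rank_users(DEVICE_LOG, USERS):
        print(f"{user:8s} {score:.2f}")
    print("suspicious:", suspicious(DEVICE_LOG, USERS))
```

The second-order neighbourhood is what lets a graph feature see "who else touches the same devices", which a per-user event count cannot; here mallory's peer count looks ordinary while her device degree and exclusive-device count do not.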

    Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats

    The malicious insider threat is attracting increasing concern from organisations, due to the continuously growing number of insider incidents. The absence of previously logged insider threats shapes the insider threat detection mechanism into a one-class anomaly detection approach. A common shortcoming in the existing data mining approaches to detecting insider threats is the high number of False Positives (FP) (i.e. normal behaviour predicted as anomalous). To address this shortcoming, in this paper we propose an anomaly detection framework with two components: a one-class modelling component and a progressive update component. To allow the detection of anomalous instances that closely resemble normal instances, the one-class modelling component applies class decomposition to the normal class data to create k clusters, then trains an ensemble of k base anomaly detection algorithms (One-class Support Vector Machine or Isolation Forest), with the data in each cluster used to construct one of the k base models. The progressive update component updates each of the k models with sequentially acquired FP chunks, i.e. segments of a predetermined capacity of FPs. It includes an oversampling method that generates artificial samples for the FPs in each chunk, then retrains each model and adapts the decision boundary, with the aim of reducing the number of future FPs. A variety of experiments is carried out on synthetic data sets generated at Carnegie Mellon University to test the effectiveness of the proposed framework and its components. The results show that the proposed framework reports the highest F1 measure and fewer FPs than the base algorithms, and that it detects all the insider threats in the data sets.
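The two components the abstract describes, class decomposition into k one-class models and a progressive update from false-positive chunks, can be demonstrated on a toy two-dimensional behaviour space. This is an added example, not the paper's code. It substitutes a centroid-and-radius model for the paper's One-class SVM / Isolation Forest base learners, a deterministic SMOTE-style interpolation for its oversampling method, and keeps each base model's centre fixed so that only the decision boundary adapts; the data points, k=2 and the chunk capacity of 3 are constructed.

```python
"""Class decomposition + one-class ensemble + progressive false-positive update.
Added example; base learner, oversampler and data are stand-ins, not the paper's."""
from math import dist
from statistics import mean, pstdev

# Constructed normal behaviour: two 3x3 grids of users around (0,0) and (10,10).
NORMAL = [(x, y) for cx, cy in ((0, 0), (10, 10))
          for x in (cx - 1, cx, cx + 1) for y in (cy - 1, cy, cy + 1)]
INSIDER = (5, 5)          # sits between the two normal clusters


class RadiusModel:
    """Base one-class model: accept points within mean + K*std of the members'
    distance to a fixed centroid. Stand-in for OCSVM / Isolation Forest."""
    K = 2.0

    def __init__(self, members):
        self.members = list(members)
        n = len(self.members)
        self.centroid = tuple(sum(p[i] for p in self.members) / n for i in range(2))
        self._fit_radius()

    def _fit_radius(self):
        d = [dist(p, self.centroid) for p in self.members]
        self.radius = mean(d) + self.K * pstdev(d)

    def is_normal(self, p):
        return dist(p, self.centroid) <= self.radius

    def absorb(self, points):
        """Retrain on the enlarged member set: the boundary widens, the centre stays."""
        self.members.extend(points)
        self._fit_radius()


def kmeans(points, k, iters=50):
    """Lloyd's algorithm with deterministic farthest-point initialisation."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        new = [tuple(sum(p[i] for p in cl) / len(cl) for i in range(2)) for cl in clusters]
        if new == centroids:
            break
        centroids = new
    return clusters


def oversample(chunk, steps=(1 / 3, 2 / 3)):
    """SMOTE-style: interpolate each FP towards its nearest neighbour in the chunk."""
    synthetic = []
    for p in chunk:
        others = [q for q in chunk if q != p]
        if not others:
            continue
        q = min(others, key=lambda o: dist(p, o))
        synthetic.extend(tuple(p[i] + t * (q[i] - p[i]) for i in range(2)) for t in steps)
    return synthetic


class DecomposedOneClassEnsemble:
    def __init__(self, normal_points, k=2, chunk_capacity=3):
        self.models = [RadiusModel(c) for c in kmeans(normal_points, k)]
        self.capacity = chunk_capacity
        self.fp_chunk = []

    def predict(self, p):
        """Normal if any base model accepts the point, otherwise anomaly."""
        return "normal" if any(m.is_normal(p) for m in self.models) else "anomaly"

    def report_false_positive(self, p):
        """Analyst feedback: p was flagged but is benign. Update once a chunk is full."""
        self.fp_chunk.append(p)
        if len(self.fp_chunk) >= self.capacity:
            self._progressive_update()

    def _progressive_update(self):
        batches = [[] for _ in self.models]
        for p in self.fp_chunk + oversample(self.fp_chunk):
            nearest = min(range(len(self.models)), key=lambda i: dist(p, self.models[i].centroid))
            batches[nearest].append(p)
        for model, pts in zip(self.models, batches):
            if pts:
                model.absorb(pts)
        self.fp_chunk = []


if __name__ == "__main__":
    ens = DecomposedOneClassEnsemble(NORMAL)
    print("single global model accepts insider:", RadiusModel(NORMAL).is_normal(INSIDER))
    print("ensemble on insider:", ens.predict(INSIDER), " on (0,2.5):", ens.predict((0, 2.5)))
    for fp in ((0, 2.5), (2.5, 0), (0, -2.5)):
        ens.report_false_positive(fp)
    print("after update, (0,2.5):", ens.predict((0, 2.5)), " insider:", ens.predict(INSIDER))
```

A single one-class model fitted to all normal data wraps both clusters and accepts the insider sitting between them; the decomposed ensemble rejects it, and after one chunk of analyst-confirmed false positives the affected base model's boundary widens enough to accept those benign points while the insider stays flagged.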