
    Simulation and Analysis of Insider Attacks

    An insider is an individual (usually an employee, contractor, or business partner) who has been trusted with access to an organization's systems and sensitive data for legitimate purposes. A malicious insider abuses this access in a way that negatively impacts the company, such as exposing, modifying, or defacing software and data. Many algorithms, strategies, and analyses have been developed with the intent of detecting and/or preventing insider attacks. In an academic setting, these tools and approaches show great promise. To be sure of their effectiveness, however, these analyses need to be tested. While real data is available on insider attacks (including logs of actions taken by the insider), the real data is limited in its usefulness. If the analysis being tested passes or fails in detecting the insider attack, how much can be attributed to the analysis's precision, the circumstances of the attack, or just luck? The ability to test an analysis against a wide range of data whose circumstances vary in complexity would allow insight into the strengths and weaknesses of the analysis. Data for multiple tests would also help in ruling out luck in the results. To address this, I've built an insider attack simulator that generates test scenarios for analyses. Specifically, it generates logs of employee actions with both insider attacks and false positives hidden within the logs. This simulator allows for customization of the actions that are logged, the average behavior of individuals, the departments within the simulated company, and the abnormal events (including insider attacks) that take place. This thesis will discuss the nature of insider threats, the benefits of a simulator, how to customize the simulation, and how one can gain insight into analyses using logs generated by the simulator.

    Anomaly detection in multiple scale for insider threat analysis
