Detecting insider threat within institutions using CERT dataset and different ML techniques

The reason of countries development in industrial and commercial enterprises fields in those countries. The security of a particular country depends on its security institutions, the confidentiality of its employees, their information, the target's information, and information about the forensic evidence for those targets. One of the most important and critical problems in such institutions is the problem of discovering an insider threat that causes loss, damage, or theft the information to hostile or competing parties. This threat is represented by a person who represents one of the employees of the institution, the goal of that person is to steal information or destroy it for the benefit of another institution's desires. The difficulty in detecting this type of threat is due to the difficulty of analyzing the behavior of people within the organization according to their physiological characteristics. In this research, CERT dataset that produced by the University of Carnegie Mellon University has been used in this investigation to detect insider threat. The dataset has been preprocessed. Five effective features were selected to apply three ML techniques Random Forest, Naïve Bayes, and 1 Nearest Neighbor. The results obtained and listed sequentially as 89.75917519%, 91.96650826%, and 94.68205476% with an error rate of 10.24082481%, 8.03349174%, and 5.317945236%

Graph Based Framework for Malicious Insider Threat Detection

While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. \ Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches, to combat this severe cyber security threat. Our framework analyzes heterogeneous data in isolating possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.

Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats

The malicious insider threat is getting increased concern by organisations, due to the continuously growing number of insider incidents. The absence of previously logged insider threats shapes the insider threat detection mechanism into a one-class anomaly detection approach. A common shortcoming in the existing data mining approaches to detect insider threats is the high number of False Positives (FP) (i.e. normal behaviour predicted as anomalous). To address this shortcoming, in this paper, we propose an anomaly detection framework with two components: one-class modelling component, and progressive update component. To allow the detection of anomalous instances that have a high resemblance with normal instances, the one-class modelling component applies class decomposition on normal class data to create k clusters, then trains an ensemble of k base anomaly detection algorithms (One-class Support Vector Machine or Isolation Forest), having the data in each cluster used to construct one of the k base models. The progressive update component updates each of the k models with sequentially acquired FP chunks; segments of a predetermined capacity of FPs. It includes an oversampling method to generate artificial samples for FPs per chunk, then retrains each model and adapts the decision boundary, with the aim to reduce the number of future FPs. A variety of experiments is carried out, on synthetic data sets generated at Carnegie Mellon University, to test the effectiveness of the proposed framework and its components. The results show that the proposed framework reports the highest F1 measure and less number of FPs compared to the base algorithms, as well as it attains to detect all the insider threats in the data sets

A PREDICTIVE USER BEHAVIOUR ANALYTIC MODEL FOR INSIDER THREATS IN CYBERSPACE

Insider threat in cyberspace is a recurring problem since the user activities in a cyber network are often unpredictable. Most existing solutions are not flexible and adaptable to detect sudden change in user’s behaviour in streaming data, which led to a high false alarm rates and low detection rates. In this study, a model that is capable of adapting to the changing pattern in structured cyberspace data streams in order to detect malicious insider activities in cyberspace was proposed. The Computer Emergency Response Team (CERT) dataset was used as the data source in this study. Extracted features from the dataset were normalized using Min-Max normalization. Standard scaler techniques and mutual information gain technique were used to determine the best features for classification. A hybrid detection model was formulated using the synergism of Convolutional Neural Network (CNN) and Gated Recurrent Unit (GRU) models. Model simulation was performed using python programming language. Performance evaluation was carried out by assessing and comparing the performance of the proposed model with a selected existing model using accuracy, precision and sensitivity as performance metrics. The result of the simulation showed that the developed model has an increase of 1.48% of detection accuracy, 4.21% of precision and 1.25% sensitivity over the existing model. This indicated that the developed hybrid approach was able to learn from sequences of user actions in a time and frequency domain and improves the detection rate of insider threats in cyberspace

Role based behavior analysis

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Nos nossos dias, o sucesso de uma empresa depende da sua agilidade e capacidade de se adaptar a condições que se alteram rapidamente. Dois requisitos para esse sucesso são trabalhadores proactivos e uma infra-estrutura ágil de Tecnologias de Informacão/Sistemas de Informação (TI/SI) que os consiga suportar. No entanto, isto nem sempre sucede. Os requisitos dos utilizadores ao nível da rede podem nao ser completamente conhecidos, o que causa atrasos nas mudanças de local e reorganizações. Além disso, se não houver um conhecimento preciso dos requisitos, a infraestrutura de TI/SI poderá ser utilizada de forma ineficiente, com excessos em algumas áreas e deficiências noutras. Finalmente, incentivar a proactividade não implica acesso completo e sem restrições, uma vez que pode deixar os sistemas vulneráveis a ameaças externas e internas. O objectivo do trabalho descrito nesta tese é desenvolver um sistema que consiga caracterizar o comportamento dos utilizadores do ponto de vista da rede. Propomos uma arquitectura de sistema modular para extrair informação de fluxos de rede etiquetados. O processo é iniciado com a criação de perfis de utilizador a partir da sua informação de fluxos de rede. Depois, perfis com características semelhantes são agrupados automaticamente, originando perfis de grupo. Finalmente, os perfis individuais são comprados com os perfis de grupo, e os que diferem significativamente são marcados como anomalias para análise detalhada posterior. Considerando esta arquitectura, propomos um modelo para descrever o comportamento de rede dos utilizadores e dos grupos. Propomos ainda métodos de visualização que permitem inspeccionar rapidamente toda a informação contida no modelo. O sistema e modelo foram avaliados utilizando um conjunto de dados reais obtidos de um operador de telecomunicações. Os resultados confirmam que os grupos projectam com precisão comportamento semelhante. Além disso, as anomalias foram as esperadas, considerando a população subjacente. Com a informação que este sistema consegue extrair dos dados em bruto, as necessidades de rede dos utilizadores podem sem supridas mais eficazmente, os utilizadores suspeitos são assinalados para posterior análise, conferindo uma vantagem competitiva a qualquer empresa que use este sistema.In our days, the success of a corporation hinges on its agility and ability to adapt to fast changing conditions. Proactive workers and an agile IT/IS infrastructure that can support them is a requirement for this success. Unfortunately, this is not always the case. The user’s network requirements may not be fully understood, which slows down relocation and reorganization. Also, if there is no grasp on the real requirements, the IT/IS infrastructure may not be efficiently used, with waste in some areas and deficiencies in others. Finally, enabling proactivity does not mean full unrestricted access, since this may leave the systems vulnerable to outsider and insider threats. The purpose of the work described on this thesis is to develop a system that can characterize user network behavior. We propose a modular system architecture to extract information from tagged network flows. The system process begins by creating user profiles from their network flows’ information. Then, similar profiles are automatically grouped into clusters, creating role profiles. Finally, the individual profiles are compared against the roles, and the ones that differ significantly are flagged as anomalies for further inspection. Considering this architecture, we propose a model to describe user and role network behavior. We also propose visualization methods to quickly inspect all the information contained in the model. The system and model were evaluated using a real dataset from a large telecommunications operator. The results confirm that the roles accurately map similar behavior. The anomaly results were also expected, considering the underlying population. With the knowledge that the system can extract from the raw data, the users network needs can be better fulfilled, the anomalous users flagged for inspection, giving an edge in agility for any company that uses it