
    Automated insider threat detection system using user and role-based profile assessment

    © 2007-2012 IEEE. Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Those who have authorized access to sensitive organizational data are placed in a position of power that could well be abused and could cause significant damage to an organization. This could range from financial theft and intellectual property theft to the destruction of property and business reputation. Traditional intrusion detection systems are neither designed nor capable of identifying those who act maliciously within an organization. In this paper, we describe an automated system that is capable of detecting insider threats within an organization. We define a tree-structure profiling approach that incorporates the details of activities conducted by each user and each job role and then use this to obtain a consistent representation of features that provide a rich description of the user's behavior. Deviation can be assessed based on the amount of variance that each user exhibits across multiple attributes, compared against their peers. We have performed experimentation using ten synthetic data-driven scenarios and found that the system can identify anomalous behavior that may be indicative of a potential threat. We also show how our detection system can be combined with visual analytics tools to support further investigation by an analyst.

    An Insider Threat Categorization Framework for Automated Manufacturing Execution System

    Insider threats have become one of the most dangerous threats in the cyber world compared to outsider threats, as insiders have knowledge of assets. In addition, the threat itself is considered invisible, and no one can predict what, when and how exactly the threat is launched. Based on the literature reviewed, threats in Automated Manufacturing Execution Systems (AMESs) can be divided into three principal factors. Moreover, no standard framework exists nowadays that can be referred to in order to categorize such factors and identify possible insider threat features. Therefore, from the literature reviewed, a standard theoretical insider threat categorization framework for AMESs has been proposed. Hence, three principal factors, i.e. Human, Systems and Machine, have been considered as the major categorization of insider threats. Consequently, the possible features for each factor were identified based on previous researchers' recommendations. Therefore, by identifying possible features and categorizing them into principal factors or groups, a standard framework could be derived. This framework will contribute more benefit specifically in the manufacturing field as a reference to mitigate insider threats.
    Keywords: automated manufacturing execution systems, insider threats, factors and features, insider threat categorization framework

    Activity Pattern Discovery from Network Captures

    Investigating insider threat cases is challenging because activities are conducted with legitimate access that makes distinguishing malicious activities from normal activities difficult. To assist with identifying non-normal activities, we propose using two types of pattern discovery to identify a person's behavioral patterns in network data. The behavioral patterns serve to deemphasize normal behavior so that insider threat investigations can focus attention on potentially more relevant. Results from a controlled experiment demonstrate the highlighting of a suspicious event through the reduction of events belonging to discovered patterns. Abstract © 2016 IEEE

    Sleight of Hand: Identifying Concealed Information by Monitoring Mouse-Cursor Movements

    Organizational members who conceal information about adverse behaviors present a substantial risk to that organization. Yet the task of identifying who is concealing information is extremely difficult, expensive, error-prone, and time-consuming. We propose a unique methodology for identifying concealed information: measuring people’s mouse-cursor movements in online screening questionnaires. We theoretically explain how mouse-cursor movements captured during a screening questionnaire differ between people concealing information and truth tellers. We empirically evaluate our hypotheses using an experiment during which people conceal information about a questionable act. While people completed the screening questionnaire, we simultaneously collected mouse-cursor movements and electrodermal activity—the primary sensor used for polygraph examinations—as an additional validation of our methodology. We found that mouse-cursor movements can significantly differentiate between people concealing information and people telling the truth. Mouse-cursor movements can also differentiate between people concealing information and truth tellers on a broader set of comparisons relative to electrodermal activity. Both mouse-cursor movements and electrodermal activity have the potential to identify concealed information, yet mouse-cursor movements yielded significantly fewer false positives. Our results demonstrate that analyzing mouse-cursor movements has promise for identifying concealed information. This methodology can be automated and deployed online for mass screening of individuals in a natural setting without the need for human facilitators. Our approach further demonstrates that mouse-cursor movements can provide insight into the cognitive state of computer users.

    Factors Influencing Support for Insider Threat Behaviours: Anger Rumination, Job Satisfaction, Right-Wing Authoritarianism and Depression/Anxiety

    The research on insider threats is largely limited to reactive security measures, with little consideration given to the psychological profile of insider threats and those that support these types of attacks against different industries and government bodies. In two studies, we examined the roles of anger rumination, job satisfaction, depression/anxiety, and right-wing authoritarianism as predictors of insider threats. In Study 1, we considered the role of anger rumination and job satisfaction as predictors of support for insider threat activities as presented through scenarios. As predicted, results indicated that both variables were strong predictors of organisational resentment and insider threat justification, with anger rumination also acting as a predictor of insider threat proclivity. In Study 2, we examined right-wing authoritarianism and depression/anxiety as predictors of insider threats. A multiple regression analysis revealed that right-wing authoritarianism negatively correlated with support for insider threats. There was no significant relationship between either depression or anxiety and support for insider threat activities. These findings suggest that a lack of authoritarian tendencies may play a role in justifying insider threat behaviours, whereas depression and anxiety do not appear to have a direct influence.

    Novel Alert Visualization: The Development of a Visual Analytics Prototype for Mitigation of Malicious Insider Cyber Threats

    Cyber insider threat is one of the most difficult risks to mitigate in organizations. However, innovative validated visualizations for cyber analysts to better decipher and react to detected anomalies have not been reported in the literature or in industry. Attacks caused by malicious insiders can cause millions of dollars in losses to an organization. Though there have been advances in Intrusion Detection Systems (IDSs) over the last three decades, traditional IDSs do not specialize in anomaly identification caused by insiders. There is also a profuse amount of data being presented to cyber analysts when deciphering big data and reacting to data breach incidents using complex information systems. Information visualization is pertinent to the identification and mitigation of malicious cyber insider threats. The main goal of this study was to develop and validate, using Subject Matter Experts (SMEs), an executive insider threat dashboard visualization prototype. Using the developed prototype, an experimental study was conducted, which aimed to assess the perceived effectiveness in enhancing the analysts’ interface when complex data correlations are presented to mitigate malicious insider cyber threats. Dashboard-based visualization techniques could be used to give full visibility of network progress and problems in real time, especially within complex and stressful environments. For instance, in an Emergency Room (ER), there are four main vital signs used for urgent patient triage. Cybersecurity vital signs can give cyber analysts clear focal points during high-severity issues. Pilots must expeditiously reference the Heads Up Display (HUD), which presents only key indicators to make critical decisions during unwarranted deviations or an immediate threat. Current dashboard-based visualization techniques have yet to be fully validated within the field of cybersecurity. This study developed a visualization prototype based on SME input utilizing the Delphi method. SMEs validated the perceived effectiveness of several different types of the developed visualization dashboard. Quantitative analysis of SMEs’ perceived effectiveness via self-reported value and satisfaction data, as well as qualitative analysis of feedback provided during the experiments using the developed prototype, were performed. This study identified critical cyber visualization variables and identified visualization techniques. The identifications were then used to develop QUICK.v™, a prototype to be used when mitigating potentially malicious cyber insider threats. The perceived effectiveness of QUICK.v™ was then validated. Insights from this study can aid organizations in enhancing cybersecurity dashboard visualizations by depicting only critical cybersecurity vital signs.

    Exploring Data Security Management Strategies for Preventing Data Breaches

    Insider threat continues to pose a risk to organizations, and in some cases, the country at large. Data breach events continue to show that the insider threat risk has not subsided. This qualitative case study sought to explore the data security management strategies used by database and system administrators to prevent data breaches by malicious insiders. The study population consisted of database administrators and system administrators from a government contracting agency in the northeastern region of the United States. The general systems theory, developed by von Bertalanffy, was used as the conceptual framework for the research study. The data collection process involved interviewing database and system administrators (n = 8), organizational documents and processes (n = 6), and direct observation of a training meeting (n = 3). By using methodological triangulation and by member checking with interviews and direct observation, efforts were taken to enhance the validity of the findings of this study. Through thematic analysis, 4 major themes emerged from the study: enforcement of organizational security policy through training, use of multifaceted identity and access management techniques, use of security frameworks, and use of strong technical control operations mechanisms. The findings of this study may benefit database and system administrators by enhancing their data security management strategies to prevent data breaches by malicious insiders. Enhanced data security management strategies may contribute to social change by protecting organizational and customer data from malicious insiders, which could otherwise lead to espionage, identity theft, trade secret exposure, and cyber extortion.