8 research outputs found

    Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis

    Cyber security is vital to the success of today’s digital economy. The major security threats are coming from within, as opposed to outside forces. Insider threat detection and prediction are important mitigation techniques. This study addresses the following research questions: 1) What are the research trends in insider threat detection and prediction nowadays? 2) What are the challenges associated with insider threat detection and prediction? 3) What are the best-to-date insider threat detection and prediction algorithms? We conduct a systematic review of 37 articles published in peer-reviewed journals, conference proceedings and edited books for the period 1950–2015 to address the first two questions. Our survey suggests that the game theoretic approach (GTA) is a popular source of insider threat data; the insiders’ online activities are the most widely used features in insider threat detection and prediction; most of the papers use single point estimates of threat likelihood; and graph algorithms are the most widely used tools for detecting and predicting insider threats. The key challenges facing the insider threat detection and prediction system include unbounded patterns, uneven time lags between activities, data nonstationarity, individuality, collusion attacks, high false alarm rates, the class imbalance problem, undetected insider attacks, uncertainty, and the large number of free parameters in the model. To identify the best-to-date insider threat detection and prediction algorithms, our meta-analysis study excludes theoretical papers proposing conceptual algorithms from the 37 selected papers, resulting in the selection of 13 papers. We rank the insider threat detection and prediction algorithms presented in the 13 selected papers based on their theoretical merits and the transparency of information. To determine the significance of rank sums, we perform “the Friedman two-way analysis of variance by ranks” test and “multiple comparisons between groups or conditions” tests.

    One does not simply tweet without consequence: a study of the electoral contest in Ashgrove

    Twitter is now a fixture of society, an online meeting place for people to air their grievances about human rights and civil liberty, discuss global warming, stalk celebrities and show off their cats. It is an unedited forum of comments that is a gold mine of free data for those who seek to monitor opinions on everything from mobile phone providers to voting preferences. It is now unusual for modern political candidates not to sustain a social media presence during their campaign in order to connect with their constituency. This study examines Twitter use by candidates in a single electorate—the seat of Ashgrove—during an election campaign in the Australian state of Queensland in March 2012. In particular, it looks at how Twitter user groups drive concept discussions around themes and concepts within the campaign, thereby exerting influence within the domain as part of the election process. Using a theory building approach, the data set made up of 35,000 tweets was analysed using text analytics software to reveal how Twitter can be used as a feedback mechanism for candidates, how user groups drive concept discussions on Twitter, the role of legacy media within this framework, and how the language of Twitter is a unique genre of communication.

    Technical Sensoriums: A Speculative Investigation into the Entanglement and Convergence of Surveillance and Technology

    Surveillance and technology are among the most prevalent phenomena in the developed world, the proliferation of which is abetted by an ever increasing profusion of products and services extending the competencies of these capabilities into new opportunities and markets worldwide. More significantly, this momentum is leading to a convergence of these disparate competencies towards a common techno-surveillant milieu. Yet much of what is written and theoretically understood about these topics (singularly and collectively) fails to provide for a unified accounting that anticipates either the trajectory or the heterogeneous forms of this converging phenomenon. This project sets out to excavate why our understanding of techno-surveillance is so myopic. Following the evidence, I assert that this short-sightedness is not simply the result of methodological shortcomings. Rather, most researchers of surveillance and technology are blinded by philosophical presumptions (primarily grounded in epistemology) that exclude the kinds of questions (largely ontological) they must ask to go deeper in their investigations. This study examines the archaeological detritus of an early techno-surveillant system, the characteristics of which are typical of the kinds of systems that have come to challenge researchers about the implications of their analyses. Based on this analysis, this study proposes an ontological model, which I call ontigeny, that is consistent with the evidence and helps to explain the heterogeneity of techno-surveillance, as well as its potential trajectories.

    Mathematical models for insider threat mitigation

    The world is rapidly undergoing a massive digital transformation where every human will have no choice but to rely on the confidentiality, integrity, and availability of information systems. At the same time, there are increasing numbers of malicious attackers who are ever trying to compromise information systems for financial or political gain. Given the threat landscape and its sophistication, the traditional approach of fortifying the castle will not provide sufficient protection to information systems. This formidable threat can only be restrained by a new approach, which looks both inwards and outwards for potential attacks. It is well established that humans are the weakest link when it comes to information security controls, although the same humans are considered the most valued assets. A trusted custodian with malicious intent can inflict enormous damage on critical information assets. Often these attacks go unnoticed for a considerable period and will have caused irreversible damage to the organisation by the time they are discovered. In the recent past, there have been well publicised data compromises in the media which have damaged the reputations of governments and organisations and in some cases endangered human life. While some of these leaks can be classified as whistleblowing in the public interest, they are very real examples of information compromises in the context of information security. High profile leaks by Edward Snowden and Bradley (Chelsea) Manning are perfect examples of the potential damage from an insider. Furthermore, most malicious insider activities go unnoticed or unpublicised as a damage control measure by the affected organisations. While there is a lot of research and investment going into insider threat prevention, these attacks are on the rise at an alarming rate.

    A comprehensive study of publicly available insider threat cases, academic literature, and technical reports reveals the need for a multifaceted view of the problem. The insider threat problem can no longer be treated only as a technical, data driven problem but requires the analysis of associated factors, a combination of technical and human behavioural aspects going beyond the traditional technology driven approaches. Furthermore, there is no universally agreed comprehensive feature set, as the majority of the proposed models are bounded to a single threat scenario or conducted on a specific system. In order to overcome this limitation, this thesis introduces a precise user profile model integrating insider threat related parameters from technical, behavioural, psychological, and organisational paradigms. The proposed user profile model is a combination of: a comprehensive insider threat detection and prediction feature set; a collection of various techniques for feature specific user behaviour comparisons; and a framework for quantifying user behaviour as a numerical value. The unpredictability of malicious attackers and the complexity of malicious actions necessitate the careful analysis of network, system and user parameters correlated with the insider threat problem. Also, unearthing the hidden evidence requires the analysis of an enormous amount of data generated from heterogeneous input streams. This creates a high dimensional, heterogeneous data analysis problem for distinguishing suspicious users from benign users. This creates the need to identify an appropriate means for data representation and feature extraction. Since traditional graph theory and new approaches in the field of complex networks enable the means of representing high dimensional, heterogeneous data, the feasibility of the use of graphs for data representation and feature extraction is investigated, going beyond traditional data mining techniques.

    Unattributed graphs are introduced to represent users’ device usage data, web access data, and organisational hierarchy. A graph based feature extraction technique based on subgraphs generated on different orders of neighbourhoods is introduced. A graph based approach to capture inter-user relationships using web access data is presented. Various insider threat models proposed in the literature, including intrusion detection based approaches, system call based approaches, honeypot based approaches and stream mining approaches, end up with high false positive rates. More recently, machine learning approaches for identifying suspicious users from normal users have increased. However, the application of graph based anomaly detection techniques addressing the insider threat problem is relatively rare in the academic literature as well as uncommon in the commercial world. Therefore, we focused our attention on graph based anomaly detection techniques for differentiating suspicious users from benign users. This thesis introduces two distinct insider threat detection frameworks. The first is a hybrid insider threat detection framework based on a graph theoretic feature extraction mechanism and an unsupervised anomaly detection algorithm. The second is built on an attributed graph clustering mechanism integrated with an outlier ranking mechanism. Finally, a comprehensive theoretical and commercially viable framework for insider threat mitigation integrating user profiling, threat detection, and threat detection is introduced.