Exploring an agent as an economic insider threat solution

The insider threat is a security problem that is well-known and has a long history, yet it still remains an invisible enemy. Insiders know the security processes and have accesses that allow them to easily cover their tracks. In recent years the idea of monitoring separately for these threats has come into its own. However, the tools currently in use have disadvantages and one of the most effective techniques of human review is costly. This paper explores the development of an intelligent agent that uses already in-place computing material for inference as an inexpensive monitoring tool for insider threats. Design Science Research (DSR) is a methodology used to explore and develop an IT artifact, such as for this intelligent agent research. This methodology allows for a structure that can guide a deep search method for problems that may not be possible to solve or could add to a phenomenological instantiation

Using Genetic Algorithm to Minimize False Alarms in Insider Threats Detection of Information Misuse in Windows Environment

Insider threats detection problem has always been one of the most difficult challenges for organizations and research community. Effective behavioral categorization of users plays a vital role for the success of any detection mechanisms. It also helps to reduce false alarms in case of insider threats. In order to achieve this, a fuzzy classifier has been implemented along with genetic algorithm (GA) to enhance the efficiency of a fuzzy classifier. It also enhances the functionality of all other modules to achieve better results in terms of false alarms. A scenario driven approach along with mathematical evaluation verifies the effectiveness of the modified framework. It has been tested for the enterprises having critical nature of business. Other organizations can adopt it in accordance with their specific nature of business, need, and operational processes. The results prove that accurate classification and detection of users were achieved by adopting the modified framework which in turn minimizes false alarms

Design and Analysis of a Dynamically Configured Log-based Distributed Security Event Detection Methodology

Military and defense organizations rely upon the security of data stored in, and communicated through, their cyber infrastructure to fulfill their mission objectives. It is essential to identify threats to the cyber infrastructure in a timely manner, so that mission risks can be recognized and mitigated. Centralized event logging and correlation is a proven method for identifying threats to cyber resources. However, centralized event logging is inflexible and does not scale well, because it consumes excessive network bandwidth and imposes significant storage and processing requirements on the central event log server. In this paper, we present a flexible, distributed event correlation system designed to overcome these limitations by distributing the event correlation workload across the network of event-producing systems. To demonstrate the utility of the methodology, we model and simulate centralized, decentralized, and hybrid log analysis environments over three accountability levels and compare their performance in terms of detection capability, network bandwidth utilization, database query efficiency, and configurability. The results show that when compared to centralized event correlation, dynamically configured distributed event correlation provides increased flexibility, a significant reduction in network traffic in low and medium accountability environments, and a decrease in database query execution time in the high-accountability case

Sleight of Hand: Identifying Concealed Information by Monitoring Mouse-Cursor Movements

Organizational members who conceal information about adverse behaviors present a substantial risk to that organization. Yet the task of identifying who is concealing information is extremely difficult, expensive, error-prone, and time-consuming. We propose a unique methodology for identifying concealed information: measuring people’s mouse-cursor movements in online screening questionnaires. We theoretically explain how mouse-cursor movements captured during a screening questionnaire differ between people concealing information and truth tellers. We empirically evaluate our hypotheses using an experiment during which people conceal information about a questionable act. While people completed the screening questionnaire, we simultaneously collected mouse-cursor movements and electrodermal activity—the primary sensor used for polygraph examinations—as an additional validation of our methodology. We found that mouse-cursor movements can significantly differentiate between people concealing information and people telling the truth. Mouse-cursor movements can also differentiate between people concealing information and truth tellers on a broader set of comparisons relative to electrodermal activity. Both mouse-cursor movements and electrodermal activity have the potential to identify concealed information, yet mouse-cursor movements yielded significantly fewer false positives. Our results demonstrate that analyzing mouse-cursor movements has promise for identifying concealed information. This methodology can be automated and deployed online for mass screening of individuals in a natural setting without the need for human facilitators. Our approach further demonstrates that mouse-cursor movements can provide insight into the cognitive state of computer users

VISTA:an inclusive insider threat taxonomy, with mitigation strategies

Insiders have the potential to do a great deal of damage, given their legitimate access to organisational assets and the trust they enjoy. Organisations can only mitigate insider threats if they understand what the different kinds of insider threats are, and what tailored measures can be used to mitigate the threat posed by each of them. Here, we derive VISTA (inclusiVe InSider Threat tAxonomy) based on an extensive literature review and a survey with C-suite executives to ensure that the VISTA taxonomy is not only scientifically grounded, but also meets the needs of organisations and their executives. To this end, we map each VISTA category of insider threat to tailored mitigations that can be deployed to reduce the threat

Detection and prediction of insider threats to cyber security: a systematic literature review and meta-analysis

Cyber security is vital to the success of today’s digital economy. The major security threats are coming from within, as opposed to outside forces. Insider threat detection and prediction are important mitigation techniques. This study addresses the following research questions: 1) what are the research trends in insider threat detection and prediction nowadays? 2) What are the challenges associated with insider threat detection and prediction? 3) What are the best-to-date insider threat detection and prediction algorithms? We conduct a systematic review of 37 articles published in peer-reviewed journals, conference proceedings and edited books for the period of 1950–2015 to address the first two questions. Our survey suggests that game theoretic approach (GTA) is a popular source of insider threat data; the insiders’ online activities are the most widely used features in insider threat detection and prediction; most of the papers use single point estimates of threat likelihood; and graph algorithms are the most widely used tools for detecting and predicting insider threats. The key challenges facing the insider threat detection and prediction system include unbounded patterns, uneven time lags between activities, data nonstationarity, individuality, collusion attacks, high false alarm rates, class imbalance problem, undetected insider attacks, uncertainty, and the large number of free parameters in the model. To identify the best-to-date insider threat detection and prediction algorithms, our meta-analysis study excludes theoretical papers proposing conceptual algorithms from the 37 selected papers resulting in the selection of 13 papers. We rank the insider threat detection and prediction algorithms presented in the 13 selected papers based on the theoretical merits and the transparency of information. To determine the significance of rank sums, we perform “the Friedman two-way analysis of variance by ranks” test and “multiple comparisons between groups or conditions” tests

Development of a Methodology for Customizing Insider Threat Auditing on a Linux Operating System

Insider threats can pose a great risk to organizations and by their very nature are difficult to protect against. Auditing and system logging are capabilities present in most operating systems and can be used for detecting insider activity. However, current auditing methods are typically applied in a haphazard way, if at all, and are not conducive to contributing to an effective insider threat security policy. This research develops a methodology for designing a customized auditing and logging template for a Linux operating system. An intent-based insider threat risk assessment methodology is presented to create use case scenarios tailored to address an organization’s specific security needs and priorities. These organization specific use cases are verified to be detectable via the Linux auditing and logging subsystems and the results are analyzed to create an effective auditing rule set and logging configuration for the detectable use cases. Results indicate that creating a customized auditing rule set and system logging configuration to detect insider threat activity is possible

Air Force Institute of Technology Research Report 2009

This report summarizes the research activities of the Air Force Institute of Technology’s Graduate School of Engineering and Management. It describes research interests and faculty expertise; lists student theses/dissertations; identifies research sponsors and contributions; and outlines the procedures for contacting the school. Included in the report are: faculty publications, conference presentations, consultations, and funded research projects. Research was conducted in the areas of Aeronautical and Astronautical Engineering, Electrical Engineering and Electro-Optics, Computer Engineering and Computer Science, Systems and Engineering Management, Operational Sciences, Mathematics, Statistics and Engineering Physics