
Insider threats detection model for email content using statistical analysis

Insider threats have recently become one of the most challenging classes of malicious activity for cybersecurity defence systems, in contrast to outsider threats. IP theft, fraud and sabotage against legal information are the three well-known types of insider threat. Because an insider threat usually expands and spreads internally, no one can predict what, when and how exactly a malicious insider will launch an attack. Email is one of the primary targets of an internal threat, since this medium is widely used by everyone to communicate, share and exchange confidential information. It is therefore extremely important to understand the nature of insider threat behaviour beforehand and to construct an accurate detection model. Furthermore, every keyword used in an email can reflect the behaviour of an individual and can be used to determine their intentions, such as whether or not they have a motive to launch an insider threat. This work therefore proposes a new approach to modelling insider threat detection. Several techniques, namely scoring, the Friedman test, linear regression (R²) and the correlation coefficient, are applied to analyse the relationship between historical insider threat behaviour and the relevant keywords extracted from email content. First, the email content is filtered into three factors that influence the characteristics of an insider, namely motive, opportunity and capability, before scores are calculated for the entire set of insider keywords. Next, the Friedman statistic is used to determine the minimum differences between the extracted insider threat keywords that represent the different insider threat factors (motive, opportunity, capability). Linear regression is then applied to estimate the insider threat relationship between training keywords and testing keywords, assigning an anomaly score. Finally, the correlation coefficient is used to determine how strong the relationship is between the extracted insider threat keywords and insider threat behaviour. The proposed modelling approach has been evaluated on the benchmark dataset known as CERT, which comprises a malicious email file. Throughout the experiments, the proposed insider threat detection approach achieved a higher attack detection rate and fewer undetected insider threat behaviours than previous researchers' work.

An Insider Threat Categorization Framework for Automated Manufacturing Execution System

Insider threats have become one of the most dangerous threats in the cyber world compared with outsider threats, because insiders have knowledge of the assets. In addition, the threat itself is considered invisible, and no one can predict what, when and how exactly it will be launched. Based on the literature reviewed, threats in Automated Manufacturing Execution Systems (AMESs) can be divided into three principal factors. However, no standard framework currently exists to categorize these factors in order to identify the possible features of insider threats. Therefore, from the literature reviewed, a standard theoretical framework for categorizing insider threats in AMESs has been proposed. Three principal factors, i.e. Human, Systems and Machine, are taken as the major categories of insider threats. The possible features for each factor are then identified based on previous researchers' recommendations. By identifying the possible features and categorizing them into principal factors or groups, a standard framework can be derived. This framework will be of particular benefit in the manufacturing field as a reference for mitigating insider threats.

Keywords: automated manufacturing execution systems insider threats, factors and features, insider threat categorization framework