The Visual Display of Quantitative Information

This paper surveys proposed solutions for the problem of insider attack detection appearing in the computer security research literature. We distinguish between masqueraders and traitors as two distinct cases of insider attack. After describing the challenges of this problem and highlighting current approaches and techniques pursued by the research community for insider attack detection, we suggest directions for future research.

/pdf/a-survey-of-insider-attack-detection-research-3l4ib14f5f.pdf

A Survey of Insider Attack Detection Research

A method and system for detecting anomalous action within a computer network is provided herein. The method starts with collecting raw data from at least one probe sensor that is associated with at least one router, switch or at least one server which are part of the computer network. Next, the raw data is being parsed and analyzed and meta-data is created from the raw data. Computer network actions are being identified based on existing knowledge about network protocols. The meta-data is associated with entities by analyzing the identified network actions and correlating between different computer network actions. Finally, creating at least one statistical model of the respective computer network said model including network actions' behavior pattern and online or batch detection of anomalous network actions associated with entities based on the statistical models.

A method for detecting anomaly action within a computer network

Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

Methods, systems, and media for detecting covert malware

Information communications technology systems are facing an increasing number of cyber security threats, the majority of which are originated by insiders. As insiders reside behind the enterprise-level security defence mechanisms and often have privileged access to the network, detecting and preventing insider threats is a complex and challenging problem. In fact, many schemes and systems have been proposed to address insider threats from different perspectives, such as intent, type of threat, or available audit data source. This survey attempts to line up these works together with only three most common types of insider namely traitor, masquerader, and unintentional perpetrator, while reviewing the countermeasures from a data analytics perspective. Uniquely, this survey takes into account the early stage threats which may lead to a malicious insider rising up. When direct and indirect threats are put on the same page, all the relevant works can be categorised as host, network, or contextual data-based according to audit data source and each work is reviewed for its capability against insider threats, how the information is extracted from the engaged data sources, and what the decision-making algorithm is. The works are also compared and contrasted. Finally, some issues are raised based on the observations from the reviewed works and new research gaps and challenges identified.

Detecting and Preventing Cyber Insider Threats: A Survey

Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity.

Insider threat detection

Malicious insiders do great harm and avoid detection by using their legitimate privileges to steal information that is often outside the scope of their duties. Based on information from public cases, consultation with domain experts, and analysis of a massive collection of information-use events and contextual information, we developed an approach for detecting insiders who operate outside the scope of their duties and thus violate need-to-know. Based on the approach, we built and evaluated elicit, a system designed to help analysts investigate insider threats. Empirical results suggest that, for a specified decision threshold of .5, elicit achieves a detection rate of .84 and a false-positive rate of .015, flagging per day only 23 users of 1, 548 for further scrutiny. It achieved an area under an roc curve of .92.

/pdf/elicit-a-system-for-detecting-insiders-who-violate-need-to-4s2yxxqizo.pdf

ELICIT: a system for detecting insiders who violate need-to-know

MITRE researchers designed a prototype system for identifying insider threats, which prompted a team of engineers and social scientists to experimentally study how malicious insiders use information differently from a benign baseline group. This research provides new insight into how malicious insiders behave.

Detecting Insider Theft of Trade Secrets

The massive volume of intrusion detection system (IDS) alarms generated on large networks, and the resulting need for labor-intensive security analysis of the text-based IDS alarm logs, has recently brought into question the cost-effectiveness of IDSs. In particular, when host-based IDSs are used to monitor an organization's internal networks, the majority of the resulting alarms represent legitimate, automated system administration. Because of the absence of ground truth about known attacks, we propose an unsupervised, anomaly-based method for automatically distinguishing alarms that are potentially generated by malicious insider attacks, from the repetitive and temporally structured legitimate system-administration alarms. The majority of previous work in this area has used heuristic and statistical filtering techniques to discard a relatively large proportion of alarms in the final presentation to the security analyst, which is a potentially dangerous practice. Instead, we demonstrate the use of a typicality measure to visualize the apparent risk associated with alarms, while retaining information about the temporal context of the entire alarm stream for the analyst to view. The relevance of the statistical method is examined by comparing the results to a set of analyst-curated alarms from an operational environment.

Statistical profiling and visualization for detection of malicious insider attacks on computer networks

Systems, methods, and computer program products for passively attributing anonymous network events to their associated users are provided herein. Embodiments include filtering network events over a pre-determined time interval to generate a filtered event list. In an embodiment, event attribution includes attributing an anonymous network event to a user associated with a nearest-neighbor event relative to the anonymous network event. In another embodiment, event attribution includes attributing an anonymous network event to a user associated with an event in the filtered event list, wherein that user maximizes an event attribution function. In a further embodiment, event attribution includes determining a first potential attribution user for an anonymous network event based on a nearest-neighbor attribution approach; determining a second potential attribution user for the anonymous network event based on an event attribution function approach; and comparing the first and second potential attribution users to determine the attribution of the anonymous event.

Gregory D. Stephens

Papers

Insider threat detection

ELICIT: a system for detecting insiders who violate need-to-know

Detecting Insider Theft of Trade Secrets

Statistical profiling and visualization for detection of malicious insider attacks on computer networks

Passively attributing anonymous network events to their associated users