Towards a User and Role-based Sequential Behavioural Analysis Tool

Ioannis Agrafiotis+, Philip Legg, Michael Goldsmith, and Sadie Creese
Cyber Security Centre, Department of Computer Science, University of Oxford, UK.

Abstract

Insider threat is recognised to be a significant
problem and of great concern to both corporations and governments alike.
Traditional intrusion detection systems are known to be ineffective due to the
extensive knowledge and capability that insiders typically have regarding the
organisational setup. Instead, more sophisticated measures are required to
analyse the actions performed by those within the organisation, to assess
whether their actions suggest that they pose a threat. In this paper, we
propose a proof-of-concept that focuses on the use of activity trees to
establish sequential-based analysis of employee behaviour. This concept
combines the notions of previously-proposed techniques such as attack trees
and behaviour trees. For a given employee, we define a tree that can
represent all sequences of their observed behaviours. Over time, branches are
either appended or created to reflect the new observations that are made on
how the employee acts. We also incorporate a similarity measure to establish
how different branches compare against each other. Attacks can then be defined as
cases where the similarity measure between a newly-observed branch and every
existing branch falls below a given acceptance criterion. The approach would allow an
analyst to observe chains of events that result in low probability activities
that could be deemed as unusual and therefore may be malicious. We
demonstrate our proof-of-concept using third-party synthetic employee
activity logs, to illustrate the practicalities of delivering this form of
protective monitoring.

Keywords: Insider threat, Anomaly detection, Attack trees

+: Corresponding author: Ioannis Agrafiotis, OX1 3QD, UK, Tel: +44-(0)1865-273838, Email: ioannis.agrafiotis@cs.ox.ac.uk

Journal of Internet Services and Information Security (JISIS), 4(4): 127-137, November 2014
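The activity-tree idea outlined in the abstract, as an added worked example in Python. This is an illustration written for this page, not the authors' prototype: the log format (one "timestamp,user,action" line per event, one session per user-day), the similarity measure (a normalised longest-common-subsequence ratio) and the acceptance criterion (a fixed threshold of 0.6) are all my assumptions, and the log lines are constructed, not taken from the third-party dataset the paper uses.

```python
"""Activity-tree sketch of the abstract's idea (added illustration, not the
authors' prototype). Assumed here: a session is one user-day of
"timestamp,user,action" lines, similarity is a normalised longest-common-
subsequence ratio, and the acceptance criterion is a fixed 0.6 threshold."""
from collections import defaultdict

THRESHOLD = 0.6  # assumed acceptance criterion; the abstract fixes no value

# Constructed synthetic log (not the paper's data). alice's fourth session is
# a late-night device/file sequence; bob performs that same sequence daily.
SAMPLE_LOG = """\
2014-11-03T08:58:00,alice,logon
2014-11-03T09:02:00,alice,email
2014-11-03T09:30:00,alice,http
2014-11-03T17:10:00,alice,logoff
2014-11-04T08:55:00,alice,logon
2014-11-04T09:05:00,alice,http
2014-11-04T09:40:00,alice,email
2014-11-04T17:05:00,alice,logoff
2014-11-05T09:01:00,alice,logon
2014-11-05T09:10:00,alice,email
2014-11-05T09:20:00,alice,http
2014-11-05T17:00:00,alice,logoff
2014-11-06T22:30:00,alice,logon
2014-11-06T22:35:00,alice,device
2014-11-06T22:50:00,alice,file
2014-11-06T23:40:00,alice,logoff
2014-11-03T09:00:00,bob,logon
2014-11-03T09:10:00,bob,device
2014-11-03T09:30:00,bob,file
2014-11-03T17:30:00,bob,logoff
2014-11-04T09:02:00,bob,logon
2014-11-04T09:12:00,bob,device
2014-11-04T09:28:00,bob,file
2014-11-04T17:25:00,bob,logoff
"""


def similarity(a, b):
    """Normalised LCS: 2*LCS(a,b)/(|a|+|b|). 1.0 = same actions in the same
    order, 0.0 = nothing in common. An assumed measure, not the paper's."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return 2 * prev[-1] / (len(a) + len(b)) if (a or b) else 1.0


class ActivityTree:
    """Per-employee tree: each root-to-leaf path is one observed session."""

    def __init__(self):
        self.root = {}         # action -> {"count": n, "children": {...}}
        self.branches = set()  # observed sequences, used for scoring

    def add(self, seq):
        """Insert a session. Returns the number of nodes created: 0 means the
        branch already existed, len(seq) means a wholly new branch."""
        node, created = self.root, 0
        for action in seq:
            child = node.get(action)
            if child is None:
                child = node[action] = {"count": 0, "children": {}}
                created += 1
            child["count"] += 1
            node = child["children"]
        self.branches.add(tuple(seq))
        return created

    def max_similarity(self, seq):
        """Best match of seq against every branch seen so far (None if none)."""
        if not self.branches:
            return None
        return max(similarity(list(seq), list(b)) for b in self.branches)


def sessions(log_text):
    """Group log lines into (user, day, [actions in time order])."""
    grouped = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, action = line.split(",")
        grouped[(user, ts[:10])].append((ts, action))
    for (user, day), events in sorted(grouped.items()):
        yield user, day, [action for _, action in sorted(events)]


def analyse(log_text, threshold=THRESHOLD):
    """Score each session against the user's tree *before* inserting it, so a
    session cannot match itself; a user's first session is baseline only."""
    trees, alerts = defaultdict(ActivityTree), []
    for user, day, seq in sessions(log_text):
        score = trees[user].max_similarity(seq)
        if score is not None and score < threshold:
            alerts.append((user, day, round(score, 2), seq))
        trees[user].add(seq)
    return trees, alerts


if __name__ == "__main__":
    _, found = analyse(SAMPLE_LOG)
    for user, day, score, seq in found:
        print(f"{user} {day} max-similarity={score}: {' -> '.join(seq)}")
```

Two details matter in practice. Scoring must happen before the session is added to the tree, otherwise every session trivially matches itself with similarity 1.0. And the baseline is per user: alice's late-night logon, device, file, logoff session scores 0.5 against her email/http branches and is flagged, while the identical sequence is bob's daily routine and is never flagged. The first session for each user can only seed the tree, so the cold-start period is unmonitored under this scheme and a threshold such as 0.6 has to be tuned against the false-positive rate the analyst can absorb.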