A Framework for Detecting Insider Threats using
Psychological Triggers
Takayuki Sasaki
Service Platforms Res. Labs.
NEC Corporation
1753 Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa, Japan
Tel:+81-44-431-7686
Abstract
Malicious insiders are difficult to detect and prevent, because insiders such as employees have legitimate rights to access the organization's resources in order to carry out their responsibilities. To overcome this problem, we have developed a framework that detects suspicious insiders using a psychological trigger that impels malicious insiders to behave suspiciously. We have also proposed an architecture comprising an announcer, a monitor, and an analyzer. First, the announcer creates an event (called a "trigger") that impels malicious insiders to behave suspiciously. Then the monitors record suspicious actions such as file/e-mail deletions. Finally, the analyzer identifies the suspicious insiders by comparing the number of deletions before and after the trigger. In this paper, we extend the monitored reaction from "data deletion" alone to "stopping further malicious activities". This extension allows a wider variety of use cases, such as "finding private web browsing" and "finding use of unnecessary applications". We also extend the architecture so as to monitor servers as well as clients. The server monitoring architecture is required in the case of server-side data deletions, i.e., e-mail or file deletions performed on the server. Moreover, we describe the effectiveness of our approach in such cases.
Keywords: insider threat detection, sealing of evidence
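The analyzer step described in the abstract, as an added example that is not the paper's own code: it counts each user's monitored events in equal windows before and after the trigger and flags users whose behaviour changes sharply. A rising count covers the original "data deletion" reaction; a falling count is my reading of the extended "stop further malicious activities" reaction (private browsing that stops once the trigger is announced). The log format, event names, users, trigger time, window length and thresholds are all assumptions made for this illustration.

```python
"""Added example (not the paper's code): a minimal 'analyzer' in the spirit of
the abstract above.  It counts each user's monitored events in equal windows
before and after a trigger and flags users whose behaviour changes sharply.
The log format, event names, users, trigger time and thresholds are all
assumptions made for this illustration."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit log (assumed format: ISO timestamp, user, event type).
# The announcer's trigger (e.g. an audit notice) goes out at 12:00.
SAMPLE_LOG = """\
2012-03-01T09:15:00 alice FILE_DELETE
2012-03-01T10:00:00 bob FILE_DELETE
2012-03-01T11:30:00 bob FILE_DELETE
2012-03-01T09:20:00 carol WEB_BROWSE_PRIVATE
2012-03-01T09:50:00 carol WEB_BROWSE_PRIVATE
2012-03-01T10:40:00 carol WEB_BROWSE_PRIVATE
2012-03-01T11:10:00 carol WEB_BROWSE_PRIVATE
2012-03-01T11:45:00 carol WEB_BROWSE_PRIVATE
2012-03-01T09:30:00 dave WEB_BROWSE_PRIVATE
2012-03-01T10:30:00 dave WEB_BROWSE_PRIVATE
2012-03-01T11:00:00 dave WEB_BROWSE_PRIVATE
2012-03-01T11:50:00 dave WEB_BROWSE_PRIVATE
# --- trigger announced at 12:00 ---
2012-03-01T12:05:00 alice FILE_DELETE
2012-03-01T12:06:00 alice FILE_DELETE
2012-03-01T12:07:00 alice MAIL_DELETE
2012-03-01T12:10:00 alice FILE_DELETE
2012-03-01T12:12:00 alice FILE_DELETE
2012-03-01T12:20:00 alice FILE_DELETE
2012-03-01T12:30:00 alice FILE_DELETE
2012-03-01T13:00:00 bob FILE_DELETE
2012-03-01T14:30:00 bob FILE_DELETE
2012-03-01T12:40:00 dave WEB_BROWSE_PRIVATE
2012-03-01T13:20:00 dave WEB_BROWSE_PRIVATE
2012-03-01T14:00:00 dave WEB_BROWSE_PRIVATE
2012-03-01T14:45:00 dave WEB_BROWSE_PRIVATE
2012-03-01T16:00:00 alice FILE_DELETE
"""

TRIGGER_AT = datetime(2012, 3, 1, 12, 0, 0)   # assumed trigger time
WINDOW = timedelta(hours=3)                    # compare 3 h before vs 3 h after
DELETION_EVENTS = {"FILE_DELETE", "MAIL_DELETE"}
PRIVATE_BROWSING = {"WEB_BROWSE_PRIVATE"}


def parse_log(text):
    """Parse 'timestamp user event' lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def count_window(events, event_types, start, end):
    """Per-user count of the given event types with start <= timestamp < end."""
    counts = Counter()
    for ts, user, event in events:
        if event in event_types and start <= ts < end:
            counts[user] += 1
    return counts


def find_suspects(events, event_types, trigger, window, direction,
                  min_events=3, ratio=3.0):
    """Return {user: (before, after)} for users whose count of event_types
    rose ('increase', e.g. deletions) or fell ('decrease', e.g. private
    browsing that stops) by at least `ratio` across the trigger.
    min_events keeps a single stray event from being flagged."""
    before = count_window(events, event_types, trigger - window, trigger)
    after = count_window(events, event_types, trigger, trigger + window)
    suspects = {}
    for user in sorted(set(before) | set(after)):
        b, a = before[user], after[user]
        if direction == "increase":
            changed = a >= min_events and a >= ratio * max(b, 1)
        elif direction == "decrease":
            changed = b >= min_events and b >= ratio * max(a, 1)
        else:
            raise ValueError("direction must be 'increase' or 'decrease'")
        if changed:
            suspects[user] = (b, a)
    return suspects


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("deletion spike after trigger:",
          find_suspects(events, DELETION_EVENTS, TRIGGER_AT, WINDOW, "increase"))
    print("private browsing that stopped:",
          find_suspects(events, PRIVATE_BROWSING, TRIGGER_AT, WINDOW, "decrease"))
```

Two practical caveats follow from the abstract itself. The trigger only discriminates if it is something an honest user has no reason to react to, so `min_events` and `ratio` need tuning against a baseline of normal cleanup behaviour, or routine housekeeping will be flagged. And because a deletion can happen on the mail or file server rather than on the client, the log fed to `parse_log` must include server-side audit records (the server monitoring the paper adds), otherwise such deletions never reach the analyzer.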
Journal of Wireless Mobile Networks,
Ubiquitous Computing, and Dependable Applications (JoWUA),
Vol. 3, No. 1/2, pp. 99-119, March 2012