Formalising policies for insider-threat detection:
A tripwire grammar

Ioannis Agrafiotis
+, Arnau Erola, Michael Goldsmith, and Sadie Creese

University of Oxford, Parks Rd, Oxford OX1 3QD, United Kingdom

{ioannis.agrafiotis, arnau.erola, michael.goldsmith, sadie.creese} 




The threat that organisations face from within is growing significantly, as it has been widely demonstrated by the harm that insiders have caused recently. For many years the security community has invested in barriers and perimeters, of increasing sophistication, designed to keep those with malign intent outside of the organisationsí information infrastructures. But assuming that one can keep the threat out of an organisation is simply not a practical stance to adopt. In our research we are concerning ourselves with how technology might be deployed to help with the detection of insider threats both automatically and in support of human-led mechanisms. This paper describes our recent research into how we might support threat detection when actions taken can be immediately determined as of concern. In particular we capture actions that fall into one of two categories: those that violate a policy which is specifically crafted to describe behaviours that should be avoided; or those that exhibit behaviours which follow a pattern of a known insider-threat attack. We view these concerning actions as something that we can design and implement tripwires within a system to detect. We then orchestrate these tripwires in conjunction with an anomaly detection system. We present a review of the security policies organisation apply and a grammar to describe tripwires. We further validate our grammar by formalising the most common tripwires for both categories. Our aim is to provide a single framework for unambiguously capturing tripwires, alongside a library of existing ones in use. Therefore, tripwires may be used to map experiences regardless of the heterogeneity of the security tools and practices deployed.


Keywords: Insider-threat detection, Security policies, Validation, Grammar.


+: Corresponding author: Ioannis Agrafiotis
Wolfson Building, University of Oxford, Parks Rd, Oxford OX1 3QD, United Kingdom,
Tel: +44-1865-610805, Email:


Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)
Vol. 8, No. 1, pp. 26-43, March 2017 [pdf]