Stopping the Insider at the Gates: Protecting Organizational Assets Through Graph Mining

Pablo Moriano (1, +), Jared Pendleton (2), Steven Rich (3), and L. Jean Camp (1)

1 School of Informatics, Computing, and Engineering, Indiana University, Bloomington, IN 47408, USA. {pmoriano, ljcamp}@indiana.edu
2 Advanced Security Initiatives Group, Cisco Systems, Inc., Knoxville, TN 37932, USA. jarpendl@cisco.com
3 Advanced Security Research Group, Cisco Systems, Inc., Knoxville, TN 37932, USA. srich@cisco.com

Abstract

The increasing threat of insider attacks has resulted
in a correlated increase in incentives to monitor trusted insiders. Measures
of volumes of access, detailed background checks, and statistical characterizations
of employee behaviors are all commonly used to mitigate the insider threat.
These traditional approaches usually rely on supervised learning models or
case studies to determine the critical features or attributes that can be
used as indicators. Such approaches require labeled data for correct
characterization of the threat. Yet regardless of the incentives to detect
the insider threat, the incentives to share detailed labeled data on
successful malicious insiders have proven inadequate. To address this
challenging data environment, we developed an approach that captures the
temporal evolution of user-system interactions in an unsupervised learning
framework for detecting high-risk insider behaviors. Our
method is based on the analysis of a bipartite graph of user and system
interactions. The graph mining method detects increases in potential insider
threat events following precipitating events, e.g., a limited restructuring.
We apply our method to a dataset that comprises interactions between
engineers and components in a software version control system spanning 22
years, and automatically detect statistically significant events. We find
that there is statistically significant evidence for increasing anomalies in
the committing behavior after precipitating events. Although these findings
do not constitute detection of insider threat events per se, they reinforce
the idea that insider operations can be motivated by the insiders’
environment and detected with the proposed method. We compare our results
with algorithms based on volume-dependent statistics and show that the
proposed framework outperforms those measures. This graph mining method has
potential for early detection of insider threat behavior from user-system
interactions, which could enable quicker mitigation.

Keywords: Anomaly detection, insider threat, bipartite graph, graph mining, community structure, IBM Rational ClearCase.

+ Corresponding author: Pablo Moriano

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 9, No. 1, pp. 4-29, March 2018