The Wolf of SUTD (TWOS): A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition

Athul Harilal^1,+, Flavio Toffalini^1, Ivan Homoliak^1, John Castellanos^1, Juan Guarnizo^1, Soumik Mondal^1, and Martín Ochoa^2


1Singapore University of Technology and Design, Singapore

{athul harilal, ivan homoliak, mondal soumik}@sutd.edu.sg

{flavio toffalini, john castellanos, juan guarnizo}@mymail.sutd.edu.sg


2 Department of Applied Mathematics and Computer Science, Universidad del Rosario, Bogotá, Colombia

martin.ochoa@urosario.edu.co


Abstract

 

In this paper we present open research questions and options for data analysis of our previously designed dataset, TWOS: The Wolf of SUTD. Through these research questions, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection but also extends to authorship verification and identification, continuous authentication, and sentiment analysis. To support the investigation of these research questions, we present several state-of-the-art features applicable to the collected data sources, and thus provide researchers with guidance on how to start with data analysis. The TWOS dataset was collected during a gamified competition devised to obtain realistic instances of malicious insider threat. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed two types of malicious periods that were intended to capture the behavior of two types of insiders: masqueraders and traitors. The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days. Their activities were monitored by several data collection agents, producing data from the mouse, keyboard, process and file-system monitor, network traffic, emails, and login/logout data sources. In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to the expected malicious behaviors, students explored various defensive and offensive strategies, such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. The TWOS dataset was made publicly accessible for further research purposes.
In this paper we present the TWOS dataset, which contains realistic instances of insider threats based on a gamified competition. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed sessions for two types of insider threats (masqueraders and traitors). The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days, while their activities were monitored across several heterogeneous sources (mouse, keyboard, process and file-system monitor, network traffic, emails, and login/logout). In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to the expected malicious behaviors, students explored various defensive and offensive strategies, such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. Furthermore, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which is not limited to malicious insider threat detection but also includes areas such as authorship verification and identification, continuous authentication, and sentiment analysis. We also present several state-of-the-art features that can be extracted from the different data sources in order to guide researchers in the analysis of the dataset. The TWOS dataset is publicly accessible for further research purposes.

 

Keywords: malicious insider threat, masquerader, traitor, multiplayer game, user behavior monitoring, feature extraction, authorship verification, continuous authentication, sentiment analysis.

 

+ Corresponding author: Athul Harilal, ST Electronics-SUTD Cyber Security Laboratory, 8 Somapah Road, Building 2 Level 3, S(487372), Tel: +65 6486 7033/44, Web: http://cyberlab.sutd.edu.sg/

 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 9, No. 1, pp. 54-85, March 2018