Uncovering insider threats from the digital footprints of individuals
Author: | Shimei Pan, Ching-Yung Lin, Danny Soroker, Yinglong Xia, Jui-Hsin Lai, Justin D. Weisz, Julie MacNaught, Anni R. Coden, Wan-Yi Lin, Keith Houck, Jie Lu, Jeff Boston, Michael A. Tanenblatt, Steve Wood |
---|---|
Year of publication: | 2016 |
Subject: | 020203 distributed computing; Copying; General Computer Science; Workstation; Computer science; business.industry; Bayesian network; 02 engineering and technology; Computer security; computer.software_genre; Insider; law.invention; Analytics; law; Scalability; 0202 electrical engineering, electronic engineering, information engineering; Digital footprint; 020201 artificial intelligence & image processing; Anomaly detection; business; computer |
Source: | IBM Journal of Research and Development. 60:8:1-8:11 |
ISSN: | 0018-8646 |
DOI: | 10.1147/jrd.2016.2568538 |
Description: | We present a system to detect anomalous and ultimately malevolent behavior of people from their digital footprint within an institution. Tripwire approaches based on single features cannot adequately distinguish between normal but unpredictable activities and truly counterproductive behavior. For example, a sequence of copying and sending small amounts of data can easily elude a pure single-feature tripwire approach. Here, we combine semantic knowledge with data mining methods. Our system uses a multi-layer architecture in which many aspects of a person's behavior are quantified and then fused using a large-scale anomaly detection Markovian Bayesian network. Evaluation results are based on data collected from the workstation activities of 5,500 people, assumed to be non-malicious, inside a corporation. An outside team augmented this data so that some of the 5,500 individuals (the perpetrators) acted in a malicious fashion. Our system represents the 5,500 people as a ranked list, with the people most likely to act maliciously at the top. It ranks the perpetrators within the top 2% of the list, while a purely statistical method ranks them within the top 25%. Our scalable infrastructure allows plug-and-play of different analytics and maintains provenance of results. |
Database: | OpenAIRE |
External link: | |