RT Journal Article
JF 2013 IEEE Security and Privacy Workshops
YR 2013
VO 00
SP 45
TI Multi-Domain Information Fusion for Insider Threat Detection
A1 Hoda Eldardiry,
A1 Evgeniy Bart,
A1 Juan Liu,
A1 John Hanley,
A1 Bob Price,
A1 Oliver Brdiczka,
K1 information fusion
K1 Insider threat detection
K1 anomaly detection
AB Malicious insiders pose significant threats to information security, and yet the capability of detecting malicious insiders is very limited. Insider threat detection is known to be a difficult problem, presenting many research challenges. In this paper we report our effort on detecting malicious insiders from large amounts of work practice data. We propose novel approaches to detect two types of insider activities: (1) blend-in anomalies, where malicious insiders try to behave similar to a group they do not belong to, and (2) unusual change anomalies, where malicious insiders exhibit changes in their behavior that are dissimilar to their peers' behavioral changes. Our first contribution focuses on detecting blend-in malicious insiders. We propose a novel approach by examining various activity domains, and detecting behavioral inconsistencies across these domains. Our second contribution is a method for detecting insiders with unusual changes in behavior. The key strength of this proposed approach is that it avoids flagging common changes that can be mistakenly detected by typical temporal anomaly detection mechanisms. Our third contribution is a method that combines anomaly indicators from multiple sources of information.
PB IEEE Computer Society, [URL:http://www.computer.org]
LA English
DO 10.1109/SPW.2013.14
LK http://doi.ieeecomputersociety.org/10.1109/SPW.2013.14