Inside the Insider Threat Minitrack
The insider problem is one of the most important problems in computer security, and indeed in all aspects of real-world security. Insiders have compromised many key societal systems and processes in domains such as government, finance, and even science. Many reports of insider attacks describe people trusted with access to sensitive information abusing that access to damage that information, compromise the privacy of that information, and collaborate with others (sometimes other insiders) to cause various kinds of failures, losses and serious harm. Indeed, the insider problem is also pernicious in the non-computer world; as the ancient Roman satirist Juvenal said, "Who will guard the guards themselves?"
Any approach therefore must have not only a technical aspect but also a non-technical (social, political, legal, cultural, and so forth) one. Insider attacks may be accidental, or may arise from conflicting policies that confuse the putative attacker. These unintentional insider attacks are as dangerous as deliberate insider attacks, but must be handled differently because no malice is involved. Understanding how to cope effectively with unintentional insider attacks is also a complex, difficult problem.
Analyzing and detecting insider threats involve both technical and non-technical approaches across many different disciplines, including human-oriented ones. This minitrack solicits papers emphasizing this cross-cutting work as well as papers that present case studies and experiences in coping with insider attacks or preventing them.
Minitrack topics include, but are not limited to:
- Approaches to detecting, preventing, and ameliorating insider threats
- Analyzing the effect of (potential or actual) insider attacks
- Data on the scope and effect of insider threats and/or attacks
- Minimizing the cost of preventative measures
- Examining the causes of insider attacks
- Multi-disciplinary approaches to the insider problem
- Measuring the effectiveness of remediation technologies and methodologies
- Insider threats and social media
- Case studies of insider threats and attacks, including unintentional attacks
- Human factors and the insider problem
Matt Bishop (Primary Contact)
University of California at Davis
University of Alaska Fairbanks
Jason W. Clark
Software Engineering Institute, Carnegie Mellon University
Insider Threats in Emerging Mobility-as-a-Service Scenarios (2017-01-04)
Mobility as a Service (MaaS) applies the everything-as-a-service paradigm of Cloud Computing to transportation: a MaaS provider offers to its users the dynamic composition of solutions of different travel agencies into a single, consistent interface. Traditionally, transits and data on mobility belong to a scattered plethora of operators. Thus, we argue that the economic model of MaaS is that of federations of providers, each trading its resources to coordinate multi-modal solutions for mobility. Such flexibility comes with many security and privacy concerns, of which insider threat is one of the most prominent. In this paper, we follow a tiered structure, from individual operators to markets of federated MaaS providers, to classify the potential threats of each tier and propose the appropriate countermeasures, in an effort to mitigate the problems.
Insider Threat Detection in PRODIGAL (2017-01-04)
This paper reports on insider threat detection research, during which a prototype system (PRODIGAL) was developed and operated as a testbed for exploring a range of detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection of insider threat leads are presented to document this work and benefit others working in the insider threat domain.

We also discuss a core set of experiments evaluating the prototype's ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances embedded in real data with no prior knowledge of what scenarios are present or when they occur.

We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity augmented with independently developed and unknown but realistic insider threat scenarios, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of prior knowledge encoded in detectors designed for specific activity patterns.

Finally, the paper describes the architecture of the prototype system and the environment in which we conducted these experiments, which is in the process of being transitioned to operational users.
Graph Based Framework for Malicious Insider Threat Detection (2017-01-04)
While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches to combat this severe cyber security threat. Our framework analyzes heterogeneous data to isolate possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.
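The two abstracts above describe the same general idea from different angles: PRODIGAL ranks insider-threat leads by combining several unsupervised detectors into an ensemble, and the graph-based framework isolates suspicious users by analyzing heterogeneous activity data as a graph. The following is an added example written for this listing to show how such an ensemble can be assembled; it is not code from PRODIGAL, from either paper, or from this minitrack. The activity log, user and department names, detector features (night logins, USB copies, share access) and the rank-averaging rule are all constructed assumptions for illustration.

```python
"""Ensemble of unsupervised insider-threat detectors over a constructed activity log.

Added illustration only (not PRODIGAL or the graph-based framework). Every event,
user, department and threshold below is constructed for the example.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed log: (user, department, hour_of_day, action, target)
EVENTS = [
    ("alice", "eng", 9, "login", "ws-01"), ("alice", "eng", 10, "share", "eng-src"),
    ("alice", "eng", 14, "usb_copy", "notes.txt"),
    ("bob", "eng", 10, "login", "ws-02"), ("bob", "eng", 11, "share", "eng-src"),
    ("bob", "eng", 15, "share", "eng-docs"),
    ("carol", "eng", 9, "login", "ws-03"), ("carol", "eng", 11, "share", "eng-docs"),
    ("dave", "fin", 9, "login", "ws-10"), ("dave", "fin", 10, "share", "fin-ledger"),
    ("erin", "fin", 8, "login", "ws-11"), ("erin", "fin", 12, "share", "fin-ledger"),
    ("erin", "fin", 13, "usb_copy", "q3.xlsx"),
    # mallory (constructed scenario): an engineer logging in at night, reading
    # finance and HR shares no engineering peer touches, and bulk-copying to USB
    ("mallory", "eng", 2, "login", "ws-04"), ("mallory", "eng", 3, "login", "ws-05"),
    ("mallory", "eng", 3, "share", "fin-ledger"), ("mallory", "eng", 4, "share", "hr-salaries"),
    ("mallory", "eng", 4, "usb_copy", "ledger.csv"), ("mallory", "eng", 4, "usb_copy", "salaries.csv"),
    ("mallory", "eng", 5, "usb_copy", "src.tar"),
]


def build_profiles(events):
    """Aggregate raw events into per-user counts plus the set of shares touched."""
    prof = defaultdict(lambda: {"dept": None, "night_logins": 0, "usb_copies": 0, "shares": set()})
    for user, dept, hour, action, target in events:
        p = prof[user]
        p["dept"] = dept
        if action == "login" and (hour < 6 or hour >= 22):   # assumed "night" window
            p["night_logins"] += 1
        elif action == "usb_copy":
            p["usb_copies"] += 1
        elif action == "share":
            p["shares"].add(target)
    return dict(prof)


def zscore_detector(profiles, feature):
    """Population-wide detector: standard deviations above the mean of everyone."""
    vals = {u: p[feature] for u, p in profiles.items()}
    mu, sd = mean(vals.values()), pstdev(vals.values())
    return {u: 0.0 if sd == 0 else (v - mu) / sd for u, v in vals.items()}


def peer_group_detector(profiles, feature):
    """Peer-group detector: excess over the median of the user's own department."""
    by_dept = defaultdict(list)
    for p in profiles.values():
        by_dept[p["dept"]].append(p[feature])
    med = {d: median(v) for d, v in by_dept.items()}
    return {u: max(0.0, p[feature] - med[p["dept"]]) for u, p in profiles.items()}


def graph_detector(profiles):
    """Bipartite user/share graph: fraction of a user's shares that no department peer touches."""
    share_users = defaultdict(set)
    for u, p in profiles.items():
        for s in p["shares"]:
            share_users[s].add(u)
    scores = {}
    for u, p in profiles.items():
        lonely = sum(
            1 for s in p["shares"]
            if not any(v != u and profiles[v]["dept"] == p["dept"] for v in share_users[s])
        )
        scores[u] = lonely / len(p["shares"]) if p["shares"] else 0.0
    return scores


def rank_scores(scores):
    """Raw scores to ranks (1 = most anomalous); tied scores share the better rank."""
    ordered = sorted(scores.values(), reverse=True)
    return {u: ordered.index(s) + 1 for u, s in scores.items()}


def ensemble(detectors):
    """Rank averaging: each detector votes with its ranking, lower mean rank = stronger lead."""
    ranks = [rank_scores(d) for d in detectors]
    return {u: mean(r[u] for r in ranks) for u in ranks[0]}


def top_leads(events, k=3):
    """Run all detectors over the log and return the k strongest leads (ties broken by name)."""
    profiles = build_profiles(events)
    detectors = [
        zscore_detector(profiles, "night_logins"),
        zscore_detector(profiles, "usb_copies"),
        peer_group_detector(profiles, "usb_copies"),
        graph_detector(profiles),
    ]
    agg = ensemble(detectors)
    return sorted(agg, key=lambda u: (agg[u], u))[:k]


if __name__ == "__main__":
    print(top_leads(EVENTS))
```

Rank averaging is used here because the individual detectors produce scores on incomparable scales (z-scores, raw count differences, fractions); converting to ranks lets a lead that is moderately anomalous under several detectors outrank one that is extreme under only one. The graph detector is the piece that would catch a user whose volume looks ordinary but whose access pattern does not match any peer, which is the kind of "hiding behind others" behaviour the graph-based abstract targets.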
Introduction to Inside the Insider Threat Minitrack (2017-01-04)