Team for Research in Ubiquitous Secure Technology

Detecting Anomalous Insiders in Collaborative Information Systems
Yu Chen, Steve Nyemba, Bradley Malin

Citation
Yu Chen, Steve Nyemba, Bradley Malin. "Detecting Anomalous Insiders in Collaborative Information Systems". IEEE Transactions on Dependable and Secure Computing, 9(3):332-344, May 2012.

Abstract
Collaborative information systems (CISs) are deployed within a diverse array of environments that manage sensitive information. Current security mechanisms detect insider threats, but they are ill-suited to monitor systems in which users function in dynamic teams. In this paper, we introduce the community anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on the access logs of collaborative environments. The framework is based on the observation that typical CIS users tend to form community structures based on the subjects accessed (e.g., patients' records viewed by healthcare providers). CADS consists of two components: 1) relational pattern extraction, which derives community structures and 2) anomaly prediction, which leverages a statistical model to determine when users have sufficiently deviated from communities. We further extend CADS into MetaCADS to account for the semantics of subjects (e.g., patients' diagnoses). To empirically evaluate the framework, we perform an assessment with three months of access logs from a real electronic health record (EHR) system in a large medical center. The results illustrate our models exhibit significant performance gains over state-of-the-art competitors. When the number of illicit users is low, MetaCADS is the best model, but as the number grows, commonly accessed semantics lead to hiding in a crowd, such that CADS is more prudent.
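The abstract describes the two ideas behind CADS and MetaCADS only at a high level: users form communities through the subjects they access, a user is flagged when it deviates too far from its community, and lifting subjects to their semantics (MetaCADS) helps when illicit users are few but lets them hide in a crowd when they are many. The following is an added, constructed illustration of those ideas, not the authors' code and not the paper's statistical model: a nearest-peer Jaccard similarity over access profiles stands in for community structure, the deviation from the k closest peers is the anomaly score, and the access log, the user names and the subject-to-category mapping are all made up for the example.

```python
"""Constructed illustration of community-deviation insider detection.

Not the CADS/MetaCADS implementation: users are profiled by the subjects they
accessed, similarity to the k nearest peers stands in for community membership,
and a user's anomaly score is its deviation from those peers. Log lines, user
names and subject categories below are constructed, not real EHR data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed access log, one "timestamp,user,subject" record per line.
# Two legitimate teams (cardiology: nurse_a, nurse_b, doc_a; oncology:
# nurse_c, doc_b, nurse_d) plus three clerks whose accesses straddle teams.
ACCESS_LOG = """\
2012-01-03T08:01,nurse_a,patient_01
2012-01-03T08:02,nurse_a,patient_02
2012-01-03T08:05,nurse_a,patient_03
2012-01-03T08:10,nurse_b,patient_02
2012-01-03T08:11,nurse_b,patient_03
2012-01-03T08:12,nurse_b,patient_04
2012-01-03T09:00,doc_a,patient_01
2012-01-03T09:01,doc_a,patient_02
2012-01-03T09:02,doc_a,patient_03
2012-01-03T09:03,doc_a,patient_04
2012-01-03T09:30,nurse_c,patient_05
2012-01-03T09:31,nurse_c,patient_06
2012-01-03T09:32,nurse_c,patient_07
2012-01-03T10:00,doc_b,patient_06
2012-01-03T10:01,doc_b,patient_07
2012-01-03T10:02,doc_b,patient_08
2012-01-03T10:10,nurse_d,patient_05
2012-01-03T10:11,nurse_d,patient_07
2012-01-03T10:12,nurse_d,patient_08
2012-01-03T12:00,clerk_x,patient_01
2012-01-03T12:01,clerk_x,patient_05
2012-01-03T12:02,clerk_x,patient_09
2012-01-03T12:30,clerk_y,patient_02
2012-01-03T12:31,clerk_y,patient_06
2012-01-03T12:32,clerk_y,patient_10
2012-01-03T13:00,clerk_z,patient_03
2012-01-03T13:01,clerk_z,patient_08
2012-01-03T13:02,clerk_z,patient_11
"""

# Constructed subject semantics, a stand-in for the paper's patient diagnoses.
SUBJECT_META = {f"patient_{i:02d}": "cardiology" for i in (1, 2, 3, 4, 9, 11)}
SUBJECT_META.update({f"patient_{i:02d}": "oncology" for i in (5, 6, 7, 8, 10)})


def parse_log(text):
    """Relational pattern extraction, simplified: user -> set of subjects accessed."""
    profiles = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, subject = line.split(",")
        profiles[user].add(subject)
    return dict(profiles)


def semantic_profiles(profiles, meta):
    """MetaCADS-style lifting: replace each subject by its category."""
    return {user: {meta[s] for s in subjects} for user, subjects in profiles.items()}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def deviation_scores(profiles, k=2):
    """Anomaly score = 1 - mean similarity to the k most similar other users.

    A user embedded in a community has near-identical peers and scores close
    to 0; a user whose access set resembles nobody's scores close to 1.
    """
    users = sorted(profiles)
    sim = {u: {} for u in users}
    for u, v in combinations(users, 2):
        s = jaccard(profiles[u], profiles[v])
        sim[u][v] = sim[v][u] = s
    scores = {}
    for u in users:
        nearest = sorted(sim[u].values(), reverse=True)[:k]
        scores[u] = 1.0 - sum(nearest) / len(nearest) if nearest else 1.0
    return scores


def rank_users(scores):
    """Most anomalous first; ties broken by name for a stable report."""
    return sorted(scores, key=lambda u: (-scores[u], u))


if __name__ == "__main__":
    profiles = parse_log(ACCESS_LOG)
    for label, prof in (("subject level", profiles),
                        ("semantic level", semantic_profiles(profiles, SUBJECT_META))):
        scores = deviation_scores(prof)
        print(label, [(u, round(scores[u], 3)) for u in rank_users(scores)])
```

At the subject level the three clerks score far above the two teams, because no other user shares more than one patient with them. Lifted to categories, every clerk's access set becomes {cardiology, oncology}, so the three clerks are each other's nearest peers and score the same as legitimate staff: the hiding-in-a-crowd effect the abstract describes. Drop two of the clerks from the log and the remaining one is again the top-ranked user at the semantic level, matching the abstract's claim that the semantic variant does best when illicit users are few.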

Citation formats
  • HTML
    Yu Chen, Steve Nyemba, Bradley Malin. <a href="http://www.truststc.org/pubs/886.html">Detecting Anomalous Insiders in Collaborative Information Systems</a>, <i>IEEE Transactions on Dependable and Secure Computing</i>, 9(3):332-344, May 2012.
  • Plain text
    Yu Chen, Steve Nyemba, Bradley Malin. "Detecting Anomalous Insiders in Collaborative Information Systems". IEEE Transactions on Dependable and Secure Computing, 9(3):332-344, May 2012.
  • BibTeX
    @article{ChenNyembaMalin12_DetectingAnomalousInsidersInCollaborativeInformation,
        author = {Yu Chen and Steve Nyemba and Bradley Malin},
        title = {Detecting Anomalous Insiders in Collaborative
                  Information Systems},
        journal = {IEEE Transactions on Dependable and Secure
                  Computing},
        volume = {9},
        number = {3},
        pages = {332--344},
        month = {May},
        year = {2012},
        abstract = {Collaborative information systems (CISs) are
                  deployed within a diverse array of environments
                  that manage sensitive information. Current
                  security mechanisms detect insider threats, but
                  they are ill-suited to monitor systems in which
                  users function in dynamic teams. In this paper, we
                  introduce the community anomaly detection system
                  (CADS), an unsupervised learning framework to
                  detect insider threats based on the access logs of
                  collaborative environments. The framework is based
                  on the observation that typical CIS users tend to
                  form community structures based on the subjects
                  accessed (e.g., patients' records viewed by
                  healthcare providers). CADS consists of two
                  components: 1) relational pattern extraction,
                  which derives community structures and 2) anomaly
                  prediction, which leverages a statistical model to
                  determine when users have sufficiently deviated
                  from communities. We further extend CADS into
                  MetaCADS to account for the semantics of subjects
                  (e.g., patients' diagnoses). To empirically
                  evaluate the framework, we perform an assessment
                  with three months of access logs from a real
                  electronic health record (EHR) system in a large
                  medical center. The results illustrate our models
                  exhibit significant performance gains over
                  state-of-the-art competitors. When the number of
                  illicit users is low, MetaCADS is the best model,
                  but as the number grows, commonly accessed
                  semantics lead to hiding in a crowd, such that
                  CADS is more prudent.},
        URL = {http://www.truststc.org/pubs/886.html}
    }

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.