Team for Research in
Ubiquitous Secure Technology

Specializing network analysis to detect anomalous insider actions
You Chen, Steve Nyemba, Wen Zhang, Bradley Malin

Citation
You Chen, Steve Nyemba, Wen Zhang, Bradley Malin. "Specializing network analysis to detect anomalous insider actions". Security Informatics, February 2012.

Abstract
Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks in complex distributed environments. For flexibility, they provide users with broad access privileges, which, as a side-effect, leave such systems vulnerable to various attacks. Some of the more damaging malicious activities stem from internal misuse, where users are authorized to access system resources. A promising class of insider threat detection models for CIS focuses on mining access patterns from audit logs; however, current models are limited in that they assume organizations have significant resources to generate labeled cases for training classifiers, or assume the user has committed a large number of actions that deviate from "normal" behavior. In lieu of the previous assumptions, we introduce an approach that detects when specific actions of an insider deviate from expectation in the context of collaborative behavior. Specifically, in this paper, we introduce a specialized network anomaly detection model, or SNAD, to detect such events. This approach assesses the extent to which a user influences the similarity of the group of users that access a particular record in the CIS. From a theoretical perspective, we show that the proposed model is appropriate for detecting insider actions in dynamic collaborative systems. From an empirical perspective, we perform an extensive evaluation of SNAD with the access logs of two distinct environments: the patient record access logs of a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,394,385 revisors, 55,200 articles and 6,482,780 revisions). We compare our model with several competing methods and demonstrate that SNAD is significantly more effective: on average it achieves 20-30% greater area under an ROC curve.

Electronic downloads

Citation formats
  • HTML
    You Chen, Steve Nyemba, Wen Zhang, Bradley Malin. <a href="http://www.truststc.org/pubs/887.html">Specializing network analysis to detect anomalous insider actions</a>, <i>Security Informatics</i>, February 2012.
  • Plain text
    You Chen, Steve Nyemba, Wen Zhang, Bradley Malin. "Specializing network analysis to detect anomalous insider actions". Security Informatics, February 2012.
  • BibTeX
    @article{ChenNyembaZhangMalin12_SpecializingNetworkAnalysisToDetectAnomalousInsiderActions,
        author = {You Chen and Steve Nyemba and Wen Zhang and
                  Bradley Malin},
        title = {Specializing network analysis to detect anomalous
                  insider actions},
        journal = {Security Informatics},
        month = {February},
        year = {2012},
        abstract = {Collaborative information systems (CIS) enable
                  users to coordinate efficiently over shared tasks
                  in complex distributed environments. For
                  flexibility, they provide users with broad access
                  privileges, which, as a side-effect, leave such
                  systems vulnerable to various attacks. Some of the
                  more damaging malicious activities stem from
                  internal misuse, where users are authorized to
                  access system resources. A promising class of
                  insider threat detection models for CIS focuses on
                  mining access patterns from audit logs, however,
                  current models are limited in that they assume
                  organizations have significant resources to
                  generate label cases for training classifiers or
                  assume the user has committed a large number of
                  actions that deviate from "normal" behavior. In
                  lieu of the previous assumptions, we introduce an
                  approach that detects when specific actions of an
                  insider deviate from expectation in the context of
                  collaborative behavior. Specifically, in this
                  paper, we introduce a specialized network anomaly
                  detection model, or SNAD, to detect such events.
                  This approach assesses the extent to which a user
                  influences the similarity of the group of users
                  that access a particular record in the CIS. From a
                  theoretical perspective, we show that the proposed
                  model is appropriate for detecting insider actions
                  in dynamic collaborative systems. From an
                  empirical perspective, we perform an extensive
                  evaluation of SNAD with the access logs of two
                  distinct environments: the patient record access
                  logs of a large electronic health record system
                  (6,015 users, 130,457 patients and 1,327,500
                  accesses) and the editing logs of Wikipedia
                  (2,394,385 revisors, 55,200 articles and 6,482,780
                  revisions). We compare our model with several
                  competing methods and demonstrate SNAD is
                  significantly more effective: on average it
                  achieves 20-30% greater area under an ROC curve.},
        URL = {http://www.truststc.org/pubs/887.html}
    }

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.