Team for Research in
Ubiquitous Secure Technology

Detection of anomalous insiders in collaborative environments via relational analysis of access logs
You Chen, Bradley Malin

Citation
You Chen, Bradley Malin. "Detection of anomalous insiders in collaborative environments via relational analysis of access logs". Proceedings of the first ACM conference on Data and application security and privacy, pp. 63-74, 2011.

Abstract
Collaborative information systems (CIS) are deployed within a diverse array of environments, ranging from the Internet to intelligence agencies to healthcare. It is increasingly the case that such systems are applied to manage sensitive information, making them targets for malicious insiders. While sophisticated security mechanisms have been developed to detect insider threats in various file systems, they are neither designed to model nor to monitor collaborative environments in which users function in dynamic teams with complex behavior. In this paper, we introduce a community-based anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on information recorded in the access logs of collaborative environments. CADS is based on the observation that typical users tend to form community structures, such that users with low affinity to such communities are indicative of anomalous and potentially illicit behavior. The model consists of two primary components: relational pattern extraction and anomaly detection. For relational pattern extraction, CADS infers community structures from CIS access logs, and subsequently derives communities, which serve as the CADS pattern core. CADS then uses a formal statistical model to measure the deviation of users from the inferred communities to predict which users are anomalies. To empirically evaluate the threat detection model, we perform an analysis with six months of access logs from a real electronic health record system in a large medical center, as well as a publicly available dataset for replication purposes. The results illustrate that CADS can distinguish simulated anomalous users in the context of real user behavior with a high degree of certainty and with significant performance gains in comparison to several competing anomaly detection models.
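To make the two-stage idea in the abstract concrete, the following added example (written for this page, not code from the paper or the authors) scores users by their affinity to the rest of the user population. It stands in for the paper's relational pattern extraction and statistical deviation model with deliberately simple substitutes: the access log is reduced to a user-to-subject access set, affinity between two users is the cosine similarity of their binary access vectors, a user's anomaly score is one minus the mean similarity to their k most similar peers, and a z-score threshold flags outliers. The log lines, user names, and subject identifiers are constructed for the illustration.

```python
"""Toy community-affinity anomaly scorer over constructed access-log lines.

Added illustration only; the actual CADS pattern extraction and deviation
model are described in the paper, not reproduced here.  Assumptions: each log
line is "user,subject", affinity is cosine similarity of access sets, and the
anomaly score is 1 - mean similarity to the k nearest peers.
"""
from collections import defaultdict
from math import sqrt
from statistics import mean, pstdev

# Constructed sample log (user, record accessed).  Two natural teams appear:
# {alice, bob, carol} share records p1..p4 and {dave, erin, frank} share
# p7..p10.  "mallory" touches one record from each team plus records nobody
# else reads, so they have low affinity to every community.
SAMPLE_LOG = """\
alice,p1
alice,p2
alice,p3
bob,p1
bob,p2
bob,p4
carol,p2
carol,p3
carol,p4
dave,p7
dave,p8
dave,p9
erin,p7
erin,p8
erin,p10
frank,p7
frank,p9
frank,p10
mallory,p1
mallory,p5
mallory,p7
mallory,p11
"""


def parse_log(text):
    """Map each user to the set of subjects they accessed (relation extraction)."""
    access = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, subject = line.split(",", 1)
        access[user.strip()].add(subject.strip())
    return dict(access)


def cosine(a, b):
    """Cosine similarity of two binary access vectors given as sets."""
    if not a or not b:
        return 0.0
    return len(a & b) / sqrt(len(a) * len(b))


def affinity_scores(access, k=2):
    """Anomaly score per user: 1 - mean similarity to the k most similar others.

    A user with no peers at all gets the maximum score of 1.0; k is clipped to
    the number of other users so small populations do not raise an error.
    """
    scores = {}
    users = list(access)
    for u in users:
        sims = sorted((cosine(access[u], access[v]) for v in users if v != u),
                      reverse=True)
        if not sims:
            scores[u] = 1.0
            continue
        top = sims[:k]
        scores[u] = 1.0 - sum(top) / len(top)
    return scores


def flag_anomalies(scores, z=2.0):
    """Users whose score lies more than z standard deviations above the mean."""
    vals = list(scores.values())
    if len(vals) < 2:
        return []
    mu, sigma = mean(vals), pstdev(vals)
    return sorted(u for u, s in scores.items() if s > mu + z * sigma)


if __name__ == "__main__":
    scores = affinity_scores(parse_log(SAMPLE_LOG))
    for user, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{user:8s} {score:.3f}")
    print("flagged:", flag_anomalies(scores))
```

The score is intentionally relative rather than absolute: a user is only suspicious with respect to the communities the other users form, which is the property the abstract attributes to CADS. In practice k, the similarity measure, and the threshold would be tuned against the kind of simulated-insider evaluation the paper describes, since a team member who legitimately spans two groups will also score above their peers.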

Citation formats  
  • HTML
    You Chen, Bradley Malin. <a href="http://www.truststc.org/pubs/888.html">Detection of anomalous insiders in collaborative environments via relational analysis of access logs</a>, Proceedings of the first ACM conference on Data and application security and privacy, pp. 63-74, 2011.
  • Plain text
    You Chen, Bradley Malin. "Detection of anomalous
    insiders in collaborative environments via relational
    analysis of access logs". Proceedings of the first ACM
    conference on Data and application security and privacy, pp.
    63-74, 2011.
  • BibTeX
    @inproceedings{ChenMalin11_DetectionOfAnomalousInsidersInCollaborativeEnvironments,
        author = {You Chen and Bradley Malin},
        title = {Detection of anomalous insiders in collaborative
                  environments via relational analysis of access logs},
        booktitle = {Proceedings of the first ACM conference on Data
                  and application security and privacy},
        pages = {63--74},
        year = {2011},
        URL = {http://www.truststc.org/pubs/888.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.