Team for Research in
Ubiquitous Secure Technology

Citation
You Chen, Bradley Malin. "Detection of anomalous insiders in collaborative environments via relational analysis of access logs". Proceedings of the first ACM conference on Data and application security and privacy, pp. 63-74, 2011.

Abstract
Collaborative information systems (CIS) are deployed within a diverse array of environments, ranging from the Internet to intelligence agencies to healthcare. It is increasingly the case that such systems are applied to manage sensitive information, making them targets for malicious insiders. While sophisticated security mechanisms have been developed to detect insider threats in various file systems, they are neither designed to model nor to monitor collaborative environments in which users function in dynamic teams with complex behavior. In this paper, we introduce a community-based anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on information recorded in the access logs of collaborative environments. CADS is based on the observation that typical users tend to form community structures, such that users with low affinity to such communities are indicative of anomalous and potentially illicit behavior. The model consists of two primary components: relational pattern extraction and anomaly detection. For relational pattern extraction, CADS infers community structures from CIS access logs, and subsequently derives communities, which serve as the CADS pattern core. CADS then uses a formal statistical model to measure the deviation of users from the inferred communities to predict which users are anomalies. To empirically evaluate the threat detection model, we perform an analysis with six months of access logs from a real electronic health record system in a large medical center, as well as a publicly available dataset for replication purposes. The results illustrate that CADS can distinguish simulated anomalous users in the context of real user behavior with a high degree of certainty and with significant performance gains in comparison to several competing anomaly detection models.

Electronic downloads

• http://dl.acm.org/citation.cfm?doid=1943513.1943524

• HTML

  You Chen, Bradley Malin. <a
  href="http://www.truststc.org/pubs/888.html"
  >Detection of anomalous insiders in collaborative
  environments via relational analysis of access
  logs</a>, Proceedings of the first ACM conference on
  Data and application security and privacy, pp. 63-74, 2011.

• Plain text

  You Chen, Bradley Malin. "Detection of anomalous
  insiders in collaborative environments via relational
  analysis of access logs". Proceedings of the first ACM
  conference on Data and application security and privacy, pp.
  63-74, 2011.

• BibTeX

  @inproceedings{ChenMalin11_DetectionOfAnomalousInsidersInCollaborativeEnvironments,
      author = {You Chen and Bradley Malin},
      title = {Detection of anomalous insiders in collaborative
                environments via relational analysis of access logs},
      booktitle = {Proceedings of the first ACM conference on Data
                and application security and privacy},
      pages = {pp. 63-74},
      year = {2011},
      abstract = {Collaborative information systems (CIS) are
                deployed within a diverse array of environments,
                ranging from the Internet to intelligence agencies
                to healthcare. It is increasingly the case that
                such systems are applied to manage sensitive
                information, making them targets for malicious
                insiders. While sophisticated security mechanisms
                have been developed to detect insider threats in
                various file systems, they are neither designed to
                model nor to monitor collaborative environments in
                which users function in dynamic teams with complex
                behavior. In this paper, we introduce a
                community-based anomaly detection system (CADS),
                an unsupervised learning framework to detect
                insider threats based on information recorded in
                the access logs of collaborative environments.
                CADS is based on the observation that typical
                users tend to form community structures, such that
                users with low affinity to such communities are
                indicative of anomalous and potentially illicit
                behavior. The model consists of two primary
                components: relational pattern extraction and
                anomaly detection. For relational pattern
                extraction, CADS infers community structures from
                CIS access logs, and subsequently derives
                communities, which serve as the CADS pattern core.
                CADS then uses a formal statistical model to
                measure the deviation of users from the inferred
                communities to predict which users are anomalies.
                To empirically evaluate the threat detection
                model, we perform an analysis with six months of
                access logs from a real electronic health record
                system in a large medical center, as well as a
                publicly available dataset for replication
                purposes. The results illustrate that CADS can
                distinguish simulated anomalous users in the
                context of real user behavior with a high degree
                of certainty and with significant performance
                gains in comparison to several competing anomaly
                detection models.},
      URL = {http://www.truststc.org/pubs/888.html}
  }
  

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.