Role-based differentiation for insider detection algorithms
Suraj Nellikar, D. Nicol, Jai J. Choi
Insider Threats '10, published 2010-10-08. DOI: 10.1145/1866886.1866897 (https://doi.org/10.1145/1866886.1866897)
Citations: 6
Abstract
Insider threat problems are widespread in industry today, resulting in large losses of intellectual property. Reputable reports assert that attacks from within an organization are on the rise, making detection of insider-based attacks a top priority. This paper evaluates the effectiveness of using role-based differentiation of user behavior as a tool in detecting insider attack behavior. This differentiation is natural in contexts where role-based access control (RBAC) mechanisms are in place. Using synthetically generated traffic (which puts placement and intensity of insider behavior under experimental control), we train five different algorithms on "normal" behavior with and without RBAC differentiation, and measure the accuracy of detecting malicious behavior with and without RBAC as a function of insider behavior. We find that in some contexts RBAC differentiation significantly reduces detection errors. However, in our experiments two of the five algorithms had statistically significant increases in false positives under RBAC as opposed to non-RBAC. Even so, these increases are small compared to the very large gain in detection capability that RBAC brings, and we conclude that RBAC is very much worth considering as a tool for insider threat detection.