Insider Threat Detection Using Graph-Based Approaches

Abstract

Protecting our nation's cyber infrastructure and securing sensitive information are critical challenges for homeland security and require the research, development and deployment of new technologies that can be transitioned into the field for combating cyber security risks. Particular areas of concern are the deliberate and intended actions associated with malicious exploitation, theft or destruction of data, or the compromise of networks, communications or other IT resources, of which the most harmful and difficult to detect threats are those propagated by an insider. However, current efforts to identify unauthorized access to information, such as what is found in document control and management systems, are limited in scope and capabilities. In order to address this issue, this effort involves performing further research and development on the existing graph-based anomaly detection (GBAD) system. GBAD discovers anomalous instances of structural patterns in data that represent entities, relationships and actions. Input to GBAD is a labeled graph in which entities are represented by labeled vertices and relationships or actions are represented by labeled edges between entities. Using the minimum description length (MDL) principle to identify the normative pattern that minimizes the number of bits needed to describe the input graph after being compressed by the pattern, GBAD implements algorithms for identifying the three possible changes to a graph: modifications, insertions and deletions. Each algorithm discovers those substructures that match the closest to the normative pattern without matching exactly.