Terminator: a data-level hybrid framework for intellectual property theft detection and prevention

Meichen Liu, Meimei Li, Degang Sun, Zhixin Shi, Bin Lv, Pengcheng Liu
Citations: 3

Abstract

Recently, high-profile data breach incidents have highlighted the importance of research on insider Intellectual Property (IP) theft. Matching the patterns of known attacks (filtering-based or rule-based) and finding deviations from normal behavior (anomaly-based) are the two typical approaches to preventing insiders from stealing sensitive information. On the one hand, filtering-based or rule-based solutions identify known attacks accurately, and so are suitable for IP theft prevention, but they cannot handle insiders with in-depth knowledge of the protective measures. On the other hand, anomaly-based solutions can find unknown attacks but typically have a high false-positive rate, which limits their applicability in practice. More and more researchers now believe that insider attack detection could be improved by combining known-attack pattern matching with anomaly detection technologies. Therefore, in this paper, we introduce a Data-level Hybrid Framework, dubbed Terminator, which enables both detection and prevention. Terminator integrates a prevention module with an anomaly detection module and uses feedback to improve the detection or prevention module. Unlike previous anomaly-based methods, which could only detect anomalous activities, Terminator detects stealing actions proactively and takes real-time action on them. The effectiveness of Terminator is demonstrated by its excellent performance on a collected dataset, involving detailed information from a real-world insider network and attack data simulated by impersonating genuine users.
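The abstract describes the two modules and the feedback between them only at the level of architecture. The following is an added example, not code from the paper, showing one way such a data-level hybrid can be wired together: a rule module that blocks known IP-theft patterns in-line, a per-user volume baseline that raises alerts on events the rules let through, and an analyst feedback step that either promotes a confirmed destination into a new rule (improving prevention) or folds a benign outlier into the baseline (reducing false positives for detection). The rule patterns, the Welford z-score baseline, the threshold of 3, the host names and the event stream are all assumptions constructed for illustration.

```python
"""Hybrid rule-plus-anomaly insider-exfiltration detector (illustrative).

This is not the paper's implementation; rules, thresholds and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import math
import re


@dataclass
class Event:
    user: str
    action: str     # "copy", "upload", "email"
    path: str       # source file path
    size_mb: float  # data volume moved by this event, in MB
    dest: str       # "usb", a host name, or an internal share


# --- Prevention module: known-pattern matching (assumed rules) --------------
SENSITIVE_PATH = re.compile(r"/(ip|src|design)/")
KNOWN_EXFIL_DEST = re.compile(r"^(usb|dropbox\.com|mega\.nz)$")


def rule_verdict(ev: Event, learned_dests: set) -> bool:
    """True when the event matches a known IP-theft pattern and must be blocked."""
    if not SENSITIVE_PATH.search(ev.path):
        return False
    return bool(KNOWN_EXFIL_DEST.match(ev.dest)) or ev.dest in learned_dests


# --- Detection module: per-user volume baseline (Welford running stats) -----
class Baseline:
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x: float) -> None:
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def zscore(self, x: float, min_events: int = 5) -> float:
        if self.n < min_events:          # warm-up: too little history to judge
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        if std == 0.0:                   # constant history: any change is an outlier
            return 0.0 if x == self.mean else float("inf")
        return (x - self.mean) / std


class HybridDetector:
    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold
        self.baselines = defaultdict(Baseline)
        self.learned_dests: set = set()  # feedback: destinations confirmed as exfil
        self.pending: dict = {}          # id(event) -> event awaiting analyst review

    def process(self, ev: Event) -> str:
        """Return "block", "alert" or "allow". Rules run first so known theft is
        stopped in-line; anomaly scoring only sees events the rules let through."""
        if rule_verdict(ev, self.learned_dests):
            return "block"
        base = self.baselines[ev.user]
        if base.zscore(ev.size_mb) > self.z_threshold:
            self.pending[id(ev)] = ev    # keep the outlier out of the baseline
            return "alert"
        base.update(ev.size_mb)          # only allowed events train the baseline
        return "allow"

    def feedback(self, ev: Event, is_theft: bool) -> None:
        """Analyst verdict on an alert. Theft: the destination becomes a prevention
        rule. Benign: the event joins the user's baseline to cut false positives."""
        self.pending.pop(id(ev), None)
        if is_theft:
            self.learned_dests.add(ev.dest)
        else:
            self.baselines[ev.user].update(ev.size_mb)


def demo() -> list:
    """Constructed event stream; returns the verdict for each event in order."""
    det = HybridDetector()
    verdicts = []
    # alice's normal day: small copies of design files to the internal share
    for mb in (1.2, 2.5, 0.8, 3.1, 1.9, 2.2, 1.4, 2.8, 1.1, 2.0):
        verdicts.append(det.process(Event("alice", "copy", "/design/a.dwg", mb, "share01")))
    # bob matches a known pattern outright: design file straight to USB
    verdicts.append(det.process(Event("bob", "copy", "/design/b.dwg", 0.5, "usb")))
    # alice bulk-uploads design data to an unknown host: no rule, but anomalous volume
    ex = Event("alice", "upload", "/design/all.zip", 500.0, "files.example.net")
    verdicts.append(det.process(ex))
    det.feedback(ex, is_theft=True)      # analyst confirms: host promoted to a rule
    # a second, small attempt to the same host is now blocked before any scoring
    verdicts.append(det.process(Event("alice", "upload", "/design/more.zip", 0.3, "files.example.net")))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the rule module runs before the anomaly module so that a known pattern is stopped regardless of volume, and an alerted event is withheld from the baseline until an analyst rules on it, otherwise a large theft would quietly raise the user's own "normal" and mask the next one.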