Abstract

This paper investigates anomaly detection techniques that have been successful for detecting external threats and applies them to the insider threat problem. The "insider threat" involves the actions of a trusted and privileged user who is inappropriately accessing or disseminating sensitive information or otherwise compromising information systems. In contrast, the "external threat" involves the actions of an outsider attempting to compromise or gain access to the information systems. Although approaches for automatically detecting external threat instances have been quite successful (i.e., intrusion detection systems), there is very little similar work for the insider threat. In the past, anomaly detection systems have proven useful for detecting external threats. Anomaly detection at the system call level offers a high degree of information assurance in terms of tamper-resistance and system activity coverage. Therefore, we investigate three system-call-based feature representations: n-grams of system call names, histograms of system call names, and individual system calls with associated parameters. We find that none of these representations consistently performs as well when dealing with the insider threat as previous results show for external threat detection. However, parameter-based features for certain system calls do show some sensitivity to detecting the insider threat, and we plan to explore and enhance this sensitivity in future work.
