Abstract

Insiders are often legitimate users who are authorized to access systems and data. If they misuse their privileges, they pose a great threat to system security. In practice, fraud patterns cannot be known in advance, and most malicious behaviors comply with the security rules; it is therefore difficult to predefine regulations that prevent every kind of fraud. In this paper, we propose a data-driven evaluation model to detect malicious insiders, which audits user behaviors from both parallel and incremental aspects. Users are grouped according to their positions and responsibilities, and a normal pattern is learned for each group. For each user, a routine behavior pattern is also learned for historical assessment. Users are then evaluated against both the group patterns and their routine patterns by probabilistic methods, and the degree of deviation is taken as evidence of an anomaly. We also identify the abnormal activities that most often cause a user's behavior to deviate, which can help an administrator revisit security policies or update activity weights in the assessment. Finally, experiments are performed on several real datasets.

Highlights

  • A malicious insider refers to an employee, a contractor or a business partner who has or had authorized access to an organization's information system and intentionally exceeds or misuses his/her privileges in a manner that negatively affects the confidentiality, integrity or availability of an information system [1]

  • An auditor can justify the sensitive tasks for anomaly audit, and a behavior vector is created against the sensitive tasks for each user

  • We have proposed a set of metrics to evaluate a user's behavior from several aspects, such as the parallel overall metric, the parallel local metric and the historical metric, which should be taken into account together so as to find those users who deviate much from several normal patterns
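As an added illustration (not code from the paper), the following Python sketches the evaluation the abstract and highlights describe: behavior vectors over auditor-chosen sensitive tasks, a group pattern learned from peers in the same role, a routine pattern learned from each user's own history, and standardised deviations that yield the parallel overall, parallel local and historical metrics. The Gaussian-style per-task model, the sigma floor, the task names and all sample data are assumptions made for the example.

```python
import math
from statistics import mean, pstdev

# Sensitive tasks chosen by the auditor; a behavior vector counts how often
# a user performed each task within one audit window.
TASKS = ["export_report", "modify_payroll", "bulk_download"]

# Constructed sample (not from the paper): one role group of three peers,
# three past windows per user, then the window under evaluation.
HISTORY = {
    "alice":   [[5, 1, 0], [5, 1, 0], [5, 1, 0]],
    "bob":     [[4, 2, 1], [4, 2, 1], [4, 2, 1]],
    "mallory": [[6, 0, 0], [6, 0, 0], [6, 0, 0]],
}
CURRENT = {"alice": [5, 1, 0], "bob": [4, 2, 1], "mallory": [6, 0, 20]}

SIGMA_FLOOR = 1.0  # assumed: avoids division by zero on perfectly regular tasks


def learn_pattern(vectors):
    """Per-task (mean, spread). A Gaussian-style model is our assumed stand-in
    for the paper's unspecified 'probabilistic methods'."""
    return [(mean(col), max(pstdev(col), SIGMA_FLOOR)) for col in zip(*vectors)]


def deviation(vector, pattern):
    """Standardised deviation per task: spreads away from the pattern."""
    return [(x - mu) / sigma for x, (mu, sigma) in zip(vector, pattern)]


def overall_metric(z):
    """Overall deviation of a whole behavior vector (Euclidean norm)."""
    return math.sqrt(sum(d * d for d in z))


def local_metric(z):
    """The single task that contributes most to the deviation."""
    return TASKS[max(range(len(z)), key=lambda i: abs(z[i]))]


def evaluate(user):
    """Parallel metrics against the group pattern (peers in the same role)
    and historical metrics against the user's own routine pattern."""
    group = learn_pattern([v for hist in HISTORY.values() for v in hist])
    routine = learn_pattern(HISTORY[user])
    g, r = deviation(CURRENT[user], group), deviation(CURRENT[user], routine)
    return {"group_overall": overall_metric(g), "group_local": local_metric(g),
            "routine_overall": overall_metric(r), "routine_local": local_metric(r)}


def flag_users(threshold):
    """Users deviating beyond the threshold from either normal pattern."""
    return sorted(u for u in CURRENT if max(evaluate(u)["group_overall"],
                                            evaluate(u)["routine_overall"]) > threshold)
```

Running `flag_users(3.0)` on the constructed data flags only `mallory`, whose `bulk_download` count explains the deviation under both patterns, while `alice` and `bob` stay within their group and routine patterns.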


Summary

Introduction

A malicious insider refers to an employee, a contractor or a business partner who has or had authorized access to an organization's information system and intentionally exceeds or misuses his/her privileges in a manner that negatively affects the confidentiality, integrity or availability of an information system [1]. It may involve fraud, theft of commercial secrets or intellectual property, sabotage of information and systems, etc. According to the Computer Crime and Security Survey sponsored by CSI and the FBI, 87.1 % of respondents, which include major organizations in the USA, said that 20 % of their losses should be attributed to malicious insiders [4].

