Abstract

Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks in complex distributed environments. For flexibility, they provide users with broad access privileges, which, as a side-effect, leave such systems vulnerable to various attacks. Some of the more damaging malicious activities stem from internal misuse, where users are authorized to access system resources. A promising class of insider threat detection models for CIS focuses on mining access patterns from audit logs; however, current models are limited in that they assume organizations have significant resources to generate labeled cases for training classifiers, or assume the user has committed a large number of actions that deviate from "normal" behavior. In lieu of the previous assumptions, we introduce an approach that detects when specific actions of an insider deviate from expectation in the context of collaborative behavior. Specifically, in this paper, we introduce a specialized network anomaly detection model, or SNAD, to detect such events. This approach assesses the extent to which a user influences the similarity of the group of users that access a particular record in the CIS. From a theoretical perspective, we show that the proposed model is appropriate for detecting insider actions in dynamic collaborative systems. From an empirical perspective, we perform an extensive evaluation of SNAD with the access logs of two distinct environments: the patient record access logs of a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,394,385 revisors, 55,200 articles and 6,482,780 revisions). We compare our model with several competing methods and demonstrate SNAD is significantly more effective: on average it achieves 20-30% greater area under an ROC curve.
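The group-influence idea sketched in the abstract, as an added Python example that is not the paper's code. The abstract does not fix the measures, so the example assumes that user similarity is the cosine similarity of the sets of records each user accessed, that a group's similarity is the mean pairwise similarity of the users who accessed a record, and that an access's deviation score is how much more cohesive that group becomes when the user is left out; the access log is constructed.

```python
from collections import defaultdict
from itertools import combinations

# Constructed access log of (user, record) pairs, not real data. Team u1-u4
# share patients p1-p4, team u5-u6 share p5-p6, and u9 normally works on
# p7-p9 but makes one access to p2 outside its usual collaborators.
ACCESS_LOG = [
    ("u1", "p1"), ("u1", "p2"), ("u1", "p3"), ("u1", "p4"),
    ("u2", "p1"), ("u2", "p2"), ("u2", "p3"), ("u2", "p4"),
    ("u3", "p1"), ("u3", "p2"), ("u3", "p3"), ("u3", "p4"),
    ("u4", "p2"), ("u4", "p3"), ("u4", "p4"),
    ("u5", "p5"), ("u5", "p6"), ("u6", "p5"), ("u6", "p6"),
    ("u9", "p7"), ("u9", "p8"), ("u9", "p9"), ("u9", "p2"),
]

def build_index(log):
    """Map each user to the records it accessed and each record to its accessors."""
    users, records = defaultdict(set), defaultdict(set)
    for user, record in log:
        users[user].add(record)
        records[record].add(user)
    return users, records

def cosine(a, b):
    """Assumed user-similarity measure: cosine similarity of two access sets."""
    if not a or not b:
        return 0.0
    return len(a & b) / (len(a) * len(b)) ** 0.5

def group_similarity(group, users):
    """Assumed group measure: mean pairwise similarity of the accessors."""
    pairs = list(combinations(sorted(group), 2))
    if not pairs:
        return 0.0
    return sum(cosine(users[x], users[y]) for x, y in pairs) / len(pairs)

def deviation_score(user, record, users, records):
    """How much more cohesive the record's accessors are without `user`.
    Positive means the access deviates; groups smaller than three score 0."""
    group = records[record]
    if user not in group or len(group) < 3:
        return 0.0
    return group_similarity(group - {user}, users) - group_similarity(group, users)

def rank_accesses(log):
    """Score every access and return them most-deviant first for review."""
    users, records = build_index(log)
    scores = {(u, r): deviation_score(u, r, users, records) for u, r in log}
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)
```

With the constructed log, u9's access to p2 ranks first (score about 0.269) while the regular team members' accesses score at or below zero, which is the kind of per-access flag the abstract describes rather than a per-user profile.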

Highlights

  • The popularity of collaborative information systems (CIS) has exploded over the past decade

  • Section 3.2 (Spectral Anomaly Detection Model): Though specialized network anomaly detection (SNAD) may appear to be a simplistic model, we find it is more appropriate for access-level insider threat detection in CIS than more sophisticated competitors

  • It is anticipated that the number of subjects accessed by a user is significantly smaller than m and the time to compute the similarity of a pair of users is O


Summary

Introduction

The popularity of collaborative information systems (CIS) has exploded over the past decade. There is evidence that they can increase the efficiency of completing tasks posed to the members of an organization [7]. These gains may be realized through various routes, such as coordination of workflows [8], team-based communication and editing [9], and management of the life-cycle of knowledge and documents in heterogeneous environments [10]. The basis of such improvements is varied and may arise by leveraging the wisdom of crowds [12], performing innovative brainstorming sessions [13], and provisioning information in a just-in-time manner from experts [14]. These benefits are realized because CIS facilitate flexible participation and coordination between disparate users over common tasks. These vulnerabilities arise because the environments in which CIS are deployed are inherently complex
