Implementation of Insider Threat Detection System Using Honeypot Based Sensors and Threat Analytics

  • Muhammad Mudassar Yamin
  • Basel Katt
  • Kashif Sattar
  • Maaz Bin Ahmad
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)


An organization is a combination of vision, technology and employees, and its wellbeing depends directly on the honesty of its workers. An organization is also threatened, however, by the misuse of information by its own agents: former employees, current employees, vendors or business associates. Threats posed from within the organization in this way are known as insider threats. Many approaches have been employed to detect insider threats in organizations. One of them is to monitor system functions in order to detect possible insiders. Such approaches raise an unnecessarily large number of false-positive alarms, which are then reduced with evolutionary algorithms. Because threshold values differ from one organization to another, this kind of insider threat detection requires a lot of configuration before it can be deployed in real-world scenarios. Honeypot sensors can detect insider threats in a limited but satisfactory way. The present research proposes a new technique for detecting insiders using encrypted honeypots. The technique complements existing insider detection systems and improves their performance by decreasing false-positive results.
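The abstract contrasts a threshold-based system-function monitor, which is noisy and needs per-organization tuning, with honeypot sensors, whose decoys have no legitimate use and therefore yield a high-confidence signal. The following added example (not the paper's code; the paper's "encrypted honeypots" are not modelled here) shows how a decoy-file sensor can be correlated with a threshold monitor so that threshold-only alerts are demoted for review while any decoy contact is confirmed outright. The decoy paths, sensitive directories, user names and audit events are all constructed for the demonstration.

```python
# Illustrative honeytoken sensor correlated with a threshold-based activity
# monitor. Added example; not the paper's implementation. Every path, user
# and event below is constructed for the demo.
from collections import defaultdict
from typing import Dict, List, Tuple

# Hypothetical decoy files planted where legitimate work never needs them.
DECOY_PATHS = frozenset({
    "/srv/finance/payroll_2019_DRAFT.xlsx",
    "/srv/hr/executive_salary_bands.docx",
})

# Directories the system-function monitor treats as sensitive (hypothetical).
SENSITIVE_PREFIXES = ("/srv/finance/", "/srv/hr/")

# Constructed audit events: (user, action, path). A real sensor would consume
# auditd or Windows object-access logs instead of this list.
EVENTS: List[Tuple[str, str, str]] = [
    ("alice", "read", "/srv/finance/invoices_2019.xlsx"),
    ("alice", "read", "/srv/finance/budget.xlsx"),
    ("alice", "read", "/srv/finance/forecast.xlsx"),
    ("alice", "read", "/srv/hr/onboarding_checklist.docx"),   # busy but legitimate
    ("bob",   "read", "/srv/finance/invoices_2019.xlsx"),
    ("bob",   "read", "/srv/finance/payroll_2019_DRAFT.xlsx"),  # decoy touched
    ("carol", "read", "/home/carol/notes.txt"),
]


def monitor_score(events, prefixes=SENSITIVE_PREFIXES) -> Dict[str, int]:
    """Count sensitive-path accesses per user: the noisy, threshold-based signal."""
    score: Dict[str, int] = defaultdict(int)
    for user, _action, path in events:
        if path.startswith(prefixes):
            score[user] += 1
    return dict(score)


def honeypot_hits(events, decoys=DECOY_PATHS) -> Dict[str, List[str]]:
    """Users who touched a decoy. Decoys have no legitimate use, so any access
    is a high-confidence indicator rather than a threshold guess."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for user, action, path in events:
        if path in decoys:
            hits[user].append(f"{action} {path}")
    return dict(hits)


def classify(events, threshold: int) -> Dict[str, str]:
    """Combine both sensors per user.

    decoy contact                        -> "confirmed" (regardless of score)
    score >= threshold, no decoy contact -> "review"    (likely false positive)
    otherwise                            -> "benign"
    """
    scores = monitor_score(events)
    hits = honeypot_hits(events)
    verdict: Dict[str, str] = {}
    for user in {u for u, _, _ in events}:
        if user in hits:
            verdict[user] = "confirmed"
        elif scores.get(user, 0) >= threshold:
            verdict[user] = "review"
        else:
            verdict[user] = "benign"
    return verdict


def threshold_alerts(events, threshold: int) -> Tuple[int, int]:
    """(alerts the threshold monitor alone would raise,
        how many of them lack any corroborating decoy contact)."""
    scores = monitor_score(events)
    hits = honeypot_hits(events)
    flagged = {u for u, s in scores.items() if s >= threshold}
    return len(flagged), len(flagged - set(hits))


if __name__ == "__main__":
    for user, verdict in sorted(classify(EVENTS, threshold=3).items()):
        print(f"{user:6s} {verdict}")
    print("threshold alerts / uncorroborated:", threshold_alerts(EVENTS, 3))
```

With a threshold of three sensitive reads, the busy but legitimate user is only queued for review, the user who opened a decoy is confirmed even though two reads would never trip the threshold, and the threshold value itself matters far less because the decoy signal does not depend on it.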


Insider threat, System monitoring, Activity detection, Honeypots, Threat analytics



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Muhammad Mudassar Yamin (1)
  • Basel Katt (1)
  • Kashif Sattar (2)
  • Maaz Bin Ahmad (3)
  1. Norwegian University of Science and Technology, Gjøvik, Norway
  2. University of Arid Agriculture Rawalpindi, Rawalpindi, Pakistan
  3. PAF KIET, Karachi, Pakistan
