A State Machine System for Insider Threat Detection

  • Haozhe Zhang
  • Ioannis Agrafiotis
  • Arnau Erola
  • Sadie Creese
  • Michael Goldsmith
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11086)


The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity. In this paper we propose a system complementary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it to ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimal computational time and memory.
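The abstract describes a state machine that consumes two kinds of input, policy breaches from a rule-based (tripwire) system and alerts from an anomaly detector, and advances one machine per actor through an analyst-defined attack pattern. The following Python is an added illustration of that idea written for this page; it is not the authors' implementation, and the pattern, alert names, actors and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    """One input event: a breached policy (tripwire) or an anomaly alert."""
    actor: str
    kind: str   # "policy" or "anomaly"
    name: str   # label of the policy breached or the anomaly raised
    ts: int     # constructed timestamp, in days for this illustration


@dataclass
class Pattern:
    """An attack pattern: an ordered sequence of (kind, name) transitions
    that must all be observed for the same actor within `window` days."""
    name: str
    steps: List[Tuple[str, str]]
    window: int


@dataclass
class Tracker:
    """Progress of one actor through one pattern."""
    state: int = 0                      # index of the next expected step
    started: Optional[int] = None       # timestamp of the first matched step
    matched: List[Alert] = field(default_factory=list)


class PatternMatcher:
    """Feeds alerts into one state machine per (pattern, actor) pair."""

    def __init__(self, patterns: List[Pattern]) -> None:
        self.patterns = patterns
        self.trackers: Dict[Tuple[str, str], Tracker] = {}
        self.detections: List[dict] = []

    def feed(self, alert: Alert) -> List[dict]:
        """Advance every relevant machine by one alert; return patterns completed."""
        fired: List[dict] = []
        for pattern in self.patterns:
            key = (pattern.name, alert.actor)
            tracker = self.trackers.setdefault(key, Tracker())
            # A partial match older than the window is discarded, so an
            # unrelated alert weeks later cannot complete it.
            if tracker.started is not None and alert.ts - tracker.started > pattern.window:
                tracker = Tracker()
                self.trackers[key] = tracker
            if (alert.kind, alert.name) != pattern.steps[tracker.state]:
                continue  # not the transition this machine is waiting for
            if tracker.state == 0:
                tracker.started = alert.ts
            tracker.matched.append(alert)
            tracker.state += 1
            if tracker.state == len(pattern.steps):
                detection = {
                    "pattern": pattern.name,
                    "actor": alert.actor,
                    "evidence": [(a.kind, a.name, a.ts) for a in tracker.matched],
                }
                self.detections.append(detection)
                fired.append(detection)
                self.trackers[key] = Tracker()  # reset after a full match
        return fired


# Hypothetical pattern (not from the paper): an employee hands in notice,
# then reads an unusual volume of files, then uses removable media, within a week.
IP_THEFT = Pattern(
    name="ip-theft-before-departure",
    steps=[("policy", "resignation-notice"),
           ("anomaly", "bulk-file-access"),
           ("policy", "usb-mass-storage")],
    window=7,
)

# Constructed alert stream; not taken from any real dataset.
SAMPLE_ALERTS = [
    Alert("alice", "policy", "resignation-notice", ts=1),
    Alert("bob", "anomaly", "bulk-file-access", ts=1),     # first step missing for bob
    Alert("carol", "policy", "resignation-notice", ts=2),
    Alert("alice", "anomaly", "bulk-file-access", ts=3),
    Alert("alice", "policy", "usb-mass-storage", ts=5),    # completes alice's pattern
    Alert("carol", "anomaly", "bulk-file-access", ts=12),  # 10 days later: window expired
    Alert("carol", "policy", "usb-mass-storage", ts=13),
]


def run_demo(alerts: List[Alert] = SAMPLE_ALERTS) -> List[dict]:
    """Replay the constructed stream and return the completed patterns."""
    matcher = PatternMatcher([IP_THEFT])
    for alert in alerts:
        matcher.feed(alert)
    return matcher.detections


if __name__ == "__main__":
    for d in run_demo():
        print(d["pattern"], d["actor"], d["evidence"])
```

Only alice's sequence completes: bob never produces the first transition, and carol's partial match is dropped when the time window elapses before the second step. Keeping one small tracker per (pattern, actor) pair, and resetting it on completion or expiry, is what keeps memory bounded by the number of active actors rather than by the length of the alert stream, which is the scalability property the abstract claims.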


Keywords: Insider threat, Tripwires, Attack patterns


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Haozhe Zhang (1)
  • Ioannis Agrafiotis (1)
  • Arnau Erola (1)
  • Sadie Creese (1)
  • Michael Goldsmith (1)

  1. Department of Computer Science, University of Oxford, Oxford, UK