
Cyber Insider Mission Detection for Situation Awareness


Part of the book series: Studies in Computational Intelligence ((SCI,volume 563))

Abstract

Cyber insider detection is challenging because legitimate activities are difficult to distinguish from malicious ones. This chapter begins with a brief review of existing work in the machine learning community that addresses cyber insider detection. The review leads to our recent research advance, which focuses on early detection of an ongoing insider mission rather than on deciding whether individual events are malicious. Multiple automated software agents are assumed to hold different account privileges on different hosts and to carry out different dimensions of a complex insider mission. This work develops an integrated approach that uses Hidden Markov Models to estimate the suspiciousness of insider activities, and then fuses these suspiciousness values across insider activity dimensions to estimate the progression of an insider mission. The fusion across cyber insider dimensions is accomplished with a combination of fuzzy rules and Ordered Weighted Average functions. Experimental results based on simulated data show that the integrated approach detects the insider mission with high accuracy and in a timely manner, even in the presence of obfuscation techniques.

Research supported by DARPA Cyber Insider (CINDER, FA8750-11-C-0038) program. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense or the U.S. Government. Distribution Statement A—Approved for Public Release, Distribution Unlimited.
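A toy version of the two-stage pipeline the abstract describes, added here as an illustration and not taken from the chapter: a small two-state Hidden Markov Model per insider-activity dimension yields a filtered posterior of the "malicious" state (the suspiciousness), and Yager's Ordered Weighted Average fuses the per-dimension values into a mission-progress score. The model parameters, dimension names and observation sequences are constructed; the chapter's fuzzy-rule stage is omitted.

```python
# Added illustration, not the chapter's code: per-dimension HMM suspiciousness
# fused with an Ordered Weighted Average (OWA). Every parameter and
# observation below is a constructed toy value, not the chapter's data.
from typing import Dict, List, Sequence

# Two hidden states per dimension: 0 = benign behaviour, 1 = insider activity.
# Observation symbols: "n" (normal event), "u" (unusual event).
PI = [0.9, 0.1]                       # prior over the hidden state
A = [[0.9, 0.1], [0.2, 0.8]]          # transitions, A[i][j] = P(next=j | now=i)
B = [{"n": 0.8, "u": 0.2},            # emission probabilities, benign state
     {"n": 0.3, "u": 0.7}]            # emission probabilities, malicious state


def suspiciousness(obs: Sequence[str]) -> List[float]:
    """Filtered posterior P(state = malicious | obs[0..t]) for every t,
    i.e. the normalised HMM forward algorithm run online."""
    alpha = [PI[s] * B[s][obs[0]] for s in (0, 1)]
    out = []
    for t, o in enumerate(obs):
        if t > 0:  # predict through the transitions, then weight by emission
            alpha = [sum(alpha[i] * A[i][s] for i in (0, 1)) * B[s][o]
                     for s in (0, 1)]
        z = sum(alpha)
        alpha = [a / z for a in alpha]        # normalise into a posterior
        out.append(alpha[1])
    return out


def owa(values: Sequence[float], weights: Sequence[float]) -> float:
    """Yager's OWA: weights apply to the values sorted in descending order,
    so the weight vector (not the dimension) sets how 'or-like' the fusion is."""
    assert len(weights) == len(values) and abs(sum(weights) - 1.0) < 1e-9
    return sum(w * v for w, v in zip(weights, sorted(values, reverse=True)))


def mission_progress(dims: Dict[str, Sequence[str]],
                     weights: Sequence[float]) -> List[float]:
    """Mission-progress estimate per time step: the suspiciousness of each
    insider-activity dimension at that step, fused across dimensions by OWA."""
    per_dim = [suspiciousness(seq) for seq in dims.values()]
    horizon = min(len(p) for p in per_dim)
    return [owa([p[t] for p in per_dim], weights) for t in range(horizon)]


if __name__ == "__main__":
    # Constructed scenario: three agents, one per dimension; the last
    # dimension only turns unusual late, the first goes quiet again.
    scenario = {"recon": ["u", "u", "n", "n", "n"],
                "collect": ["n", "u", "u", "u", "n"],
                "exfil": ["n", "n", "n", "u", "u"]}
    for t, score in enumerate(mission_progress(scenario, [0.5, 0.3, 0.2])):
        print(f"t={t}: mission progress {score:.3f}")
```

Front-loading the OWA weights (0.5 on the largest value) makes the fusion fire when any one dimension looks suspicious; a flat weight vector would instead require several dimensions to agree.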




Corresponding author

Correspondence to Shanchieh Jay Yang.


Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Du, H., Wang, C., Zhang, T., Yang, S.J., Choi, J., Liu, P. (2015). Cyber Insider Mission Detection for Situation Awareness. In: Yager, R., Reformat, M., Alajlan, N. (eds) Intelligent Methods for Cyber Warfare. Studies in Computational Intelligence, vol 563. Springer, Cham. https://doi.org/10.1007/978-3-319-08624-8_9


  • DOI: https://doi.org/10.1007/978-3-319-08624-8_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08623-1

  • Online ISBN: 978-3-319-08624-8

  • eBook Packages: Engineering (R0)
