Detecting Insider Information Theft Using Features from File Access Logs

  • Christopher Gates
  • Ninghui Li
  • Zenglin Xu
  • Suresh N. Chari
  • Ian Molloy
  • Youngja Park
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8713)


Access control is a necessary, but often insufficient, mechanism for protecting sensitive resources. In some scenarios, the cost of anticipating information needs and specifying precise access control policies is prohibitive. For this reason, many organizations provide employees with excessive access to some resources, such as file or source code repositories. This allows the organization to maximize the benefit employees get from access to troves of information, but exposes the organization to excessive risk. In this work we investigate how to build profiles of normal user activity on file repositories for use in anomaly detection, insider threat detection, and risk mitigation. We illustrate how information derived from other users' activity and the structure of the filesystem hierarchy can be used to detect abnormal access patterns. We evaluate our methods on real access logs from a commercial source code repository on two tasks: identifying users from their access patterns, and detecting users who access more than they need, as an insider seeking to leak resources would.
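The two feature families the abstract names, the filesystem hierarchy and other users' activity, can be combined into a simple per-access score. The following is an added illustration, not the paper's own method or code: it assumes a constructed log of (user, path) pairs, measures how far up the directory tree an access lies from directories the user has worked in before, counts how many other users have touched the same file, and flags accesses that are both far from the user's own areas and rarely shared (the thresholds are hypothetical).

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample access log of (user, path) pairs; not data from the paper.
ACCESS_LOG = [
    ("alice", "/repo/web/auth/login.py"),
    ("alice", "/repo/web/auth/session.py"),
    ("alice", "/repo/web/ui/index.html"),
    ("bob",   "/repo/web/auth/login.py"),
    ("bob",   "/repo/web/ui/index.html"),
    ("carol", "/repo/trading/engine/core.c"),
    ("carol", "/repo/trading/engine/order.c"),
    ("dave",  "/repo/trading/engine/core.c"),
]

def build_profiles(log):
    """Per-user set of directories ever touched, and per-file set of users."""
    user_dirs = defaultdict(set)
    file_users = defaultdict(set)
    for user, path in log:
        file_users[path].add(user)
        user_dirs[user].update(str(d) for d in PurePosixPath(path).parents)
    return user_dirs, file_users

def hierarchy_distance(user, path, user_dirs):
    """Levels up the tree from the file's directory until a directory the user
    has worked in before; 0 = same directory as prior activity. Returns the
    full depth when nothing in the user's history is an ancestor of the path."""
    parents = [str(d) for d in PurePosixPath(path).parents]  # nearest first
    for level, d in enumerate(parents):
        if d in user_dirs[user]:
            return level
    return len(parents)

def score_access(user, path, user_dirs, file_users, max_distance=1, min_sharers=2):
    """Hypothetical rule: flag an access that is far from the user's own work
    areas AND touches a file few other users have accessed (low sharing)."""
    distance = hierarchy_distance(user, path, user_dirs)
    sharers = len(file_users[path] - {user})
    flagged = distance > max_distance and sharers < min_sharers
    return {"distance": distance, "sharers": sharers, "flagged": flagged}

def audit(new_accesses, log=ACCESS_LOG):
    """Score a batch of new (user, path) accesses against profiles built from log."""
    user_dirs, file_users = build_profiles(log)
    return {(u, p): score_access(u, p, user_dirs, file_users) for u, p in new_accesses}
```

Running `audit` on an access by carol to `/repo/web/auth/session.py` flags it (two levels outside her area, one other reader), while her access to `/repo/web/auth/login.py` is not flagged because the file is widely read; the sharing feature suppresses alerts on commonly used files.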


Keywords: file access, insider threat



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Christopher Gates (1)
  • Ninghui Li (1)
  • Zenglin Xu (1)
  • Suresh N. Chari (2)
  • Ian Molloy (2)
  • Youngja Park (2)

  1. Purdue University, USA
  2. IBM Research, USA
