Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modeling for Insider Threat Mitigation

  • Frank L. Greitzer
  • Deborah A. Frincke
Chapter
Part of the Advances in Information Security book series (ADIS, volume 49)

Abstract

The purpose of this chapter is to motivate the combination of traditional cyber security audit data with psychosocial data, to support a move from an insider threat detection stance to one that enables prediction of potential insider presence. Two distinctive aspects of the approach are the objective of predicting or anticipating potential risks and the use of organizational data in addition to cyber data to support the analysis. The chapter describes the challenges of this endeavor and reports on progress in defining a usable set of predictive indicators, developing a framework for integrating the analysis of organizational and cyber security data to yield predictions about possible insider exploits, and developing the knowledge base and reasoning capability of the system. We also outline the types of errors that one expects in a predictive system versus a detection system and discuss how those errors can affect the usefulness of the results.

Keywords

Injection Rate, Description Logic, Dynamic Bayesian Network, Northwest National Laboratory, Attack Graph

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Pacific Northwest National Laboratory, Richland, U.S.A.