Cyber Insider Mission Detection for Situation Awareness

  • Haitao Du
  • Changzhou Wang
  • Tao Zhang
  • Shanchieh Jay Yang
  • Jai Choi
  • Peng Liu
Part of the Studies in Computational Intelligence book series (SCI, volume 563)


Cyber insider detection is challenging due to the difficulty in differentiating legitimate activities from malicious ones. This chapter will begin by providing a brief review of exiting works in the machine learning community that offer treatments to cyber insider detection. The review will lead to our recent research advance that focuses on early detection of ongoing insider mission instead of trying to determine whether individual events are malicious or not. Multiple automated software agents are assumed to possess different account privileges on different hosts, to perform different dimensions of a complex insider mission. This work develops an integrated approach that utilizes Hidden Markov Models to estimate the suspicious level of insider activities, and then fuses these suspiciousness values across insider activity dimensions to estimate the progression of an insider mission. The fusion across cyber insider dimensions is accomplished using a combination of Fuzzy rules and Ordered Weighted Average functions. Experimental results based on simulated data show that the integrated approach detects the insider mission with high accuracy and in a timely manner, even in the presence of obfuscation techniques.


Insider threat Information fusion Intrusion detection 


  1. 1.
    Ali, G., Shaikh, N.A., Shaikh, Z.A.: Towards an automated multiagent system to monitor user activities against insider threat. In: Proceedings of International Symposium on Biometrics and Security Technologies, pp. 1–5 (2008)Google Scholar
  2. 2.
    Bertino, E., Ghinita, G.: Towards mechanisms for detection and prevention of data exfiltration by insiders. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 10–19 (2011)Google Scholar
  3. 3.
    Buford, J.F., Lewis, L., Jakobson, G.: Insider threat detection using situation-aware MAS. In: Proceedings of 11th International Conference on Information Fusion (2008)Google Scholar
  4. 4.
    Hu, Y., Panda, B.: Two-dimensional traceability link rule mining for detection of insider attacks. In: Proceedings of the 43rd Hawaii International Conference on System Sciences (2010)Google Scholar
  5. 5.
    Kohli, H., Lindskog, D., Zavarsky, P., Ruhl, R.: An enhanced threat identification approach for collusion threats. In: Proceedings of Third International Workshop on Security Measurements and Metrics, pp. 25–30 (2011)Google Scholar
  6. 6.
    Liu Y., Cobett, C., Chiang K., Archibald, R., Mukherjee, B., Ghosal, D.: SIDD: a framework for detecting sensitive data exfiltration by an insider attack. In: Proceedings of the 42nd Hawaii International Conference on System Science (2009)Google Scholar
  7. 7.
    Mathew1, S., Petropoulos, M., Ngo, H.Q., Upadhyaya, S.: A data-centric approach to insider attack detection in database systems. In: Proceedings of the 13th international Conference on Recent advances in intrusion Detection, pp. 382–401 (2010)Google Scholar
  8. 8.
    Maybury, M., Chase, P., Cheikes, B., Brackney, D., Matzner, S., Hetherington, T., Wood, B., Sibley, C., Marin, J., Longstaff, T.: Analysis and detection of malicious insiders. Technical report, MITRE (2005)Google Scholar
  9. 9.
    Parveen, P., Weger, Z.R., Thuraisingham, B., Hamlen, K., Khan, L.: Surpervised learning for insider threat detection. In: Proceedings of the 23rd IEEE International Conference on Tools with Artificial Intelligence, pp. 1032–1039 (2011)Google Scholar
  10. 10.
    Pfleeger, S.L., Predd, J.B., Hunker, J., Bulford, C.: Insiders behaving badly: addressing bad actors and their actions. IEEE Trans. Inf. Forensics Secur. 5(1), 169–179 (2010)CrossRefGoogle Scholar
  11. 11.
    Raissi-Dehkordi, M., Carr, D.: A multi-perspective approach to insider threat detection. In: Proceedings of IEEE Military Communications Conference, pp. 1164–1169 (2011)Google Scholar
  12. 12.
    Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. Insider Attack Cyber Secur. 39, 69–90 (2008)Google Scholar
  13. 13.
    Santos, E., Nguyen, H., Yu, F., Kim, K., Li, D., Wilkinson, J.T., Olson, A., Jacob, R.: Intent-driven insider threat detection in intelligence analyses. Proc. IEEE/WIC/ACM Int. Conf. Web Intell. Intell. Agent Technol. 2, 345–349 (2008)Google Scholar
  14. 14.
    Singh, S., Silakari, S.: A survey of cyber attack detection systems. Int. J. Comput. Sci. Netw. Secur. 9(5) (2009)Google Scholar
  15. 15.
    Wang, L.X.: A Course on Fuzzy Systems. Prentice-Hall press, USA (1999)Google Scholar
  16. 16.
    Yager, R.R.: On ordered weighted averaging aggregation operators in multicriteria decisionmaking. IEEE Trans. Syst Man Cybern. 18(1), 183–190 (1988)Google Scholar
  17. 17.
    Yang, J., Ray, L., Zhao, G.: Detect stepping-stone insider attacks by network traffic mining and dynamic programming. In: Proceedings of the 2011 International Conference on Advanced Information Networking and Applications, pp. 151–158 (2011)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Haitao Du
    • 1
  • Changzhou Wang
    • 2
  • Tao Zhang
    • 3
  • Shanchieh Jay Yang
    • 1
  • Jai Choi
    • 2
  • Peng Liu
    • 3
  1. 1.Department of Computer EngineeringRochester Institute of TechnologyRochesterUSA
  2. 2.The Boeing CompanySeattleUSA
  3. 3.College of Information Sciences and TechnologyPennsylvania State UniversityUniversity ParkUSA

Personalised recommendations