
elicit: A System for Detecting Insiders Who Violate Need-to-Know

Conference paper, Recent Advances in Intrusion Detection (RAID 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4637)

Abstract

Malicious insiders do great harm and avoid detection by using their legitimate privileges to steal information that is often outside the scope of their duties. Based on information from public cases, consultation with domain experts, and analysis of a massive collection of information-use events and contextual information, we developed an approach for detecting insiders who operate outside the scope of their duties and thus violate need-to-know. Based on the approach, we built and evaluated elicit, a system designed to help analysts investigate insider threats. Empirical results suggest that, for a specified decision threshold of .5, elicit achieves a detection rate of .84 and a false-positive rate of .015, flagging per day only 23 users of 1,548 for further scrutiny. It achieved an area under an ROC curve of .92.



Editors: Christopher Kruegel, Richard Lippmann, Andrew Clark

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Maloof, M.A., Stephens, G.D. (2007). elicit: A System for Detecting Insiders Who Violate Need-to-Know. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_8


  • DOI: https://doi.org/10.1007/978-3-540-74320-0_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74319-4

  • Online ISBN: 978-3-540-74320-0
