Two-Dimensional Traceability Link Rule Mining for Detection of Insider Attacks

Abstract

Organizations face a growing threat of insider attacks. This paper presents a model for detecting insider malicious activities targeted at tampering the contents of files for various purposes. It employs two-dimensional traceability link rule mining to identify intrinsic file dependencies. Traceability links are traditionally used by software practitioners and researchers to uncover the relationships between programs and documents in a software system. In this research, we borrow the concept of traceability link from software engineering realm and use traceability links to model file access patterns. Activities that modify data without complying with various file traceability link rules will be identified as suspicious activities. Because file traceability links are less prone to change than individual user's file access patterns, the insider attack detection model built on traceability links is more effective than many existing systems based on usage patterns.