Role-based differentiation for insider detection algorithms

Suraj Nellikar, D. Nicol, Jai J. Choi
DOI: 10.1145/1866886.1866897 (https://doi.org/10.1145/1866886.1866897)
Venue: Insider Threats '10
Published: 2010-10-08
Citations: 6

Abstract

Insider threat problems are widespread in industry today, resulting in large losses of intellectual property. Reputable reports assert that attacks from within an organization are on the rise, making detection of insider-based attacks a top priority. This paper evaluates the effectiveness of using role-based differentiation of user behavior as a tool in detecting insider attack behavior. This differentiation is natural in contexts where role-based access control (RBAC) mechanisms are in place. Using synthetically generated traffic (which puts placement and intensity of insider behavior under experimental control), we train five different algorithms on "normal" behavior with and without RBAC differentiation, and measure the accuracy of detecting malicious behavior with and without RBAC, as a function of insider behavior. We find that in some contexts RBAC differentiation significantly reduces detection errors. However, in our experiments two of the five algorithms had statistically significant increases in false positives under RBAC as opposed to non-RBAC. These increases are small compared to the very large gain in detection capability that RBAC brings, and we conclude that RBAC is very much worth considering as a tool for insider threat detection.
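The following is an added illustration of the abstract's core idea, not code from the paper and not one of its five algorithms: a simple resource-frequency detector trained once on a pooled "normal" baseline and once on per-role baselines, then scored on two constructed windows (an HR user pulling source code, and a developer doing only build work). All users, roles, resources, counts and the threshold are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed "normal" training events (user, role, resource); not the paper's data.
TRAIN = (
    [("dev1", "dev", "src_repo")] * 40 + [("dev1", "dev", "wiki")] * 10
    + [("dev2", "dev", "src_repo")] * 35 + [("dev2", "dev", "build")] * 15
    + [("hr1", "hr", "payroll")] * 45 + [("hr1", "hr", "wiki")] * 5
    + [("hr2", "hr", "payroll")] * 40 + [("hr2", "hr", "wiki")] * 10
)

# Constructed evaluation windows: (user, role, observed resources).
SCENARIOS = {
    # HR user pulling source code: the IP-loss behaviour the abstract targets.
    "insider_hr3": ("hr3", "hr", ["src_repo"] * 15 + ["payroll"] * 5),
    # Developer doing only build work: rare company-wide, normal for the role.
    "benign_dev3": ("dev3", "dev", ["build"] * 20),
}
THRESHOLD = 2.0  # mean -log p above which a window is flagged (arbitrary choice)

def build_profiles(events, by_role):
    """Resource-frequency baselines keyed by role, or by '*' for one pooled baseline."""
    counts = defaultdict(Counter)
    for _user, role, resource in events:
        counts[role if by_role else "*"][resource] += 1
    return {k: {r: n / sum(c.values()) for r, n in c.items()} for k, c in counts.items()}

def anomaly_score(profiles, role, observed, by_role, floor=1e-3):
    """Mean -log p of the observed resources under the chosen baseline.
    A resource never seen in training gets `floor`, so novelty is penalised but finite."""
    baseline = profiles[role if by_role else "*"]
    return sum(-math.log(baseline.get(r, floor)) for r in observed) / len(observed)

def score_scenarios(train=TRAIN, scenarios=SCENARIOS):
    """Score each window under both baselines: {name: {'pooled': s, 'role': s}}."""
    pooled, per_role = build_profiles(train, False), build_profiles(train, True)
    return {name: {"pooled": anomaly_score(pooled, role, obs, False),
                   "role": anomaly_score(per_role, role, obs, True)}
            for name, (_u, role, obs) in scenarios.items()}

def flagged(scores, mode, threshold=THRESHOLD):
    """Names of windows whose score under `mode` ('pooled' or 'role') exceeds the threshold."""
    return sorted(n for n, s in scores.items() if s[mode] > threshold)

if __name__ == "__main__":
    scores = score_scenarios()
    for name, s in scores.items():
        print(f"{name}: pooled={s['pooled']:.2f} role={s['role']:.2f}")
    print("flagged (pooled):", flagged(scores, "pooled"))
    print("flagged (role):  ", flagged(scores, "role"))
```

With this data the pooled baseline misses the HR user's source-code access (developers make it common company-wide) and flags the build-only developer, while the per-role baselines reverse both decisions; the toy data is too small to exhibit the role-based false-positive increase the abstract reports for two of its algorithms.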