An Evaluation of the Technical Approaches to the Insider Threat
Nicklaus A. Giacobe

Overview

Insider threats to an organization have been reported in the mainstream media, the technical press and academic research. The costs of these types of attacks are more significant than the costs of attacks from outside of the organization. Proposals for dealing with the insider threat problem include a number of technical solutions. Most of these solutions are simply re-purposed from defensive systems used against hackers and threats that come from the outside. Unfortunately, they are not effective against trusted network users who need access to the data, information and systems to do their jobs. The solutions proposed from the social psychology perspective include a variety of possibilities, but they are time intensive, costly and have legal consequences. This research attempts to classify the different technical solutions presented in the literature. An assessment is presented to identify where the future of insider threat systems should be focused.

This research also attempts to characterize the insider by drawing on prominent theories from the fields of behavioral theory and psychology to create an insider personality profile. This profile will allow us to understand an insider's motives and actions. Only then can effective technology solutions be designed to combat the insider threat.

Behavioral Theory

Much of the published information on insider threat has been compiled in case studies that focus on who insiders are, why they commit their crimes, and how they commit their crimes. The question then remains: why can't insiders be stopped? To answer this question, researchers examine insiders from the perspective of several prominent behavioral theories such as general deterrence theory, social learning theory, social bond theory, and the theory of planned behavior. These theories focus on the behavior and motivation of insiders and help identify patterns of behavior at the organizational level. Understanding and insight at an organizational level help to shape company policies and procedures to combat the insider threat.

Personality Theory

At an individual level, the basis for personality profiling can be drawn from a large body of research in the field of psychology. Research here delves into personality characteristics such as Locus of Control, Attribution Style, Self Efficacy, and Neuroticism. The key, however, is to begin to look at these traits not as individual characteristics, but as pieces of a whole puzzle. Numerous studies have been conducted in personality psychology. These studies, however, have focused on examining each trait individually and have largely ignored the commonality and relationships between traits (Judge et al., 2002). It is this author's belief that the key to successful profiling of insider threats lies in identifying the patterns that emerge by focusing on the relationships among a wider range of personality traits.

Future Work

1. Acquire and evaluate several COTS insider threat systems and evaluate their capabilities in reference to this proposed model.
2. Integrate behavioral theories to identify which data to mine and how to evaluate this information to assess an individual's risk.
3. Research the legal perspectives of taking action on personality assessment in the workplace and the privacy concerns of data mining solutions.

Acknowledgements: Advisor: David L. Hall, Ph.D. | Sponsor: Lockheed Martin Corporation | Principal Investigator: Isaac Brewer, Ph.D.