An Evaluation of the Technical Approaches
to the Insider Threat
Nicklaus A. Giacobe
Overview
Insider threats to an organization have been reported in the
mainstream media, technical press and in academic research. The costs
of these types of attacks are more significant than the costs of attacks
from outside of the organization. Proposals for dealing with the insider
threat problem include a number of technical solutions. Most of these
solutions are simply re-purposed from defensive systems used against
hackers and threats that come from the outside. Unfortunately, they are
not effective against trusted network users who need to have access to
the data, information and systems to do their jobs. The solutions
proposed from the social psychology perspective include a variety of
possibilities, but they are time intensive, costly and have legal
consequences. This research attempts to classify the different technical
solutions presented in the literature. An assessment is presented to
identify where the future of insider threat systems should be focused.
Personality Theory
Personality Theory
At an individual level, the basis for personality proofing can be drawn
from large body of research in the field of psychology. Research here
delves into personality characteristics such as Locus of Control,
Attribution Style, Self Efficacy, and Neuroticism. The key however is to
begin to look at these traits not as individual characteristics, but as
pieces to a whole puzzle. Numerous studies have been conducted in
personality psychology. These studies however have focused on
examining each trait individually and have largely ignored the
commonality and relationship between traits (Judge et al., 2002). It is
this author’s belief that the key to successful profiling of insider threats
lies in the identifying patterns that emerge by focusing on the
relationships between a wider ranges of personality traits.
At an individual level, the basis for personality proofing can be drawn
from large body of research in the field of psychology. Research here
delves into personality characteristics such as Locus of Control,
Attribution Style, Self Efficacy, and Neuroticism. The key however is to
begin to look at these traits not as individual characteristics, but as
pieces to a whole puzzle. Numerous studies have been conducted in
personality psychology. These studies however have focused on
examining each trait individually and have largely ignored the
commonality and relationship between traits (Judge et al., 2002). It is
this author’s belief that the key to successful profiling of insider threats
lies in the identifying patterns that emerge by focusing on the
relationships
Future Workbetween a wider ranges of personality traits.
1. Acquire and evaluate several COTS insider threat systems and
evaluate their capabilities in reference to this proposed model.
2. Integrate behavioral theories to identify which data to mine and how
to evaluate this information to assess an individual risk.
3. Research the legal perspectives of taking action on personality
assessment in the workplace and the privacy concerns of data
mining solutions.
References
Anderson, G.F., Selby, D.A., and Ramsey, M. "Insider attack and real-time data mining of user behavior," IBM
Journal of Research and Development (51:3) 2007, pp 465-476.
Overview
This research attempts to characterize the insider by drawing on prominent theories from the fields of behavioral
theory and psychology to create an insider personality profile. This profile will allow us to understand an insider’s
motives and actions. Only then can effective technology solutions be designed to combat the insider threat.
Baek, E., Kim, Y., Sung, J., and Lee, S. "The design of framework for detecting an insider's leak of confidential
information," Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, Brussels,
Belgium, 1st international conference on Forensic applications and techniques in telecommunications, information, and
multimedia and workshop, 2008.
Bradford, P., and Hu, N. "A layered approach to insider threat detection and proactive forensics," Proceedings of the
Twenty-First Annual Computer Security Applications Conference (Technology Blitz), 2005.
Chinchani, R., Iyer, A., Ngo, H., and Upadhyaya, S. "A Target-Centric Formal Model For Insider Threat and More."
Chinchani, R., Iyer, A., Ngo, H.Q., and Upadhyaya, S. "Towards a theory of insider threat assessment," 2005
International Conference on Dependable Systems and Networks (DSN'05), 2005, pp. 108–117.
Gaonjur, P., and Bokhoree, C. "Risk of Insider Threats in Information Technology Outsourcing: Can deceptive techniques
be applied," School of Business Informatics, University of Technology, Mauritius) 2006.
Behavioral Theory
Much of the published information on insider threat has been
compiled in case studies that focus on who insiders are, why
they commit their crimes, and how they commit their crimes.
The question then remains, why can’t insiders be stopped? To
answer this question, researchers examine insiders from the
aspect of several prominent behavioral theories such as
general deterrence theory, social learning theory, social bond
theory, and the theory of planned behavior. These theories
focus on the behavior and motivation of insiders and help
identify patterns of behavior at the organizational level.
Understanding and insight at an organizational level helps to
shape company policies and procedures to combat the insider
threat.
Holsopple, J., Yang, S.J., and Sudit, M. "TANDI: threat assessment of network data and information," Proceedings of
SPIE, Defense and Security Symposium, 2006, pp. 211-222.
Kerschbaum, F., Spafford, E.H., and Zamboni, D. "Using embedded sensors for detecting network attacks," Proceedings
of the 1st ACM Workshop on Intrusion Detection Systems (Nov.), 2000.
Liu, A., Martin, C., Hetherington, T., and Matzner, S. "A comparison of system call feature representations for insider
threat detection," Sixth Annual IEEE SMC Information Assurance Workshop, 2005, 2005, pp. 340- 347.
Magklaras, G.B., and Furnell, S.M. "Insider Threat Prediction Tool: Evaluating the probability of IT misuse," Computers &
Security (21:1) 2001, pp 62-73.
Maloof, M.A., and Stephens, G.D. "ELICIT: A System for Detecting Insiders Who Violate Need-to-Know," Recent
Advances in Intrusion Detection (RAID), Springer-Verlag, 2007, pp. 146-166.
Maybury, M., Chase, P., Cheikes, B., Brackney, D., Matzner, S., Hetherington, T., Wood, B., Sibley, C., Marin, J., and
Longstaff, T. "Analysis and Detection of Malicious Insiders," in: Proceedings of the 2005 International Conference on
Intelligence Analysis, MITRE CORP BEDFORD MA, 2005.
Mukherjee, B., Heberlein, L.T., and Levitt, K.N. "Network intrusion detection," Network, IEEE (8:3) 1994, pp 26-41.
Nguyen, N., Reiher, P., and Kuenning, G.H. "Detecting insider threats by monitoring system call activity," 2003, pp. 45-52.
Shavlik, J., Shavlik, M., and Fahland, M. "Evaluating Software Sensors for Actively Profiling Windows 2000 Computer
Users," Fourth International Symposium on Recent Advances in Intrusion Detection, 2001.
Spafford, E.H., and Zamboni, D. "Intrusion detection using autonomous agents," Computer Networks (34:4) 2000, pp
547-570.
Spitzner, L., and Inc, H.T. "Honeypots: catching the insider threat," Computer Security Applications Conference, 2003,
pp. 170-179.
Symonenko, S., Liddy, E.D., Yilmazel, O., Del Zoppo, R., Brown, E., and Downey, M. "Semantic Analysis for Monitoring
Insider Threats," LECTURE NOTES IN COMPUTER SCIENCE (3073) 2004, pp 492-500. Thompson, H.H., Whittaker,
J.A., and Andrews, M. "Intrusion detection Perspectives on the insider threat," Computer Fraud & Security (2004:1) 2004,
pp 13-15.
Wang, L., and Jajodia, S. "An Approach to Preventing, Correlating, and Predicting Multi-Step Network Attacks," Intrusion
Detection Systems) 2008.
Yilmazel, O., Symonenko, S., Balasubramanian, N., and Liddy, E.D. "Leveraging One-Class SVM and Semantic Analysis
to Detect Anomalous Content," ISI/IEEE (5) 2005.
Zhang, R., Qian, D., Ba, C., Wu, W., and Guo, X. "Multi-agent based intrusion detection architecture," International
Conference on Computer Networks and Mobile Computing, 2001, pp. 494-501.
Acknowledgements : Advisor: David L. Hall, Ph.D. | Sponsor: Lockheed Martin Corporation | Principle Investigator: Isaac Brewer, Ph.D.