Andrew Stephen McGough
Detecting Insider Threats Using Ben-ware: Beneficial Intelligent Software for Identifying Anomalous Human Behaviour
McGough, Andrew Stephen; Arief, Budi; Gamble, Carl; Wall, David; Brennan, John; Fitzgerald, John; van Moorsel, Aad; Alwis, Sujeewa; Theodoropoulos, Georgios; Ruck-Keene, Ed
Authors
Budi Arief
Carl Gamble
David Wall
John Brennan
John Fitzgerald
Aad van Moorsel
Sujeewa Alwis
Georgios Theodoropoulos
Ed Ruck-Keene
Abstract
The insider threat problem is a significant and ever-present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the insider threat is more complex to tackle. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or are indeed malicious. We present in this paper the concept of “Ben-ware”: a beneficial software system that uses low-level data collection from employees’ computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee’s activities against their own ‘normal’ profile, as well as against the organisation’s norm, we can detect those that are significantly divergent, which might indicate malicious activities. Dealing with false positives is one of the main challenges here. Anomalous behaviour could indicate malicious activities (such as an employee trying to steal confidential information), but it could also be benign (for example, an employee carrying out a workaround or taking a shortcut to complete their job). Therefore it is important to minimise the risk of false positives, and we do this by combining techniques from human factors, artificial intelligence, and risk analysis in our approach. Developed as a distributed system, Ben-ware has a three-tier architecture composed of (i) probes for data collection, (ii) intermediate nodes for data routing, and (iii) high-level nodes for data analysis. The distributed nature of Ben-ware allows for near-real-time analysis of employees without the need for dedicated hardware or a significant impact on the existing infrastructure. This will enable Ben-ware to be deployed in situations where there are restrictions due to legacy and low-power resources, or in cases where the network connection may be intermittent or has a low bandwidth. We demonstrate the appropriateness of Ben-ware, both in its ability to detect potentially malicious acts and its low impact on the resources of the organisation, through a proof-of-concept system and a scenario based on synthetically generated user data.
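The abstract's central idea, scoring each employee's activity against their own baseline and against the organisation-wide baseline so that a single outlier score does not by itself raise an alert, can be made concrete with a small scoring routine. The following is an added illustration written for this page, not code from Ben-ware or from the authors: the three probe counters, the constructed ten-day log for four users, the z-score floor `min_sd`, the 3.0 threshold and the "flag only when both baselines are exceeded" policy are all hypothetical choices made here.

```python
"""Per-user vs organisation-wide anomaly scoring over daily probe counters.

Added illustration of the idea in the abstract (score each employee against
their own baseline and against the organisation's), not code from Ben-ware.
Feature names, sample data, thresholds and the AND-policy are hypothetical.
"""
from statistics import mean, pstdev

FEATURES = ("file_read", "usb_write", "offhours_login")  # hypothetical probe counters
HISTORY_DAYS = range(9)   # days 0..8 form the baseline
TARGET_DAY = 9            # the day being scored

# Deterministic day-to-day variation so the numbers are reproducible.
JITTER = [0, 1, -1, 0, 2, -2, 1, 0, -1]      # sums to zero, pstdev ~1.15
SPIKES = [0, 0, 1, 0, 0, 0, 1, 0, 0]         # occasional +1 on small counters


def build_sample_log():
    """Constructed data: 4 users x 10 days of per-day counters.

    carol is an admin whose normal read volume is far above the others;
    on day 9 alice reads twice her usual amount (still ordinary for the
    organisation) and dave reads ~12x his usual amount and writes 25 files
    to USB (unusual for him AND for the organisation).
    """
    base = {            # (file_read, usb_write, offhours_login)
        "alice": (20, 0, 0),
        "bob":   (25, 1, 0),
        "carol": (120, 1, 2),
        "dave":  (22, 0, 0),
    }
    day9 = {
        "alice": (40, 0, 0),
        "bob":   (25, 1, 0),
        "carol": (120, 1, 2),
        "dave":  (260, 25, 0),
    }
    log = []
    for user, (fr, usb, off) in base.items():
        scale = 3 if fr >= 100 else 1          # heavier users vary more day to day
        for day in HISTORY_DAYS:
            log.append({"user": user, "day": day,
                        "file_read": fr + scale * JITTER[day],
                        "usb_write": usb + SPIKES[day],
                        "offhours_login": off + (SPIKES[day] if off else 0)})
        fr9, usb9, off9 = day9[user]
        log.append({"user": user, "day": TARGET_DAY, "file_read": fr9,
                    "usb_write": usb9, "offhours_login": off9})
    return log


def zscore(x, history, min_sd):
    """Standard score of x against history; min_sd stops a near-constant
    baseline (a counter that is almost always 0) from turning every
    single event into an infinite outlier."""
    sd = max(pstdev(history), min_sd)
    return (x - mean(history)) / sd


def score_user(log, user, threshold=3.0, min_sd=1.0):
    """Return (scores, flagged_features) for `user` on TARGET_DAY.

    scores[f] = (self_z, org_z). A feature is flagged only when it is an
    outlier against BOTH the user's own history and the organisation-wide
    history (hypothetical policy): a level that is high for this user but
    ordinary for the organisation is not flagged, which trims false
    positives at the cost of missing a user who drifts upward while
    staying inside the organisation's envelope.
    """
    today = next(r for r in log if r["user"] == user and r["day"] == TARGET_DAY)
    own = [r for r in log if r["user"] == user and r["day"] in HISTORY_DAYS]
    org = [r for r in log if r["day"] in HISTORY_DAYS]
    scores, flagged = {}, []
    for f in FEATURES:
        sz = zscore(today[f], [r[f] for r in own], min_sd)
        oz = zscore(today[f], [r[f] for r in org], min_sd)
        scores[f] = (round(sz, 2), round(oz, 2))
        if sz > threshold and oz > threshold:
            flagged.append(f)
    return scores, flagged


def triage(log, threshold=3.0):
    """Map each user with at least one flagged feature to that feature's
    (self_z, org_z) pair; users with nothing flagged are omitted so an
    analyst only sees the candidates."""
    report = {}
    for user in sorted({r["user"] for r in log}):
        scores, flagged = score_user(log, user, threshold)
        if flagged:
            report[user] = {f: scores[f] for f in flagged}
    return report


if __name__ == "__main__":
    for user, hits in triage(build_sample_log()).items():
        print(user, hits)
```

On the constructed data only `dave` is reported: his `file_read` and `usb_write` are extreme against both baselines. `alice` doubling her reads is a large self-divergence but sits inside the organisation's spread, and `carol`'s high volume is ordinary for her, so neither surfaces. Whether a self-only divergence like alice's should still be queued for a human at a lower priority is the risk-analysis decision the abstract alludes to; the AND rule here is just one way to set that threshold.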
Citation
McGough, A. S., Arief, B., Gamble, C., Wall, D., Brennan, J., Fitzgerald, J., …Ruck-Keene, E. (2015). Detecting Insider Threats Using Ben-ware: Beneficial Intelligent Software for Identifying Anomalous Human Behaviour. Journal of wireless mobile networks, ubiquitous computing and dependable applications, 6(4), 1-44
| Journal Article Type | Article |
|---|---|
| Acceptance Date | Dec 16, 2015 |
| Publication Date | Dec 1, 2015 |
| Deposit Date | Dec 16, 2015 |
| Journal | Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications |
| Print ISSN | 2093-5374 |
| Electronic ISSN | 2093-5382 |
| Publisher | Innovative Information Science & Technology Research Group |
| Peer Reviewed | Peer Reviewed |
| Volume | 6 |
| Issue | 4 |
| Pages | 1-44 |
| Keywords | Insider threats, Detection, Anomalous behaviour, Human behaviour, Artificial intelligence, Assistive tool, Ethics |
| Publisher URL | http://jowua.yolasite.com/vol6no4.php |