Volume 4 - Issue 4
Towards a User and Role-based Sequential Behavioural Analysis Tool for Insider Threat Detection
- Ioannis Agrafiotis
Cyber Security Centre, Department of Computer Science, University of Oxford.
ioannis.agrafiotis@cs.ox.ac.uk
- Philip Legg
Cyber Security Centre, Department of Computer Science, University of Oxford.
- Michael Goldsmith
Cyber Security Centre, Department of Computer Science, University of Oxford.
- Sadie Creese
Cyber Security Centre, Department of Computer Science, University of Oxford.
Keywords: Insider threat, Anomaly detection, Attack trees
Abstract
Insider threat is recognised to be a significant problem and of great concern to corporations and governments alike. Traditional intrusion detection systems are known to be ineffective against it, because insiders typically have extensive knowledge of, and capability within, the organisational setup. Instead, more sophisticated measures are required to analyse the actions performed by those within the organisation and to assess whether those actions suggest that they pose a threat. In this paper, we propose a proof-of-concept that uses activity trees to establish sequence-based analysis of employee behaviour. The concept combines the notions of previously proposed techniques such as attack trees and behaviour trees. For a given employee, we define a tree that can represent all sequences of their observed behaviours. Over time, branches are either appended or created to reflect new observations of how the employee acts. We also incorporate a similarity measure to establish how different branches compare against each other. An attack can then be defined as the case where the similarity between a newly observed branch and all existing branches falls below a given acceptance criterion. The approach would allow an analyst to observe chains of events that result in low-probability activities, which could be deemed unusual and therefore potentially malicious. We demonstrate our proof-of-concept using third-party synthetic employee activity logs, to illustrate the practicalities of delivering this form of protective monitoring.
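To make the tree-and-similarity idea in the abstract concrete, the following is an added Python example; it is not the authors' tool or code. The abstract leaves the session boundary, the similarity measure and the threshold open, so the example assumes: one session is a user's ordered actions on one day; a branch is a root-to-terminal path in a prefix tree; similarity between two branches is a normalised longest-common-subsequence ratio; the acceptance threshold is 0.5; and a user with no history yet is scored against the tree built for their role (one reading of the title's "user and role-based"). The log lines are constructed for the example, not the third-party synthetic data set the paper uses.

```python
"""Added example, not the paper's code: per-user activity trees plus a
branch-similarity check. Assumptions (not fixed by the abstract): a session
is one user's ordered actions on one day; a branch is a root-to-terminal
path in a prefix tree; similarity is a normalised LCS ratio; threshold 0.5;
a user with no history is scored against their role's tree instead."""
from collections import defaultdict

THRESHOLD = 0.5  # constructed acceptance criterion; tune on real baselines

class Node:
    def __init__(self, action):
        self.action, self.count, self.terminal, self.children = action, 0, 0, {}

class ActivityTree:
    """Prefix tree over every session observed for one user (or one role)."""

    def __init__(self):
        self.root = Node(None)

    def add(self, sequence):
        """Append to an existing branch, or create a new one, for this session."""
        node = self.root
        for action in sequence:
            node = node.children.setdefault(action, Node(action))
            node.count += 1      # how often this prefix of actions was seen
        node.terminal += 1       # how often a session ended at this node

    def branches(self):
        """Every root-to-terminal path, each as a tuple of actions."""
        out = []
        def walk(node, path):
            if node.terminal:
                out.append(tuple(path))
            for child in node.children.values():
                walk(child, path + [child.action])
        walk(self.root, [])
        return out

def lcs_length(a, b):
    """Length of the longest common subsequence (order-preserving)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Normalised LCS ratio in [0, 1]; 1.0 means an identical branch."""
    return 2 * lcs_length(a, b) / (len(a) + len(b)) if (a or b) else 1.0

class Detector:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.user_trees = defaultdict(ActivityTree)
        self.role_trees = defaultdict(ActivityTree)

    def observe(self, user, role, sequence):
        """Score one session against existing branches, then record it.
        Returns (best similarity, or None when there is no history, flagged)."""
        # Assumption: with no history for this user, compare against role peers.
        branches = self.user_trees[user].branches() or self.role_trees[role].branches()
        score = max((similarity(sequence, b) for b in branches), default=None)
        flagged = score is not None and score < self.threshold
        self.user_trees[user].add(sequence)   # branch appended or created
        self.role_trees[role].add(sequence)
        return score, flagged

def sessions_from_log(lines):
    """Group 'date,user,role,action' lines into per-day sequences, keeping the
    order in which the events appear in the log."""
    grouped = {}
    for line in lines:
        date, user, role, action = line.strip().split(",")
        grouped.setdefault((date, user, role), []).append(action)
    return [(user, role, seq) for (_, user, role), seq in grouped.items()]

def run(lines, threshold=THRESHOLD):
    """Replay a log in order and return (user, score, flagged) per session."""
    detector = Detector(threshold)
    return [(user,) + detector.observe(user, role, seq)
            for user, role, seq in sessions_from_log(lines)]

# Constructed sample log (date,user,role,action), not the paper's data set.
SAMPLE_LOG = [
    "2024-03-04,alice,analyst,logon", "2024-03-04,alice,analyst,email",
    "2024-03-04,alice,analyst,web", "2024-03-04,alice,analyst,email",
    "2024-03-04,alice,analyst,logoff", "2024-03-05,alice,analyst,logon",
    "2024-03-05,alice,analyst,email", "2024-03-05,alice,analyst,web",
    "2024-03-05,alice,analyst,logoff", "2024-03-06,bob,analyst,logon",
    "2024-03-06,bob,analyst,email", "2024-03-06,bob,analyst,web",
    "2024-03-06,bob,analyst,logoff", "2024-03-07,alice,analyst,logon",
    "2024-03-07,alice,analyst,usb_connect", "2024-03-07,alice,analyst,file_copy",
    "2024-03-07,alice,analyst,usb_disconnect", "2024-03-07,alice,analyst,logoff",
]

if __name__ == "__main__":
    for user, score, flagged in run(SAMPLE_LOG):
        print(f"{user:6} score={score} {'ANOMALY' if flagged else 'ok'}")
```

Replaying the constructed log, alice's first day has no history and is only recorded; her second day scores 8/9 against the first branch; bob's first day scores 1.0 because, with no branches of his own, he is compared against the analyst role tree, where alice's second day is identical; alice's final day (logon, usb_connect, file_copy, usb_disconnect, logoff) shares only logon and logoff with her existing branches, so its best match is 4/9, below the threshold, and it is flagged. Scoring is done before the new branch is added, so a session never matches itself. Two design points matter for a real deployment: the LCS ratio is order-sensitive, which is the point of a sequential rather than a bag-of-actions comparison, and because every observed branch is folded into the tree, a slowly drifting baseline will raise the threshold needed to catch gradual change, so the threshold should be calibrated per role rather than fixed globally.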