
Data-driven Model-based Detection of Malicious Insiders via Physical Access Logs

Published: 18 November 2019

Abstract

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this article, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We suggest two different models of movement behavior in this article and evaluate their ability to represent normal user movement. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.
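The abstract describes learning movement models from historical building access logs and combining them with knowledge of the building layout for online detection. The Python below is an added illustration written for this page, not the paper's code or data: it fits a per-user first-order Markov chain over door-to-door transitions (with Laplace smoothing) from a constructed badge log, derives a per-user likelihood threshold from that user's own history, and treats any transition the constructed layout does not permit as anomalous regardless of history. Door names, the adjacency map, the log entries, the smoothing weight and the margin are all assumptions made for the example; the paper's actual models and thresholds may differ.

```python
import math
from collections import defaultdict

# Constructed building layout: doors reachable directly from each door
# (undirected). A deployment would derive this from the floor plan.
LAYOUT = {
    "LOBBY": {"CORRIDOR_A"},
    "CORRIDOR_A": {"LOBBY", "OFFICE_1", "CORRIDOR_B"},
    "CORRIDOR_B": {"CORRIDOR_A", "SIGNAL_ROOM", "SERVER_ROOM"},
    "OFFICE_1": {"CORRIDOR_A"},
    "SIGNAL_ROOM": {"CORRIDOR_B"},
    "SERVER_ROOM": {"CORRIDOR_B"},
}
DOORS = sorted(LAYOUT)

# Constructed historical badge log: (user, day, doors in the order badged).
HISTORY = [
    ("u1", "d1", ["LOBBY", "CORRIDOR_A", "OFFICE_1", "CORRIDOR_A", "LOBBY"]),
    ("u1", "d2", ["LOBBY", "CORRIDOR_A", "OFFICE_1", "CORRIDOR_A", "LOBBY"]),
    ("u1", "d3", ["LOBBY", "CORRIDOR_A", "CORRIDOR_B", "SIGNAL_ROOM",
                  "CORRIDOR_B", "CORRIDOR_A", "LOBBY"]),
    ("u2", "d1", ["LOBBY", "CORRIDOR_A", "CORRIDOR_B", "SERVER_ROOM",
                  "CORRIDOR_B", "CORRIDOR_A", "LOBBY"]),
]


class MovementModel:
    """Per-user first-order Markov chain over door transitions."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha  # Laplace smoothing: unseen transitions keep small nonzero mass
        self.counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
        self.paths = defaultdict(list)  # user -> training paths (used for the threshold)

    def fit(self, history):
        for user, _day, path in history:
            self.paths[user].append(path)
            for a, b in zip(path, path[1:]):
                self.counts[user][a][b] += 1
        return self

    def prob(self, user, a, b):
        """Smoothed P(next door = b | current door = a) for this user."""
        row = self.counts[user][a]
        total = sum(row.values())
        return (row.get(b, 0) + self.alpha) / (total + self.alpha * len(DOORS))

    def score_path(self, user, path):
        """Mean log-likelihood per transition, plus the transitions never seen
        for this user and those the building layout does not permit."""
        unseen, impossible, logp = [], [], 0.0
        for a, b in zip(path, path[1:]):
            if b not in LAYOUT.get(a, ()):
                impossible.append((a, b))
            if self.counts[user][a].get(b, 0) == 0:
                unseen.append((a, b))
            logp += math.log(self.prob(user, a, b))
        steps = max(len(path) - 1, 1)
        return {"logp_per_step": logp / steps, "unseen": unseen, "impossible": impossible}

    def threshold(self, user, margin=0.3):
        """Per-user threshold: the worst training-day score minus a margin."""
        scores = [self.score_path(user, p)["logp_per_step"] for p in self.paths[user]]
        return min(scores) - margin if scores else -math.inf


def build_model():
    return MovementModel().fit(HISTORY)


def detect(model, user, path, margin=0.3):
    """Online check of one movement sequence. A layout-impossible transition is
    anomalous on its own (a door badged without passing the one before it);
    otherwise the sequence is anomalous when its likelihood falls below the
    user's own threshold."""
    result = model.score_path(user, path)
    result["anomalous"] = (bool(result["impossible"])
                           or result["logp_per_step"] < model.threshold(user, margin))
    return result


if __name__ == "__main__":
    m = build_model()
    for user, path in [
        ("u1", ["LOBBY", "CORRIDOR_A", "OFFICE_1", "CORRIDOR_A", "LOBBY"]),
        ("u1", ["LOBBY", "CORRIDOR_A", "CORRIDOR_B", "SERVER_ROOM"]),
        ("u2", ["LOBBY", "CORRIDOR_A", "CORRIDOR_B", "SERVER_ROOM"]),
        ("u1", ["LOBBY", "SERVER_ROOM"]),
    ]:
        print(user, path, detect(m, user, path))
```

The same walk to the server room is flagged for `u1`, who has never badged into that room, and passes for `u2`, whose baseline includes it; this per-user baseline is what distinguishes model-based detection from a static access-control list. The layout check catches a badge at a door that cannot be reached from the previous one, which the likelihood score alone would only penalise softly.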



Reviews

Amos O Olagunju

Employees with security clearance will perhaps continue to pose the ultimate security threat to businesses, organizations, and security researchers. What kinds of data and algorithms should be effectively used to monitor and thwart risky employees? Cheh et al. offer some insights for identifying malicious insiders based on recorded physical access logs. The authors present a framework for portraying user actions, to identify different models for delving into user behavior via historical data. Two distinct Markov models are used to identify the physical pathways in use at railway transit stations. The security threat model identifies users with legal or illegal physical access to the station rooms. The malicious insider detection framework consists of components for discovering the spatial and temporal properties of user movement behavior, and then ascertaining and applying an appropriate model to guesstimate the likelihood of anomalous access in the railway system blueprint. The framework includes offline and online phases. In the offline phase, users are characterized based on their past movement behavior, and models are constructed based on users' characteristics and past movement. The online phase computes the magnitude of uncharacteristic accesses by users. To evaluate the effectiveness of the advocated framework, the authors use data on the physical card accesses of 590 users to a railway station with 62 rooms. The information on several thousand physical accesses includes date and time, door code, user credential, and access type. The results of the data analysis reveal that the Markov model is effective in forecasting subsequent user movements based on historical physical accesses, and the unique pathways of users are appropriate for discovering regular and irregular movement behavior. The simulation results show the framework's reliability and competency.

The authors present accurate and efficient algorithms for detecting normal and abnormal access to physical computer rooms and resources. System administrators and cybersecurity experts should read this insightful paper.


Published In

ACM Transactions on Modeling and Computer Simulation, Volume 29, Issue 4
Special Issue on Qest 2017
October 2019
188 pages
ISSN: 1049-3301
EISSN: 1558-1195
DOI: 10.1145/3372492
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 18 November 2019
Accepted: 01 January 2019
Revised: 01 November 2018
Received: 01 January 2018
Published in TOMACS Volume 29, Issue 4


Author Tags

1. Railway transportation system
2. intrusion detection
3. physical movement

Qualifiers

• Research-article
• Research
• Refereed

Funding Sources

• Advanced Digital Sciences Center from Singapore's Agency for Science, Technology and Research (A*STAR)
• National Cybersecurity R&D Directorate
• Maryland Procurement Office
• Human-Centered Cyber-physical Systems Programme
• National Research Foundation (NRF), Prime Minister's Office, Singapore, under its National Cybersecurity R&D Programme


Cited By

• (2024) A Review of Recent Advances, Challenges, and Opportunities in Malicious Insider Threat Detection Using Machine Learning Methods. IEEE Access 12, 30907-30927. DOI: 10.1109/ACCESS.2024.3369906. Online publication date: 2024.
• (2023) Insider Intrusion Detection Techniques: A State-of-the-Art Review. Journal of Computer Information Systems 64:1, 106-123. DOI: 10.1080/08874417.2023.2175337. Online publication date: 14-Feb-2023.
• (2021) A New Database Intrusion Detection Approach Based on Hybrid Meta-heuristics. Computers, Materials & Continua 66:2, 1879-1895. DOI: 10.32604/cmc.2020.013739. Online publication date: 2021.
• (2021) BTDetect: An Insider Threats Detection Approach Based on Behavior Traceability for IaaS Environments. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), 344-351. DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00055. Online publication date: Sep-2021.
• (2020) Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics 9:9, 1460. DOI: 10.3390/electronics9091460. Online publication date: 7-Sep-2020.
• (2019) Introduction to the Special Issue on Qest 2017. ACM Transactions on Modeling and Computer Simulation 29:4, 1-2. DOI: 10.1145/3363784. Online publication date: 18-Nov-2019.
