Mathematical models for insider threat mitigation

Gamachchi, A 2017, Mathematical models for insider threat mitigation, Doctor of Philosophy (PhD), Science, RMIT University.

Document type: Thesis
Collection: Theses

Attached Files
Name Description MIMEType Size
Gamachchi.pdf Thesis Click to show the corresponding preview/stream application/pdf; Bytes
Title Mathematical models for insider threat mitigation
Author(s) Gamachchi, A
Year 2017
Abstract The world is rapidly undergoing a massive digital transformation where every human will have no choice but to rely on the confidentiality, integrity, and availability of information systems. At the same time, there are increasing numbers of malicious attackers who are ever trying to compromise information systems for financial or political gain. Given the threat landscape and its sophistication, the traditional approach of fortifying the castle will not provide sufficient protection to the information systems. This formidable threat can only be restrained by a new approach, which looks at both inwards and outwards for potential attacks. It is well established that humans are the weakest link when it comes to information security controls although the same humans are considered as the most valued assets. A trusted custodian with malicious intent can inflict an enormous damage to critical information assets. Often these attacks go unnoticed for a considerable period and will have caused irreversible damage to the organisation by the time they are discovered.

In the recent past, there have been well publicised data compromises in the media which have damaged the reputations of governments and organisations and in some cases endangered human life. While some of these leaks can be classified as whistleblowing in the public interest, they are very real examples of information compromises in the context of information security. High profile leaks by Edward Snowden and Bradley (Chelsea) Manning, are perfect examples of the potential damage from an insider. Furthermore, most malicious insider activities go unnoticed or unpublicised as a damage control measure by the affected organisations. While there is lots of research and investment going into insider threat prevention, these attacks are
on the rise at an alarming rate.

A comprehensive study of publicly available insider threat cases, academic literature, and technical reports reveals the need for a multifaceted view of the problem. The insider threat problem can no longer be treated only as a technical data driven problem but requires the analysis of associated factors, a combination of technical and human behavioural aspects going beyond the traditional technology driven approaches.

Furthermore, there is no universally agreed comprehensive feature set as the majority of the proposed models are bounded into a single threat scenario or conducted on a specific system. In order to overcome this limitation, this thesis introduces a precise user profile model integrating insider threat related parameters from technical, behavioural, psychological, and organisational paradigms. The proposed user profile model is a combination of: a comprehensive insider threat detection and prediction feature set; a collection of various techniques for feature specific user behaviour comparisons; and a framework for quantifying user behaviour as a numerical value.

The unpredictability of malicious attackers and the complexity of malicious actions, necessitates the careful analysis of network, system and user parameters correlated with the insider threat problem. Also, unearthing the hidden evidence requires the analysis of an enormous amount of data generated from heterogeneous input streams. This creates a high dimensional, heterogeneous data analysis problem for distinguishing suspicious users from benign users. This creates the need to identify an appropriate means for data representation and feature extraction. Since traditional graph theory and new approaches in the field of complex networks
enable the means of representing high dimensional, heterogeneous data, the feasibility of the use of graphs for data representation and feature extraction are investigated going beyond traditional data mining techniques.

Unattributed graphs are introduced to represent users’ device usage data, web access data, and organisational hierarchy. A graph based feature extraction technique based on subgraphs generated on different order of neighbourhoods are introduced. A graph based approach to capture inter-user relationships using web access data is presented.

Various insider threat models proposed in the literature including intrusion detection based approaches, system call based approaches, honeypot based approaches and stream mining approaches end up with high false positive rates. More recently machine learning approaches for identifying suspicious users from normal users have increased. However, the application of graph based anomaly detection techniques addressing the insider threat problem is relatively rare in the academic literature as well as uncommon in the commercial world. Therefore, we focused our attention on graph based anomaly detection techniques for differentiating suspicious
users from the benign users.

This thesis introduces two distinct insider threat detection frameworks. The first is a hybrid insider threat detection framework based on graph theoretic feature extraction mechanism and an unsupervised anomaly detection algorithm. The second is built on an attributed graph clustering mechanism integrated with an outlier ranking mechanism.

Finally, a comprehensive theoretical and commercially viable framework for insider threat mitigation integrating user profiling, threat detection, and threat detection is introduced.
Degree Doctor of Philosophy (PhD)
Institution RMIT University
School, Department or Centre Science
Subjects Computer System Security
Applied Mathematics not elsewhere classified
Pattern Recognition and Data Mining
Keyword(s) Insider Threat
Insider Threat Detection
Anaomaly Detection
User Behaviour Analysis
Graph Theory
Attributed Graphs
Data Mining
Version Filter Type
Access Statistics: 461 Abstract Views, 220 File Downloads  -  Detailed Statistics
Created: Tue, 20 Mar 2018, 09:43:43 EST by Denise Paciocco
© 2014 RMIT Research Repository • Powered by Fez SoftwareContact us