A Data-Driven Evaluation for Insider Threats

Insiders are often legal users who are authorized to access system and data. If they misuse their privileges, it would bring great threat to system security. In practice, we could not have any knowledge about fraud pattern in advance, and most malicious behaviors are often in accordance with security rules; thus, it is difficult to predefine regulations for preventing all kinds of frauds. In this paper, we propose a data-driven evaluation model to detect malicious insiders, which audits user behaviors from both parallel and incremental aspects. Users are grouped together according to their positions and responsibilities, based on which the normal pattern is learned. For each user, a routine behavior pattern is also learned for historical assessment. Then, users are evaluated against both group patterns and routine patterns by probabilistic methods. The deviation degree is adopted as an evidence to justify an anomaly. We also recognize the abnormal activities that often make a user behavior much deviate, which can help an administrator revisit security policies or update activity weights in assessment. At last, experiments are performed on several real dataset.