- Takayuki Sasaki
Service Platforms Res. Labs. NEC Corporation 1753 Shimonumabe, Nakahara-Ku, Kawasaki, Kanagawa, Japan
A Framework for Detecting Insider Threats using Psychological Triggers
Malicious insiders are difficult to detect and prevent, because insiders such as employees have legitimate rights to access an organization's resources in order to carry out their responsibilities. To overcome this problem, we have developed a framework that detects suspicious insiders using a psychological trigger that impels malicious insiders to behave suspiciously. We have also proposed an architecture comprising an announcer, a monitor, and an analyzer. First, the announcer creates an event (called a "trigger") that impels malicious insiders to behave suspiciously. Then the monitor records suspicious actions such as file and e-mail deletions. Finally, the analyzer identifies the suspicious insiders by comparing the number of deletions before and after the trigger. In this paper, we extend the monitored reaction from "data deletion" alone to "stopping further malicious activities". This extension allows a wider variety of use cases, such as "finding private web browsing" and "finding use of unnecessary applications". We also extend the architecture so as to monitor servers as well as clients. The server monitoring architecture is required in the case of server-side data deletions, i.e., e-mail or file deletions at the server side. Moreover, we describe the effectiveness of our approach in such cases.
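The analyzer's before/after comparison, as an added example in Python that is not the paper's code: it counts each user's deletions and browsing events in equal-length windows on either side of a trigger time and flags a post-trigger deletion spike (the original "data deletion" reaction) or a post-trigger halt in activity (the extended "stop further activities" reaction). The log lines, trigger time, action names and thresholds are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed monitor records (not from the paper): "<ISO time> <user> <action>".
SAMPLE_LOG = """\
2024-05-01T10:30:00 bob web_browse
2024-05-01T11:00:00 alice file_delete
2024-05-01T15:00:00 bob web_browse
2024-05-02T08:00:00 carol mail_delete
2024-05-02T09:00:00 bob web_browse
2024-05-02T09:45:00 alice file_delete
2024-05-02T10:30:00 carol mail_delete
2024-05-02T11:00:00 carol file_delete
2024-05-02T13:00:00 carol mail_delete
2024-05-02T14:00:00 carol mail_delete
2024-05-02T16:00:00 alice file_delete
2024-05-02T17:00:00 dave web_browse
"""

# Constructed trigger time: the moment the announcer publishes its event.
TRIGGER = datetime(2024, 5, 2, 10, 0, 0)
DELETION_ACTIONS = {"file_delete", "mail_delete"}  # "data deletion" reactions
STOP_ACTIONS = {"web_browse"}                      # activity expected to stop

def parse_log(text):
    """Parse monitor records into (timestamp, user, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action = line.split()
        events.append((datetime.fromisoformat(ts), user, action))
    return events

def count_window(events, start, end, actions):
    """Count per-user events of the given actions in [start, end)."""
    counts = Counter()
    for ts, user, action in events:
        if start <= ts < end and action in actions:
            counts[user] += 1
    return counts

def analyze(events, trigger, window=timedelta(hours=24), min_events=3, ratio=3.0):
    """Flag users whose deletions jump, or whose activity stops, after the trigger."""
    before = (trigger - window, trigger)
    after = (trigger, trigger + window)
    del_before = count_window(events, *before, DELETION_ACTIONS)
    del_after = count_window(events, *after, DELETION_ACTIONS)
    stop_before = count_window(events, *before, STOP_ACTIONS)
    stop_after = count_window(events, *after, STOP_ACTIONS)
    # Spike: enough post-trigger deletions and at least `ratio` times the baseline.
    spike = sorted(u for u, n in del_after.items()
                   if n >= min_events and n >= ratio * max(del_before[u], 1))
    # Ceased: a regular pre-trigger activity that disappears entirely afterwards.
    ceased = sorted(u for u, n in stop_before.items()
                    if n >= min_events and stop_after[u] == 0)
    return {"deletion_spike": spike, "activity_ceased": ceased}

if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG), TRIGGER))
```

Users with a steady baseline (alice) or with no pre-trigger history (dave) are not flagged, which is the point of comparing against each user's own pre-trigger window rather than a global threshold.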