Volume 6 - Issue 4
Detecting Insider Threats Using Ben-ware: Beneficial Intelligent Software for Identifying Anomalous Human Behaviour
- Andrew Stephen McGough
Durham University, Durham DH1 3LE, UK
stephen.mcgough@durham.ac.uk
- Budi Arief
Newcastle University, Newcastle upon Tyne NE1 7RU, UK
budi.arief@newcastle.ac.uk
- Carl Gamble
Newcastle University, Newcastle upon Tyne NE1 7RU, UK
carl.gamble@newcastle.ac.uk
- David Wall
University of Leeds, Leeds LS2 9JT, UK
d.s.wall@leeds.ac.uk
- John Brennan
Durham University, Durham DH1 3LE, UK
j.d.brennan@durham.ac.uk
- John Fitzgerald
Newcastle University, Newcastle upon Tyne NE1 7RU, UK
john.fitzgerald@newcastle.ac.uk
- Aad van Moorsel
Newcastle University, Newcastle upon Tyne NE1 7RU, UK
aad.vanmoorsel@newcastle.ac.uk
- Sujeewa Alwis
Insighlytics Ltd, York, UK
sujeewa@insighlytics.com
- Georgios Theodoropoulos
Durham University, Durham DH1 3LE, UK
georgios.theodoropoulos
- Ed Ruck-Keene
Durham University, Durham DH1 3LE, UK
e.a.ruck-keene@durham.ac.uk
Keywords: Insider threats; detection; anomalous behaviour; human behaviour; artificial intelligence; assistive tool; ethics.
Abstract
The insider threat problem is a significant and ever-present issue faced by any organisation. While security mechanisms can be put in place to reduce the chances of external agents gaining access to a system, either to steal assets or alter records, the issue is more complex when tackling insider threat. If an employee already has legitimate access rights to a system, it is much more difficult to prevent them from carrying out inappropriate acts, as it is hard to determine whether the acts are part of their official work or indeed malicious. We present in this paper the concept of “Ben-ware”: a beneficial software system that uses low-level data collection from employees’ computers, along with Artificial Intelligence, to identify anomalous behaviour of an employee. By comparing each employee’s activities against their own ‘normal’ profile, as well as against the organisation’s norm, we can detect those that are significantly divergent, which might indicate malicious activities. Dealing with false positives is one of the main challenges here. Anomalous behaviour could indicate malicious activities (such as an employee trying to steal confidential information), but it could also be benign (for example, an employee carrying out a workaround or taking a shortcut to complete their job). Therefore it is important to minimise the risk of false positives, and we do this by combining techniques from human factors, artificial intelligence, and risk analysis in our approach. Developed as a distributed system, Ben-ware has a three-tier architecture composed of (i) probes for data collection, (ii) intermediate nodes for data routing, and (iii) high-level nodes for data analysis. The distributed nature of Ben-ware allows for near-real-time analysis of employees without the need for dedicated hardware or a significant impact on the existing infrastructure. This will enable Ben-ware to be deployed in situations where there are restrictions due to legacy and low-power resources, or in cases where the network connection may be intermittent or has low bandwidth. We demonstrate the appropriateness of Ben-ware, both in its ability to detect potentially malicious acts and in its low impact on the resources of the organisation, through a proof-of-concept system and a scenario based on synthetically generated user data.
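The abstract's dual-baseline idea (scoring an employee against their own profile and against the organisational norm, and escalating only when both diverge, so that a shortcut colleagues routinely take is not treated as an incident) can be sketched as follows. This is an added illustration, not Ben-ware's own code or the paper's actual model; the feature, the z-score thresholds and the daily activity counts are all constructed for the example.

```python
"""Illustrative dual-baseline anomaly scoring (not Ben-ware's code)."""
from statistics import mean, pstdev

# Constructed sample: daily counts of one activity feature (e.g. sensitive
# files opened) per employee; the last value is the day under test.
HISTORY = {
    "alice": [4, 5, 4, 6, 5, 4, 5, 5],
    "bob":   [30, 28, 31, 29, 30, 32, 30, 31],  # bulk-processing role
    "carol": [5, 6, 4, 5, 5, 6, 5, 28],         # jump, but within org range
    "dave":  [5, 4, 6, 5, 5, 4, 5, 90],         # jump far beyond org range
}

def zscore(value, sample):
    """Standard deviations of `value` from the mean of `sample` (0 if flat)."""
    sd = pstdev(sample)
    return 0.0 if sd == 0 else (value - mean(sample)) / sd

def score_employee(name, history):
    """Return (self_z, org_z) for the employee's most recent observation.

    self_z: divergence from the employee's own prior days.
    org_z:  divergence from the pooled prior days of every employee.
    """
    *past, today = history[name]
    org_pool = [v for h in history.values() for v in h[:-1]]
    return zscore(today, past), zscore(today, org_pool)

def classify(self_z, org_z, self_threshold=3.0, org_threshold=2.0):
    """Combine both baselines to limit false positives.

    Unusual for the individual AND for the organisation -> escalate.
    Unusual for the individual only (e.g. a workaround that peers in
    other roles perform routinely) -> queue for analyst review.
    """
    if abs(self_z) >= self_threshold and abs(org_z) >= org_threshold:
        return "escalate"
    if abs(self_z) >= self_threshold:
        return "review"
    return "normal"

def run(history=HISTORY):
    """Map each employee to a verdict for the most recent day."""
    return {n: classify(*score_employee(n, history)) for n in history}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```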