Volume 9 - Issue 1
Stopping the Insider at the Gates: Protecting Organizational Assets Through Graph Mining
- Pablo Moriano
School of Informatics, Computing, and Engineering, Indiana University, Bloomington, IN 47408, USA
pmoriano@indiana.edu
- Jared Pendleton
Advanced Security Initiatives Group, Cisco Systems, Inc., Knoxville, TN 37932, USA
jarpendl@cisco.com
- Steven Rich
Advanced Security Research Group, Cisco Systems, Inc., Knoxville, TN 37932, USA
srich@cisco.com
- L. Jean Camp
School of Informatics, Computing, and Engineering, Indiana University, Bloomington, IN 47408, USA
ljcamp@indiana.edu
Keywords: Anomaly detection, insider threat, bipartite graph, graph mining, community structure, IBM Rational ClearCase
Abstract
The increasing threat of insider attacks has resulted in a correlated increase in incentives to monitor trusted insiders. Measures of volumes of access, detailed background checks, and statistical characterizations of employee behaviors are all commonly used to mitigate the insider threat. These traditional approaches usually rely on supervised learning models or case studies to determine the critical features or attributes that can be used as indicators. Such approaches require labeled data for correct characterization of the threat. Yet regardless of the incentives to detect the insider threat, the incentives to share detailed labeled data on successful malicious insiders have proven inadequate. To address this challenging data environment, we developed an innovative approach that captures the temporal evolution of user-system interactions, to create an unsupervised learning framework to detect high-risk insider behaviors. Our method is based on the analysis of a bipartite graph of user and system interactions. The graph mining method detects increases in potential insider threat events following precipitating events, e.g., a limited restructuring. We apply our method to a dataset that comprises interactions between engineers and components in a software version control system spanning 22 years, and automatically detect statistically significant events. We find that there is statistically significant evidence for increasing anomalies in the committing behavior after precipitating events. Although these findings do not constitute detection of insider threat events per se, they reinforce the idea that insider operations can be motivated by the insiders’ environment and detected with the proposed method. We compare our results with algorithms based on volume-dependent statistics, showing that our proposed framework outperforms those measures. This graph mining method has potential for early detection of insider threat behavior from user-system interactions, which could enable quicker mitigation.
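The abstract contrasts a user-component bipartite graph with volume-dependent statistics. The following is an added illustration of that contrast, not the paper's algorithm or code: it scores each engineer's commits in a week by how many fall outside the components reachable through their earlier collaborators in the bipartite graph, and compares that with a plain commit count. The commit records, engineer names and component names are constructed.

```python
"""Illustrative bipartite user-component anomaly scoring (not the paper's method)."""
from collections import defaultdict

# Constructed commit records: (week, engineer, component). Weeks 1-2 form the
# baseline. In week 3 every engineer keeps the same commit volume, but 'carol'
# moves to components none of her collaborators ever touched.
COMMITS = [
    (1, "alice", "auth"), (1, "alice", "billing"), (1, "bob", "billing"),
    (1, "bob", "ui"), (1, "carol", "ui"), (1, "carol", "auth"),
    (2, "alice", "auth"), (2, "bob", "ui"), (2, "carol", "ui"), (2, "carol", "billing"),
    (3, "alice", "auth"), (3, "alice", "billing"), (3, "bob", "ui"),
    (3, "bob", "billing"), (3, "carol", "kernel"), (3, "carol", "payroll"),
]

def bipartite_edges(commits, max_week):
    """Adjacency of the user-component bipartite graph built from weeks <= max_week."""
    u2c, c2u = defaultdict(set), defaultdict(set)
    for week, user, comp in commits:
        if week <= max_week:
            u2c[user].add(comp)
            c2u[comp].add(user)
    return u2c, c2u

def neighborhood(user, u2c, c2u):
    """Components the user touched plus every component touched by a collaborator
    (a user sharing at least one component with them): a one-hop projection."""
    reach = set(u2c.get(user, ()))
    for comp in list(reach):
        for peer in c2u[comp]:
            reach |= u2c[peer]
    return reach

def graph_score(commits, week):
    """Per user: fraction of commits in `week` outside the neighborhood derived from
    all earlier weeks. A user with no history scores 1.0 (everything is new)."""
    u2c, c2u = bipartite_edges(commits, week - 1)
    outside, total = defaultdict(int), defaultdict(int)
    for w, user, comp in commits:
        if w == week:
            total[user] += 1
            if comp not in neighborhood(user, u2c, c2u):
                outside[user] += 1
    return {u: outside[u] / total[u] for u in total}

def volume_score(commits, week):
    """The volume-dependent baseline: raw commit count per user in `week`."""
    counts = defaultdict(int)
    for w, user, _ in commits:
        if w == week:
            counts[user] += 1
    return dict(counts)
```

In week 3 the commit counts are identical for all three engineers, so the volume statistic is silent, while the graph score isolates carol with 1.0 against 0.0 for the others.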