Detection of Malicious and Deceived Insiders

Project Start & End Date: 

August 2016- July 2019

Project Status: 

Completed

Project Objectives and Scope

The scope is to develop novel algorithms for detecting insiders threat based on information that is collected on the users’ behaviour with acceptable true positive and false positive rates and efficiency, and provide an explanation why a given user is suspicious. Data sources such as mouse, keyboard dynamics and file system access logs can be employed for this purpose.

Challenges

The main research challenge is developing an algorithm that can be easily adapted to different organisations. In order to mitigate this challenge we may use transfer learning techniques. As discussed before, other challenges include achieving a balance between precision, efficiency and privacy of the algorithm, and to validate it on realistic data.

Methodology/Approach

In the project we develop algorithms based on various machine learning techniques such as Graph Clustering, Supervised and Unsupervised learning, Transfer Learning and Deep learning. Features are going to be extracted from many aspects of information related to the user. User characteristics can be analyzed using host-based activity based on system calls, keystroke timings and network traces and their respective combination. The extracted features will be used for representing the user behaviour over time and to train models in the setup phase and for detection during the operational phase. If the confidence level of the algorithm falls below certain threshold, it may serve as a stimulus to investigate actions taken by a user.

Publications