Detection of Malicious and Deceived Insiders — ST Engineering

Project Start & End Date:

August 2016- July 2019

Project Status:

Completed

Project Objectives and Scope

The scope is to develop novel algorithms for detecting insiders threat based on information that is collected on the users’ behaviour with acceptable true positive and false positive rates and efficiency, and provide an explanation why a given user is suspicious. Data sources such as mouse, keyboard dynamics and file system access logs can be employed for this purpose.

Challenges

The main research challenge is developing an algorithm that can be easily adapted to different organisations. In order to mitigate this challenge we may use transfer learning techniques. As discussed before, other challenges include achieving a balance between precision, efficiency and privacy of the algorithm, and to validate it on realistic data.

Methodology/Approach

In the project we develop algorithms based on various machine learning techniques such as Graph Clustering, Supervised and Unsupervised learning, Transfer Learning and Deep learning. Features are going to be extracted from many aspects of information related to the user. User characteristics can be analyzed using host-based activity based on system calls, keystroke timings and network traces and their respective combination. The extracted features will be used for representing the user behaviour over time and to train models in the setup phase and for detection during the operational phase. If the confidence level of the algorithm falls below certain threshold, it may serve as a stimulus to investigate actions taken by a user.

Publications

Insight Into Insiders and IT: A Survey of Insider Threat Taxonomies, Analysis, Modeling, and Countermeasures

Ivan Homoliak, Flavio Toffalini, Juan David Guarnizo, Yuval Elovici, Martín Ochoa

ACM Computer Surveys

April 2019

Careful-Packing: A practical and scalable anti-tampering software protection enforced by trusted computing

Flavio Toffalini, Martín Ochoa, Sun Jun, and Jianying Zhou

9th ACM Conference on Data and Application Security and Privacy (CODASPY 2019)

March 2019

Detection of Masqueraders Based on Graph Partitioning of File System Access Events

Flavio Toffalini, Ivan Homoliak, Athul Harilal and Martin Ochoa

2018 IEEE Security and Privacy Workshops (SPW)

May 2018

The Wolf Of SUTD (TWOS): A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition.

Athul Harilal, Flavio Toffalini, Ivan Homoliak, John Castellanos, Juan David Guarnizo, Soumik Mondal and Martin Ochoa

JoWUA - Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications

March 2018

TWOS: A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition

Athul Harilal, Flavio Toffalini, John Castellanos, Juan David Guarnizo, Ivan Homoliak and Martin Ochoa

2017 International Workshop on Managing Insider Security Threats (MIST)

October 2017

Principal Investigator(s)

BINDER, Alexander

TANG, Swee Pang Vincent

Deputy Technical Director, Programme Group, Electronics, ST Engineering