• DocumentCode
    1707520
  • Title
    A comparison of system call feature representations for insider threat detection
  • Author
    Liu, Alexander ; Martin, Cheryl ; Hetherington, Tom ; Matzner, Sara
  • Author_Institution
    Signal & Inf. Sci. Lab., Texas Univ. at Austin, TX, USA
  • fYear
    2005
  • Firstpage
    340
  • Lastpage
    347
  • Abstract
    This paper investigates anomaly detection techniques that have been successful for detecting external threats and applies them to the insider threat problem. The "insider threat" involves the actions of a trusted and privileged user who is inappropriately accessing or disseminating sensitive information or otherwise compromising information systems. In contrast, the "external threat" involves the actions of an outsider attempting to compromise or gain access to the information systems. Although approaches for automatically detecting external threat instances have been quite successful (i.e., intrusion detection systems), there is very little similar work for the insider threat. In the past, anomaly detection systems have proven useful for detecting external threat. Anomaly detection at the system call level offers a high degree of information assurance in terms of tamper-resistance and system activity coverage. Therefore, we investigate three system-call-based feature representations: n-grams of system call names, histograms of system call names, and individual system calls with associated parameters. We find that none of these representations consistently performs as well when dealing with the internal threat as previous results show for external threat detection. However, parameter-based features for certain system calls do show some sensitivity to detecting the insider threat, and we plan to explore and enhance this sensitivity in future work.
  • Keywords
    information systems; security of data; anomaly detection system; external threat detection; histograms; information access; information assurance; information dissemination; information systems; insider threat detection; intrusion detection system; outlier detection; sensitive information; system call feature representation; system call names; tamper resistance; trust; user privilege; Business; Computer vision; Data security; Government; Histograms; Information systems; Intrusion detection; Monitoring; Operating systems; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC
  • Print_ISBN
    0-7803-9290-6
  • Type
    conf
  • DOI
    10.1109/IAW.2005.1495972
  • Filename
    1495972