Title :
Detecting threatening insiders with lightweight media forensics
Author :
Garfinkel, Simson L. ; Beebe, Nicole ; Lishu Liu ; Maasberg, Michele
Author_Institution :
Dept. of Comput. Sci., Naval Postgrad. Sch., Arlington, VA, USA
Abstract :
This research uses machine learning and outlier analysis to detect potentially hostile insiders through the automated analysis of stored data on cell phones, laptops, and desktop computers belonging to members of an organization. Whereas other systems look for specific signatures associated with hostile insider activity, our system is based on the creation of a “storage profile” for each user, followed by an automated analysis of all the storage profiles in the organization with the purpose of finding storage outliers. Our hypothesis is that malicious insiders will have specific data, and concentrations of data, that differ from those of their colleagues and coworkers. By exploiting these differences, we can identify potentially hostile insiders. Our system is based on a combination of existing open source computer forensic tools and data-mining algorithms. We modify these tools to perform a “lightweight” analysis based on statistical sampling over time. In this way, our approach is both efficient and privacy-sensitive. As a result, we can detect not just individuals that differ from their co-workers, but also insiders that differ from their own historic norms. Accordingly, we should be able to detect insiders that have been “turned” by events or outside organizations. We should also be able to detect insider accounts that have been taken over by outsiders. Our project, now in its first year, is a three-year project funded by the Department of Homeland Security, Science and Technology Directorate, Cyber Security Division. In this paper we describe the underlying approach and demonstrate how the storage profile is created and collected using specially modified open source tools. We also present the results of running these tools on a 500GB corpus of simulated insider threat data created by the Naval Postgraduate School in 2008 under a grant from the National Science Foundation.
Keywords :
data mining; data privacy; digital forensics; learning (artificial intelligence); public domain software; sampling methods; Cyber Security Division; Department of Homeland Security; National Science Foundation; Naval Postgraduate School; Science and Technology Directorate; automated stored data analysis; cell phones; data privacy; datamining algorithms; desktop computers; hostile insider detection; insider account detection; laptops; lightweight media forensics; machine learning; malicious insiders; open source computer forensic tools; outlier analysis; statistical sampling; storage outliers; storage profiles; threatening insider detection; Algorithm design and analysis; Clustering algorithms; Electronic mail; Forensics; Histograms; Media; Organizations;
Conference_Title :
Technologies for Homeland Security (HST), 2013 IEEE International Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4799-3963-3
DOI :
10.1109/THS.2013.6698981