Detecting Masquerading Users in a Document Management System

A Document Management System (DMS) is a repository of digital documents that provides functionality for check-in, check-out and shared editing. In a DMS, security mechanisms like encryption of documents and enforcement of policies are implemented to protect from information leakage. These security schemes, essentially applications of Digital Rights Management technologies, while effective against external attacks, are ineffective against insider attacks. The typical insider in a DMS already has access to documents and hence, his capabilities for information leakage are much higher. In this work, we address an important, yet unexplored problem of masquerading users in a DMS, a threat for which the DMS inherently has no protection. We approach the problem by monitoring the pattern and mannerism of user actions on documents and building a profile of each user using the resulting logs. In order to illustrate our ideas, we built user profiles of 41 users working on Microsoft Word and applied two algorithms, viz., IPAM and Naïve Bayes to distinguish between them. When supplied with appropriately interpreted command sequences of a DMS, IPAM was able to distinguish between users effectively, while Naïve Bayes failed to produce any meaningful results. We recorded an average detection rate of 58% with a false positive of 14%.