Anomaly Detection in Multiple Scale for Insider Threat Analysis

Kim, Yoohwan; Sheldon, Frederick T; Hively, Lee M

Title: Anomaly Detection in Multiple Scale for Insider Threat Analysis

Conference · Sun Jan 01 00:00:00 EST 2012

OSTI ID:1047615

Kim, Yoohwan ^[1]; Sheldon, Frederick T ^[1]; Hively, Lee M ^[1]

ORNL

We propose a method to quantify malicious insider activity with statistical and graph-based analysis aided with semantic scoring rules. Different types of personal activities or interactions are monitored to form a set of directed weighted graphs. The semantic scoring rules assign higher scores for the events more significant and suspicious. Then we build personal activity profiles in the form of score tables. Profiles are created in multiple scales where the low level profiles are aggregated toward more stable higherlevel profiles within the subject or object hierarchy. Further, the profiles are created in different time scales such as day, week, or month. During operation, the insider s current activity profile is compared to the historical profiles to produce an anomaly score. For each subject with a high anomaly score, a subgraph of connected subjects is extracted to look for any related score movement. Finally the subjects are ranked by their anomaly scores to help the analysts focus on high-scored subjects. The threat-ranking component supports the interaction between the User Dashboard and the Insider Threat Knowledge Base portal. The portal includes a repository for historical results, i.e., adjudicated cases containing all of the information first presented to the user and including any additional insights to help the analysts. In this paper we show the framework of the proposed system and the operational algorithms.

OSTI does not have a digital full text copy available. For more information, please see document availability, search WorldCat, or search Google Scholar.

Cite

Export

Save

Research Organization:: Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)

Sponsoring Organization:: USDOE

DOE Contract Number:: DE-AC05-00OR22725

OSTI ID:: 1047615

Resource Relation:: Conference: Cyber Security and Information Intelligence Workshop, Oak Ridge, TN, USA, 20111012, 20111014

Country of Publication:: United States

Language:: English

Similar Records

Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams

Conference · Wed Feb 01 00:00:00 EST 2017 · OSTI ID:1047615

Tuor, Aaron R.; Kaplan, Samuel P.; Hutchinson, Brian J.; +2 more

Deep Learning for Unsupervised Insider Threat Detection in Structured Cyber Security Data Streams

Conference · Sat Feb 17 00:00:00 EST 2018 · OSTI ID:1047615

Tuor, Aaron R.; Kaplan, Samuel P.; Hutchinson, Brian J.; +2 more

Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams

Conference · Wed Feb 01 00:00:00 EST 2017 · OSTI ID:1047615

Tuor, Aaron R.; Kaplan, Samuel P.; Hutchinson, Brian J.; +2 more

Related Subjects

99 GENERAL AND MISCELLANEOUS//MATHEMATICS, COMPUTING, AND INFORMATION SCIENCE
ALGORITHMS
DETECTION
KNOWLEDGE BASE
SECURITY
COMPUTERS
Insider attacks
security
internal network peering points
behavior-based threat detection
threat ranking

Title: Anomaly Detection in Multiple Scale for Insider Threat Analysis

Citation Formats

Similar Records

Related Subjects