Detecting Insider Theft of Trade Secrets
November/December 2009 (vol. 7 no. 6)
pp. 14-21
Deanna Caputo, The MITRE Corporation, McLean
Marcus Maloof, Georgetown University, Washington
Gregory Stephens, The MITRE Corporation, McLean
Trusted insiders who misuse their privileges to gather and steal sensitive information represent a potent threat to businesses. Applying access controls to protect sensitive information can reduce the threat but has significant limitations. Even if access controls are set properly, they don't protect against rogue employees who legitimately need to access sensitive information. Since 2002, researchers at MITRE have investigated methods for detecting insiders who misuse their legitimate access to steal information. A three-year, internally funded research effort developed and evaluated a research prototype of a system called Elicit (Exploit Latent Information to Counter Insider Threats) to help analysts identify insider threats. Work on Elicit prompted a team of engineers and social scientists to experimentally explore how malicious insiders use information differently from a benign baseline group. This article presents results from the research prototype evaluation, discusses preliminary results from the double-blind study of malicious insiders, and offers some essential aspects for detecting insider threats gleaned from these efforts.

Index Terms:
computer security, insider threats, computer misuse, Elicit, Exploit Latent Information to Counter Insider Threats, MITRE
Citation:
Deanna Caputo, Marcus Maloof, Gregory Stephens, "Detecting Insider Theft of Trade Secrets," IEEE Security & Privacy, vol. 7, no. 6, pp. 14-21, Nov.-Dec. 2009, doi:10.1109/MSP.2009.110