2013 IEEE CS Security and Privacy Workshops (SPW2013)
San Francisco, CA USA
May 23-May 24
ISBN: 978-1-4799-0458-7
William T. Young, SAIC, Arlington, VA, USA
Henry G. Goldberg, SAIC, Arlington, VA, USA
Alex Memory, SAIC, Arlington, VA, USA
James F. Sartain, SAIC, Arlington, VA, USA
Ted E. Senator, SAIC, Arlington, VA, USA
This paper reports the first set of results from a comprehensive set of experiments to detect realistic insider threat instances in a real corporate database of computer usage activity. It focuses on the application of domain knowledge to provide starting points for further analysis. Domain knowledge is applied (1) to select appropriate features for use by structural anomaly detection algorithms, (2) to identify features indicative of activity known to be associated with insider threat, and (3) to model known or suspected instances of insider threat scenarios. We also introduce a visual language for specifying anomalies across different types of data, entities, baseline populations, and temporal ranges. Preliminary results of our experiments on two months of live data suggest that these methods are promising, with several experiments providing area under the curve scores close to 1.0 and lifts ranging from ×20 to ×30 over random.
Index Terms:
Feature extraction, Computers, Electronic mail, Detectors, Detection algorithms, Sociology, Statistics, anomaly detection; insider threat; experimental case study
Citation:
William T. Young, Henry G. Goldberg, Alex Memory, James F. Sartain, Ted E. Senator, "Use of Domain Knowledge to Detect Insider Threats in Computer Activities," spw, pp. 60-67, 2013 IEEE CS Security and Privacy Workshops (SPW2013), 2013