Issue No. 03 - May/June 2012 (vol. 9), pp. 332-344
You Chen , Vanderbilt University, Nashville
Bradley Malin , Vanderbilt University, Nashville
Collaborative information systems (CISs) are deployed within a diverse array of environments that manage sensitive information. Current security mechanisms detect insider threats, but they are ill-suited to monitoring systems in which users function in dynamic teams. In this paper, we introduce the community anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on the access logs of collaborative environments. The framework is based on the observation that typical CIS users tend to form community structures based on the subjects accessed (e.g., patients' records viewed by healthcare providers). CADS consists of two components: 1) relational pattern extraction, which derives community structures, and 2) anomaly prediction, which leverages a statistical model to determine when users have sufficiently deviated from their communities. We further extend CADS into MetaCADS to account for the semantics of subjects (e.g., patients' diagnoses). To empirically evaluate the framework, we perform an assessment with three months of access logs from a real electronic health record (EHR) system in a large medical center. The results illustrate that our models exhibit significant performance gains over state-of-the-art competitors. When the number of illicit users is low, MetaCADS is the best model, but as the number grows, commonly accessed semantics let illicit users hide in a crowd, so that CADS becomes the more prudent choice.
Privacy, social network analysis, data mining, insider threat detection.
You Chen, Bradley Malin, "Detecting Anomalous Insiders in Collaborative Information Systems", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 3, pp. 332-344, May/June 2012, doi:10.1109/TDSC.2012.11
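The abstract describes the two ideas the paper builds on: users who access the same subjects form communities, and a user whose access pattern is far from every community is suspicious; MetaCADS then swaps the subject (patient) for its semantics (diagnosis), which is what lets a snooper "hide in a crowd". The following added example (not the authors' CADS/MetaCADS code, and not their statistical model) sketches both views on a constructed access log. It uses Jaccard similarity over each user's set of accessed tokens and a k-nearest-peer deviation score; those two choices, the user and patient names, and the `DIAGNOSIS` map are all this example's own assumptions.

```python
"""Constructed illustration of community-based insider detection over
EHR-style access logs.  Added example: NOT the CADS/MetaCADS implementation
from the paper.  It keeps the paper's idea (users who touch the same subjects
form communities; a user far from every community is suspicious) but uses
plain Jaccard similarity and a k-nearest-peer deviation score, which are this
example's own simplifications."""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Constructed access log: (user, patient) pairs, as an EHR audit trail looks
# after it is reduced to "who viewed whose record".  Two care teams (c*, o*)
# share patients within the team; x browses across teams plus unrelated
# charts, y browses only charts nobody on either team touches.
ACCESS_LOG: List[Tuple[str, str]] = [
    ("c1", "P01"), ("c1", "P02"), ("c1", "P03"),                      # cardiology
    ("c2", "P02"), ("c2", "P03"), ("c2", "P04"),
    ("c3", "P01"), ("c3", "P03"), ("c3", "P04"), ("c3", "P05"),
    ("o1", "P10"), ("o1", "P11"), ("o1", "P12"),                      # oncology
    ("o2", "P11"), ("o2", "P12"), ("o2", "P13"),
    ("o3", "P10"), ("o3", "P12"), ("o3", "P13"), ("o3", "P14"),
    ("x", "P01"), ("x", "P11"), ("x", "P20"), ("x", "P21"),           # cross-team browsing
    ("y", "P06"), ("y", "P07"), ("y", "P08"),                         # unrelated charts
]

# Constructed patient -> diagnosis map, standing in for the "semantics of
# subjects" that MetaCADS adds on top of the subject view.
DIAGNOSIS: Dict[str, str] = {
    **{p: "heart_failure" for p in ("P01", "P02", "P03", "P04", "P05",
                                    "P06", "P07", "P08", "P20")},
    **{p: "lymphoma" for p in ("P10", "P11", "P12", "P13", "P14", "P21")},
}


def user_profiles(log: List[Tuple[str, str]],
                  key: Callable[[str], str] = lambda patient: patient
                  ) -> Dict[str, Set[str]]:
    """Project the log to user -> set of accessed tokens.  With the identity
    key the token is the patient (CADS-style subject view); with
    DIAGNOSIS.get it is the patient's diagnosis (MetaCADS-style semantic view)."""
    profiles: Dict[str, Set[str]] = defaultdict(set)
    for user, patient in log:
        profiles[user].add(key(patient))
    return dict(profiles)


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two access sets; 1.0 = identical, 0.0 = disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def deviation_scores(profiles: Dict[str, Set[str]], k: int = 2) -> Dict[str, float]:
    """Score each user as 1 - mean similarity to its k most similar peers.
    Members of a tight community share many subjects and score low; a user
    with no close peers scores near 1.0."""
    scores: Dict[str, float] = {}
    for user, subjects in profiles.items():
        sims = sorted((jaccard(subjects, other)
                       for peer, other in profiles.items() if peer != user),
                      reverse=True)
        nearest = sims[:k]
        scores[user] = (1.0 - sum(nearest) / len(nearest)) if nearest else 1.0
    return scores


def rank_anomalies(log: List[Tuple[str, str]],
                   key: Callable[[str], str] = lambda patient: patient,
                   k: int = 2) -> List[Tuple[str, float]]:
    """Most anomalous user first; ties broken by name for a stable order."""
    scores = deviation_scores(user_profiles(log, key), k)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Subject view: y (no shared patients) ranks first, x second.
    print("subject view :", rank_anomalies(ACCESS_LOG))
    # Semantic view: y's charts all carry the common diagnosis, so y collapses
    # into the cardiology community and scores 0 ("hiding in a crowd");
    # x still stands out because it spans both diagnoses.
    print("semantic view:", rank_anomalies(ACCESS_LOG, key=DIAGNOSIS.get))
```

Under the subject view `y` scores 1.0 and `x` 5/6, well above the 0.55 to 0.6 of genuine team members. Under the semantic view `y` drops to 0.0 because a common diagnosis makes its accesses indistinguishable from the cardiology team's, which is the crowd effect the abstract says favours CADS over MetaCADS once such users become numerous; `x` still scores 0.5 because it straddles two diagnoses.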