Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity
Philip A. Legg
University of the West of England, [email protected]
Introduction
• What is Insider Threat?
• Identifying Insider Threats
• Visual Analytics for Insider Threat
• Challenges and Limitations
• Conclusion
Insider Threat
• Someone with privileged access to, and knowledge of, an organisation, who uses this in a way that is detrimental to the operation of the organisation.
• E.g., employees, management, stakeholders, contractors.
• Example threats include intellectual property theft, data fraud, system sabotage, and reputational damage.
• Typically, a threat is initiated by a trigger and a motive (e.g., personal financial difficulties result in theft).
Insider Threat
• According to the 2015 Insider Threat report by Vormetric:
“93% of U.S. organisations polled responded as being vulnerable to insider threats”.
“59% of U.S. respondents stated that privileged users pose the biggest threat to their organisation”.
• How can we mitigate threats without impacting productivity?
• Have advances in technology created more opportunity for attack?
• Does more activity data equal more success for mitigating threats?
Identifying Insider Threat
• Given observations of user activity, how can we identify insider threats?
• Generate user and role profiles for comparative analysis.
• For each user/role:
• What devices do they use?
• What activities do they perform?
• What are the attributes of the activity?
• What is the time-profile of each instance?
Identifying Insider Threat
(Figure: feature names are composed from an activity type, a feature type and a comparison group.)
• Activity type: logon, usb_insert, http, file
• Feature type: _hourly_usage_, _new_activity_for_device_, _new_attribute_for_device_
• Group: _for_role, _for_user
• Given a profile of user activity, how can we identify insider threats?
• Obtain ‘features’ that characterize potential threats.
• New activities, or attributes
• Time of the activity/attribute
• Frequency of the activity/attribute
Examples:
logon_new_activity_for_device_for_role: a count of how many times that day the user has logged on to a device that has not been accessed before by members of that particular job role.
http_hourly_usage_for_user: a 24-element count, one per hour of the day, of activity that involves http usage for this particular user.
Identifying Insider Threat
• Given daily ‘features’ for each user, how can we assess and score user deviation?
• One approach: PCA feature decomposition.
• Suppose then that a security analyst just receives a threat score for each user for each day…
• How do they know how the threat score is computed?
• How can they trust that this threat score is valid?
• What if they want to understand how the threat score may vary, based on different activity?
• There is a need for Visual Analytics to examine the detection process!
(Figure: the interface follows the stages Overview, Zoom and Filter, Details on Demand.)
Overview
• Charts provide an interactive overview of selected summary statistics (e.g., amount of activity, deviation of activity).
• Support filtering (date range, selection).
• Zoomed view of activity by date.
• Contextual view of activity by date.
• Activity bar chart by job role.
• Activity bar chart by individual.
(Screenshot of the overview controls: Change stat, Select users, Filter by Role.)
Filter and Zoom• Interactive PCA [Jeong et al.]
• Scatter plot view of user daily activity based on PCA.
• A parallel-coordinates view provides a linked view between the plot and the profile features.
• Can identify groups of outliers, and what features contribute towards the groupings.
Filter and Zoom• Dragging points on scatter plot performs inverse PCA.
• Analyst can examine relationship between the projection space and the original feature space.
• Can be used to identify the contribution or ‘usefulness’ of each feature for refinement of the detection model (e.g., apply a weighting function to the PCA).
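The following is an added example written for this page, not the author's tool or code: it implements the two feature types defined on the earlier slides (logon_new_activity_for_device_for_role and http_hourly_usage_for_user), scores each user-day by PCA reconstruction error as the deviation measure, and, for the inverse-PCA step on this slide, maps a point of the projection space back to feature space to show which features a component moves. The PCA is a pure-Python power iteration standing in for whatever decomposition the tool uses; the event log, user names, role and device names are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
import math

# Feature layout (naming scheme of the slides): index 0 is logon_new_activity_for_device_for_role,
# indices 1..24 are http_hourly_usage_for_user for hours 00..23.
FEATURE_NAMES = ["logon_new_activity_for_device_for_role"] + [
    f"http_hourly_usage_for_user[{h:02d}]" for h in range(24)]

@dataclass(frozen=True)
class Event:
    day: int      # day index within the constructed log
    user: str
    role: str
    device: str
    kind: str     # logon | usb_insert | http | file
    hour: int

def daily_features(events):
    """{(user, day): 25-element vector}. Feature 0 counts that day's logons to a device
    no member of the role touched on an earlier day; 1..24 count http events per hour."""
    role_devices = defaultdict(set)   # devices seen per role on previous days
    feats = {}
    for day in sorted({e.day for e in events}):
        todays = [e for e in events if e.day == day]
        for e in todays:
            vec = feats.setdefault((e.user, day), [0] * 25)
            if e.kind == "logon" and e.device not in role_devices[e.role]:
                vec[0] += 1
            elif e.kind == "http":
                vec[1 + e.hour] += 1
        for e in todays:              # a device becomes "known" only once the day closes
            role_devices[e.role].add(e.device)
    return feats

def fit_pca(rows, k, iters=200):
    """Mean and top-k principal axes by power iteration with deflation (pure Python)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[i] for r in rows) / n for i in range(d)]
    cen = [[r[i] - mean[i] for i in range(d)] for r in rows]
    cov = [[sum(x[i] * x[j] for x in cen) / (n - 1) for j in range(d)] for i in range(d)]
    axes = []
    for _ in range(k):
        v = [1 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
        axes.append(v)
    return mean, axes

def inverse_pca(coords, mean, axes):
    """Projection space -> feature space: what dragging a scatter-plot point asks for."""
    out = list(mean)
    for coef, a in zip(coords, axes):
        for i in range(len(out)):
            out[i] += coef * a[i]
    return out

def deviation_score(vec, mean, axes):
    """Reconstruction error: the part of a day's activity the profile model cannot explain."""
    cen = [vec[i] - mean[i] for i in range(len(vec))]
    coords = [sum(a[i] * cen[i] for i in range(len(cen))) for a in axes]  # scatter-plot position
    recon = inverse_pca(coords, mean, axes)
    return math.sqrt(sum((vec[i] - recon[i]) ** 2 for i in range(len(vec))))

def rank_user_days(events, train_days, k=2):
    """Fit the profile on baseline days only (so an outlier cannot pull the axes towards
    itself), then rank every user-day by deviation. Returns (ranked, mean, axes)."""
    feats = daily_features(events)
    mean, axes = fit_pca([v for (_, d), v in feats.items() if d in train_days], k)
    scored = [(key, deviation_score(v, mean, axes)) for key, v in feats.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True), mean, axes

def feature_contributions(mean, axes, component, step=1.0, top=3):
    """Drag a point by `step` along one axis and report the features that move most."""
    origin = inverse_pca([0.0] * len(axes), mean, axes)
    moved = inverse_pca([step if i == component else 0.0 for i in range(len(axes))], mean, axes)
    deltas = sorted(((abs(moved[i] - origin[i]), FEATURE_NAMES[i]) for i in range(len(origin))), reverse=True)
    return [name for _, name in deltas[:top]]

def constructed_events():
    """Constructed log: three engineers work 09:00-16:00 on their own PCs for seven days;
    on day 6 bob additionally logs on at 02:00 to a PC no engineer has used and browses then."""
    events = []
    for day in range(7):
        for u in ("alice", "bob", "carol"):
            events.append(Event(day, u, "engineer", f"PC-{u}", "logon", 9))
            for hour in range(9, 17):
                events += [Event(day, u, "engineer", f"PC-{u}", "http", hour)] * (2 + (day + len(u)) % 3)
    events.append(Event(6, "bob", "engineer", "PC-lab-07", "logon", 2))
    events += [Event(6, "bob", "engineer", "PC-lab-07", "http", h) for h in (2, 2, 3, 3, 3)]
    return events

if __name__ == "__main__":
    ranked, mean, axes = rank_user_days(constructed_events(), train_days=range(6))
    for key, score in ranked[:3]:
        print(key, round(score, 3))
    print("component 0 mostly moves:", feature_contributions(mean, axes, 0))
    print("component 1 mostly moves:", feature_contributions(mean, axes, 1))
```

Two design points the slides raise are visible in this sketch. The profile is fitted on the baseline days and the scored day is held out: if the outlying day is included in the fit, the first principal axis can rotate towards it and the reconstruction error then hides exactly the day the analyst wants to see. And on day 0 every device is new to every role, so feature 0 is high for everyone; a profile needs a warm-up window before new-device counts mean anything, which is one concrete reason the analyst should be able to inspect how the score is computed rather than receive a number alone.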
Detail View• Activity plot that maps user and role activity to time (supports either polar or Cartesian grid layout).
• Comparison of user activity on a daily basis, and against others in the same job role.
• Could potentially be used in conjunction with other data if available (e.g., HR records, performance reviews).
(Figure annotations: blue activity shows USB drive insert and removal. Late night usage + new observation for this role = threat!)
Challenges and Limitations
• Gathering activity log data for Insider Threat research
• Synthetic data versus real-world data?
• How well can synthetic data represent normal and malicious activity?
• How can real organisations actually share knowledge of insider cases?
• Anomalous activity != Malicious activity
• Should we be considering hybrid anomaly-signature techniques?
• Make use of both the computational power and the human analyst.
• Insider Threat Prevention
• Ideally, organisations would like to prevent attacks rather than detect them.
• Requires understanding behavioral precursors of the attack.
• How can we collect and analyze data that may inform this approach?
Conclusion
• We demonstrate the use of a Visual Analytics tool for the purpose of Insider Threat detection and model exploration.
• We couple this with a detection routine based on activity profiling and feature decomposition.
• Future work is to validate approaches for Insider Threat detection based on real-world deployment.
• Just how normal are normal users really behaving, and likewise, how malicious are the malicious users?
Thank you for your attention
Philip A. Legg
University of the West of England, UK
Source to be available from:
http://www.plegg.me.uk
http://www.github.com/phillegg