A Taxonomic Classification of Insider Threats: Existing Techniques, Future Directions & Recommendations
DOI: https://doi.org/10.13052/jcsm2245-1439.1225
Keywords: Insider threats, anomaly detection, attack deterrence, intrusive applications, machine learning
Abstract
In the last two decades, the rapidly increasing number of cyber incidents (i.e., data theft and privacy breaches) shows that it is becoming enormously difficult for conventional defense mechanisms and architectures to neutralize modern cyber threats in real time. Disgruntled and rogue employees/agents and intrusive applications are two notorious classes of such modern threats, referred to as Insider Threats, which lead to data theft and privacy breaches. To counter such state-of-the-art threats, modern defense mechanisms require the incorporation of active threat analytics to proactively detect and mitigate any malicious intent at the employee or application level. Existing solutions to these problems rely heavily on correlation, distance-based risk metrics, and human judgment, especially when humans are kept in the loop for access-control policy decisions against advanced persistent threats. As a consequence, the situation can escalate and lead to privacy/data breaches in the case of insider threats. To confront such challenges, the security community has been striving to identify anomalous intent for advanced behavioral anomaly detection and auto-resiliency (the ability to deter an ongoing threat by policy tuning). In this direction, we review the literature in this domain and evaluate the effectiveness of existing approaches against our proposed criteria. To our knowledge, this is one of the first endeavors toward developing evaluation-based standards to assess the effectiveness of relevant approaches in this domain while considering insider employees and intrusive applications simultaneously. There have been efforts in the literature towards describing and understanding insider threats in general; however, none have addressed the detection and deterrence elements in their entirety, which makes our contribution one of a kind. Towards the end of this article, we list and discuss the existing data sets.
The data sets can help in understanding the attributes that play crucial roles in insider threat detection. In addition, they can be beneficial for testing newly designed security solutions in this domain. We also present recommendations for establishing a baseline standard for analyzing insider-threat data sets. This baseline standard could be used in the future to design resilient architectures and provide a road map for organizations to enhance their defense capabilities against insider threats.
License
Copyright (c) 2023 Journal of Cyber Security and Mobility
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.