Presentation from the IEEE Symposium on Visualization for Cyber Security, co-located with IEEE VIS 2015, Chicago, IL.

1. Visualizing the Insider Threat:
Challenges and tools for identifying
malicious user activity
Philip A. Legg
University of the West of England, UK
phil.legg@uwe.ac.uk

2. Introduction
• What is Insider Threat?
• Identifying Insider Threats
• Visual Analytics for Insider Threat
• Challenges and Limitations
• Conclusion

3. Insider Threat
• Someone with privileged access and knowledge of an
organisation, who uses this in such a way that is detrimental to the
operation of the organisation.
• E.g., Employees, management, stakeholders, contractors
• Examples threats could include intellectual property theft, data
fraud, system sabotage, and reputational damage.
• Typically, a threat would be initiated by a trigger and a motive
(e.g., personal financial difficulties result in theft).

4. Insider Threat
• According to the 2015 Insider Threat report by Vormetric:
“93% of U.S. organisations polled responded as being vulnerable to
insider threats”.
“59% of U.S. respondents stated that privileged users pose the
biggest threat to their organisation”
• How can we mitigate threats without impacting productivity?
• Have advances in technology created more opportunity for attack?
• Does more activity data equal more success for mitigating threats?

5. Identifying Insider Threat
• Given observations of user activity,
how can we identify insider threats?
• Generate user and role profiles
for comparative analysis.
• For each user/role:
• What devices do they use?
• What activities do they perform?
• What are the attributes of the
activity?
• What is the time-profile of each
instance?

6. Identifying Insider Threat
GroupActivity Type
_hourly_usage_
_new_activity_for_device_
_new_attribute_for_device_
_for_role
_for_user
logon
usb_insert
email
http
file
• Given a profile of user activity,
how can we identify insider
threats?
• Obtain ‘features’ that
characterize potential threats.
• New activities, or attributes
• Time of the activity/attribute
• Frequency of the activity/attribute
Examples:
logon_new_activity_for_device_for_role
A count of how many times that day the user has logged on to a
device that has not been accessed before by members of
that particular job role.
http_hourly_usage_for_user
A 24 element count for each hour of activity that involves http usage
for this particular user

7. Identifying Insider Threat
• Given daily ‘features’ for each user, how can we assess and score
user deviation?
• One approach – PCA feature decomposition.
• Suppose then that a security analyst just receives a threat score for
each user for each day…
• How do they know how the threat score is computed?
• How can they trust that this threat score is valid?
• What if they want to understand how the threat score may vary,
based on different activity?
• There is a need for Visual Analytics to examine the detection process!

8. Overview
Zoom and Filter

9. Overview
Zoom and Filter
Details on Demand

10. Overview
• Charts provide an interactive overview
of selected summary statistics (e.g.,
amount of activity, deviation of activity).
• Support filtering (date range, selection).
• Zoomed view of activity by date.
• Contextual view of activity by date.
• Activity bar chart by job role.
• Activity bar chart by individual.
Change stat
Select users

11. Filter and Zoom
• Interactive PCA [Jeong et al.]
• Scatter plot view of user daily
activity based on PCA.
• Parallel co-ordinates shows
linked view between plot and
profile features.
• Can identify groups of outliers,
and what features contribute
towards the groupings.

12. Filter and Zoom
• Dragging points on scatter plot
performs inverse PCA.
• Analyst can examine
relationship between the
projection space and the
original feature space.
• Can be used to identify the
contribution or ‘usefulness’ of
each feature for refinement of
detection model (e.g., apply
weighting function to PCA).

13. Detail View
• Activity plot that maps user
and role activity to time
(supports either polar or
Cartesian grid layout).
• Comparison of user activity
on a daily basis, and against
others in the same job role.
• Could potentially be used in
conjunction with other data if
available (e.g., HR records,
performance reviews).
Blue activity shows USB drive insert and removal
Late night usage + new observation for this role = threat!

14. Challenges and Limitations
• Gathering activity log data for Insider Threat research
• Synthetic data versus real-world data?
• How well can synthetic data represent normal and malicious activity?
• How can real organisations actually share knowledge of insider cases?
• Anomalous activity != Malicious activity
• Should we be considering hybrid anomaly-signature techniques?
• Make use of both the computational power and the human analyst.
• Insider Threat Prevention
• Ideally, organisations would like to prevent attacks rather than detect.
• Requires understanding behavioral pre-cursors of the attack.
• How can we collect and analyze data that may inform this approach?

15. Conclusion
• We demonstrate the use of a Visual Analytics tool for the purpose
of Insider Threat detection and model exploration.
• We couple this with a detection routine based on activity profiling
and feature decomposition.
• Future work is to validate approaches for Insider Threat detection
based on real-world deployment
• Just how normal are normal users really behaving, and
likewise, how malicious are the malicious users?

16. Thank you for your attention
Philip A. Legg
University of the West of England, UK
phil.legg@uwe.ac.uk