Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity
1. Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity
Philip A. Legg
University of the West of England, UK
phil.legg@uwe.ac.uk
2. Introduction
• What is Insider Threat?
• Identifying Insider Threats
• Visual Analytics for Insider Threat
• Challenges and Limitations
• Conclusion
3. Insider Threat
• Someone with privileged access and knowledge of an organisation, who uses this in a way that is detrimental to the operation of the organisation.
• E.g., employees, management, stakeholders, contractors.
• Example threats include intellectual property theft, data fraud, system sabotage, and reputational damage.
• Typically, a threat is initiated by a trigger and a motive (e.g., personal financial difficulties result in theft).
4. Insider Threat
• According to the 2015 Insider Threat report by Vormetric:
“93% of U.S. organisations polled responded as being vulnerable to insider threats”.
“59% of U.S. respondents stated that privileged users pose the biggest threat to their organisation”.
• How can we mitigate threats without impacting productivity?
• Have advances in technology created more opportunity for attack?
• Does more activity data equal more success for mitigating threats?
5. Identifying Insider Threat
• Given observations of user activity, how can we identify insider threats?
• Generate user and role profiles for comparative analysis.
• For each user/role:
  • What devices do they use?
  • What activities do they perform?
  • What are the attributes of the activity?
  • What is the time-profile of each instance?
6. Identifying Insider Threat
Feature naming scheme (Activity Type + Group + Scope):
Activity Type: logon, usb_insert, email, http, file
Group: _hourly_usage_, _new_activity_for_device_, _new_attribute_for_device_
Scope: _for_role, _for_user
• Given a profile of user activity, how can we identify insider threats?
• Obtain ‘features’ that characterize potential threats.
  • New activities, or attributes
  • Time of the activity/attribute
  • Frequency of the activity/attribute
Examples:
logon_new_activity_for_device_for_role
A count of how many times that day the user has logged on to a device that has not been accessed before by members of that particular job role.
http_hourly_usage_for_user
A 24-element count, one per hour of the day, of http activity for this particular user.
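The feature construction above, written out as an added example (this is not the author's code, and the log format is a constructed one): each record is (user, role, day, hour, activity, device), and for every activity type in the slide's table the code derives the two feature kinds named in the examples, `<activity>_new_activity_for_device_for_role` and `<activity>_hourly_usage_for_user`. "Not accessed before" is interpreted as "not seen on any earlier day", an assumption made here so that the order of events within a day does not matter.

```python
from collections import defaultdict

ACTIVITY_TYPES = ("logon", "usb_insert", "email", "http", "file")

# Constructed sample activity log (not data from the talk):
# (user, role, day, hour, activity, device)
SAMPLE_LOG = [
    ("alice", "Director", "2015-03-02",  9, "logon",      "PC-101"),
    ("alice", "Director", "2015-03-02", 10, "http",       "PC-101"),
    ("alice", "Director", "2015-03-02", 14, "http",       "PC-101"),
    ("bob",   "Director", "2015-03-02",  9, "logon",      "PC-102"),
    ("bob",   "Director", "2015-03-02", 11, "http",       "PC-102"),
    ("alice", "Director", "2015-03-03",  9, "logon",      "PC-101"),
    ("bob",   "Director", "2015-03-03",  9, "logon",      "PC-102"),
    ("bob",   "Director", "2015-03-03", 10, "http",       "PC-102"),
    ("bob",   "Director", "2015-03-03", 10, "http",       "PC-102"),
    ("alice", "Director", "2015-03-03", 23, "logon",      "PC-309"),  # no Director has used PC-309
    ("alice", "Director", "2015-03-03", 23, "http",       "PC-309"),
    ("alice", "Director", "2015-03-03", 23, "usb_insert", "PC-309"),
]


def empty_features():
    """One zeroed feature set for a single user-day."""
    f = {}
    for a in ACTIVITY_TYPES:
        f[f"{a}_new_activity_for_device_for_role"] = 0   # daily count of role-new devices
        f[f"{a}_hourly_usage_for_user"] = [0] * 24      # 24 hourly buckets
    return f


def daily_features(log):
    """Return {(user, day): feature dict}.

    'New for role' means the (role, activity, device) combination was not
    observed on any earlier day (assumption made for this example). The
    history is rolled forward only at the end of each day.
    """
    by_day = defaultdict(list)
    for rec in log:
        by_day[rec[2]].append(rec)

    role_history = set()          # (role, activity, device) seen on earlier days
    features = {}
    for day in sorted(by_day):
        seen_today = set()
        for user, role, _, hour, activity, device in by_day[day]:
            f = features.setdefault((user, day), empty_features())
            if (role, activity, device) not in role_history:
                f[f"{activity}_new_activity_for_device_for_role"] += 1
            seen_today.add((role, activity, device))
            f[f"{activity}_hourly_usage_for_user"][hour] += 1
        role_history |= seen_today
    return features


def feature_vector(f):
    """Flatten one user-day feature dict into a fixed-order numeric list,
    the shape a scoring step (e.g. PCA) would consume."""
    vec = []
    for name in sorted(f):
        value = f[name]
        vec.extend(value if isinstance(value, list) else [value])
    return vec


if __name__ == "__main__":
    for (user, day), f in sorted(daily_features(SAMPLE_LOG).items()):
        new_dev = {a: f[f"{a}_new_activity_for_device_for_role"] for a in ACTIVITY_TYPES}
        print(user, day, {a: c for a, c in new_dev.items() if c})
```

Running the block prints, per user-day, only the activity types that touched a device new to the role; alice's late-night logon, web and USB use on PC-309 stand out on the second day while bob's repeat use of PC-102 contributes nothing.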
7. Identifying Insider Threat
• Given daily ‘features’ for each user, how can we assess and score user deviation?
• One approach – PCA feature decomposition.
• Suppose then that a security analyst just receives a threat score for each user for each day…
• How do they know how the threat score is computed?
• How can they trust that this threat score is valid?
• What if they want to understand how the threat score may vary, based on different activity?
• There is a need for Visual Analytics to examine the detection process!
10. Overview
• Charts provide an interactive overview of selected summary statistics (e.g., amount of activity, deviation of activity).
• Support filtering (date range, selection).
• Zoomed view of activity by date.
• Contextual view of activity by date.
• Activity bar chart by job role.
• Activity bar chart by individual.
(Screenshot controls: Change stat, Select users)
11. Filter and Zoom
• Interactive PCA [Jeong et al.]
• Scatter plot view of user daily activity based on PCA.
• Parallel co-ordinates shows linked view between plot and profile features.
• Can identify groups of outliers, and what features contribute towards the groupings.
12. Filter and Zoom
• Dragging points on scatter plot performs inverse PCA.
• Analyst can examine relationship between the projection space and the original feature space.
• Can be used to identify the contribution or ‘usefulness’ of each feature for refinement of detection model (e.g., apply weighting function to PCA).
13. Detail View
• Activity plot that maps user and role activity to time (supports either polar or Cartesian grid layout).
• Comparison of user activity on a daily basis, and against others in the same job role.
• Could potentially be used in conjunction with other data if available (e.g., HR records, performance reviews).
Blue activity shows USB drive insert and removal
Late night usage + new observation for this role = threat!
14. Challenges and Limitations
• Gathering activity log data for Insider Threat research
• Synthetic data versus real-world data?
• How well can synthetic data represent normal and malicious activity?
• How can real organisations actually share knowledge of insider cases?
• Anomalous activity != Malicious activity
• Should we be considering hybrid anomaly-signature techniques?
• Make use of both the computational power and the human analyst.
• Insider Threat Prevention
• Ideally, organisations would like to prevent attacks rather than detect.
• Requires understanding behavioral precursors of the attack.
• How can we collect and analyze data that may inform this approach?
15. Conclusion
• We demonstrate the use of a Visual Analytics tool for the purpose of Insider Threat detection and model exploration.
• We couple this with a detection routine based on activity profiling and feature decomposition.
• Future work is to validate approaches for Insider Threat detection based on real-world deployment.
• Just how normal are normal users really behaving, and likewise, how malicious are the malicious users?
16. Thank you for your attention
Philip A. Legg
University of the West of England, UK
phil.legg@uwe.ac.uk
Editor's notes
Good morning – my name is Phil Legg, I’m from the University of the West of England, and today I’d like to talk about Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity.
To begin, I’ll start with looking at what do we mean by insider threat, and then I’ll discuss possible ways of identifying insider threats. I’ll present a visual analytics approach for insider threat detection, and then I’d like to spend some time looking at the challenges and limitations we face with insider threat research. Finally I’ll wrap up with my conclusions.
Types of insider threat – not just employees, but anyone with access and knowledge.
Trigger – precipitating event to the act of becoming insider.
Motive – objective of insider attack.
Insider threat is a real problem – businesses are beginning to wake up to this, however it’s taking some time.
Security is not top of the priority list for many organisations.
Opportunities have always been there – technology helps to widen access and to cover tracks.
More data requires better data preprocessing to help the filtering of data – most data will be benign normal activity.
Characterise threats – based on the reports of activity from previous case studies.
Additional features could be derived if it was deemed appropriate.
There are a number of other techniques that can be used for assessing features – the talk by Simon Walton this afternoon describes further how multiple models can be used in a visual analytics loop.
Detection should not be a black box – analysts need to know what led to the result that the computer is providing – especially if it can prevent a false accusation of threat.
VA can help to discern how and why a user is scored.
The visual analytics tool follows the information-seeking mantra – as Greg showed earlier: overview, zoom and filter, and details on demand.
Change statistics to a normalized anomaly view (e.g., scales anomalies such as e-mail and web, which surpass more indicative things such as logon and usb).
IT Admin role scores highest – however all users score high – the role typically has anomalous behaviours.
Director role scores second highest – significant difference between one user and his peers.
We adopt an Interactive PCA approach for examining the relationship between PCA output and the original input features.
Can also study the eigenvalues of the decomposition and select different combinations to show on the scatter plot.
What are the additional sensors that we can use for insider threat? Better use and availability of employee reporting tools.
Insider threat prevention – as Greg showed earlier: Minority Report.
In the process of making the source available from the webpage shown.