A study on Classification of Insider threat using Markov Chain Model

  • Kim, Dong-Wook (Department of Computer Engineering, University of Gachon) ;
  • Hong, Sung-Sam (Department of Computer Engineering, University of Gachon) ;
  • Han, Myung-Mook (Department of Computer Engineering, University of Gachon)
  • Received : 2017.10.04
  • Accepted : 2017.03.05
  • Published : 2018.04.30

Abstract

In this paper, a method to classify insider threat activity is introduced. Detecting internal threats means detecting anomalous activity in the procedures a user performs within an organization. When an anomalous value that deviates from the overall behavior appears, we treat it as an insider threat and classify the user as an inside intimidator. To address this, the Markov Chain Model is employed. The Markov Chain Model gives the next state value through a random variable that depends on the previous event. Similarly, for insider threat activity, the current activity can be predicted from the previous activity. We studied a method in which such state changes are defined by a transition probability, and anomalies of the inside threat are classified through the values of a probability variable. We use the properties of Markov chains to list the user's behavior over time and to classify which state it belongs to. Sequential data sets were generated according to the influence of n occurrences of the Markov attribute and classified by machine learning algorithms. In the experiment, only 15% of the CERT insider threat dataset was used, and the result was 97% accuracy for every algorithm except NaiveBayes. As a result of our research, it was confirmed that the Markov Chain Model can classify insider threats and can be fully utilized for user behavior classification.
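As an added example (not the paper's code) of the Markov chain idea the abstract describes: a first-order chain fitted on constructed, labelled-normal activity sequences yields transition probabilities; a new sequence is then scored by its average log transition probability, and the transition frequencies double as a fixed-length feature vector for a downstream classifier. The state names, sample sequences and the threshold rule are assumptions.

```python
"""First-order Markov chain over user activity states for insider threat
classification. Added illustration, not the paper's code; states and the
sample sequences below are constructed."""
import math
from collections import defaultdict

STATES = ["logon", "email", "http", "file", "device", "logoff"]  # assumed activity types

# Constructed, assumed-normal daily activity sequences for one user.
NORMAL_SEQUENCES = [
    ["logon", "email", "http", "email", "logoff"],
    ["logon", "http", "email", "http", "logoff"],
    ["logon", "email", "file", "email", "logoff"],
    ["logon", "http", "http", "email", "logoff"],
]
# Constructed sequence with transitions the user never showed before.
SUSPICIOUS_SEQUENCE = ["logon", "device", "file", "file", "device", "logoff"]

def fit_transition_matrix(sequences, alpha=1.0):
    """Estimate P[src -> dst] from state sequences with additive (Laplace)
    smoothing, so unseen transitions keep a small non-zero probability
    instead of producing log(0) when scored later."""
    counts = defaultdict(lambda: defaultdict(float))
    for seq in sequences:
        for prev, cur in zip(seq, seq[1:]):
            counts[prev][cur] += 1.0
    matrix = {}
    for src in STATES:
        total = sum(counts[src].values()) + alpha * len(STATES)
        matrix[src] = {dst: (counts[src][dst] + alpha) / total for dst in STATES}
    return matrix

def sequence_score(matrix, seq):
    """Average log transition probability; lower means the sequence deviates
    more from the behaviour the chain was fitted on. A single-event sequence
    has no transitions and scores 0.0 (the maximum)."""
    pairs = list(zip(seq, seq[1:]))
    if not pairs:
        return 0.0
    return sum(math.log(matrix[p][c]) for p, c in pairs) / len(pairs)

def fit_threshold(matrix, sequences):
    """Anomaly threshold: the lowest score any training sequence reaches."""
    return min(sequence_score(matrix, s) for s in sequences)

def is_anomalous(matrix, seq, threshold):
    """Classify a sequence as anomalous when it scores below the threshold."""
    return sequence_score(matrix, seq) < threshold

def transition_features(seq):
    """Relative frequency of every (src, dst) pair in fixed STATES order: a
    len(STATES)**2 vector a machine learning classifier can consume."""
    counts = defaultdict(float)
    for prev, cur in zip(seq, seq[1:]):
        counts[(prev, cur)] += 1.0
    total = max(sum(counts.values()), 1.0)
    return [counts[(s, d)] / total for s in STATES for d in STATES]
```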
