ELICIT: a system for detecting insiders who violate need-to-know

Authors:
Marcus A. Maloof;Gregory D. Stephens
Affiliations:
Department of Computer Science, Georgetown University, Washington, DC;Center for Integrated Intelligence Systems, The MITRE Corporation, McLean, VA
Venue:
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Year:
2007

Citing 9
Cited 3

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
UNICORN: misuse detection for UNICOS

Supercomputing '95 Proceedings of the 1995 ACM/IEEE conference on Supercomputing
Temporal sequence learning and data reduction for anomaly detection

ACM Transactions on Information and System Security (TISSEC)
The 1999 DARPA off-line intrusion detection evaluation

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on recent advances in intrusion detection systems
A framework for constructing features and models for intrusion detection systems

ACM Transactions on Information and System Security (TISSEC)
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Bayesian Networks and Decision Graphs

Bayesian Networks and Decision Graphs
Masquerade Detection Using Truncated Command Lines

DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
Intrusion detection using sequences of system calls

Journal of Computer Security

Ontological semantic technology for detecting insider threat and social engineering

Proceedings of the 2010 workshop on New security paradigms
Modeling user search behavior for masquerade detection

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Understanding insiders: An analysis of risk-taking behavior

Information Systems Frontiers

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malicious insiders do great harm and avoid detection by using their legitimate privileges to steal information that is often outside the scope of their duties. Based on information from public cases, consultation with domain experts, and analysis of a massive collection of information-use events and contextual information, we developed an approach for detecting insiders who operate outside the scope of their duties and thus violate need-to-know. Based on the approach, we built and evaluated elicit, a system designed to help analysts investigate insider threats. Empirical results suggest that, for a specified decision threshold of .5, elicit achieves a detection rate of .84 and a false-positive rate of .015, flagging per day only 23 users of 1, 548 for further scrutiny. It achieved an area under an roc curve of .92.