IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Support vector domain description
Pattern Recognition Letters - Special issue on pattern recognition in practice VI
The NIST model for role-based access control: towards a unified standard
RBAC '00 Proceedings of the fifth ACM workshop on Role-based access control
Mean Shift: A Robust Approach Toward Feature Space Analysis
IEEE Transactions on Pattern Analysis and Machine Intelligence
Mean Shift Based Clustering in High Dimensions: A Texture Classification Example
ICCV '03 Proceedings of the Ninth IEEE International Conference on Computer Vision - Volume 2
Security Policies to Mitigate Insider Threat in the Document Control Domain
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Intrusion Detection in RBAC-administered Databases
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Estimating the Support of a High-Dimensional Distribution
Neural Computation
Applying role based access control and genetic algorithms to insider threat detection
Proceedings of the 44th annual Southeast regional conference
Insider attack and real-time data mining of user behavior
IBM Journal of Research and Development - Business optimization
Detecting anomalous access patterns in relational databases
The VLDB Journal — The International Journal on Very Large Data Bases
One-Class Classification by Combining Density and Class Probability Estimation
ECML PKDD '08 Proceedings of the 2008 European Conference on Machine Learning and Knowledge Discovery in Databases - Part I
Real life challenges in access-control management
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
The WEKA data mining software: an update
ACM SIGKDD Explorations Newsletter
Leveraging one-class SVM and semantic analysis to detect anomalous content
ISI'05 Proceedings of the 2005 IEEE international conference on Intelligence and Security Informatics
| Hi-index | 0.00 |
Insider threat problems are widespread in industry today, resulting in large losses of intellectual property. Reputable reports assert that attacks from within an organization are on the rise, making detection of insider-based attacks a top priority. This paper evaluates the effectiveness of using role-based differentiation of user behavior as a tool in detecting insider attack behavior. This differentiation is natural in contexts where role-based access control (RBAC) mechanisms are in place. Using synthetically generated traffic (which puts placement and intensity of insider behavior under experimental control), we train five different algorithms on "normal" behavior with and without RBAC differentiation, and measure the accuracy of detecting malicious behavior with, and without RBAC, as a function of insider behavior. We find that in some contexts RBAC differentiation significantly reduces these errors. However, in our experiments two of the five algorithms had statistically significant increases in false positives under RBAC as opposed to non-RBAC. However, these increases are small compared to the very large gain in detection capability that RBAC brings, and we conclude that RBAC is very much worth considering as a tool for insider threat detection.