Conference: 2018 1st International Conference on Data Intelligence and Security

Combating Insider Threats by User Profiling from Activity Logging Data


Abstract

In cybersecurity, malicious insider threats represent a huge issue for organizations and may pose the greatest threat category. Combating insider risks requires an understanding of the behavior of each insider. Markov chains (MC) are particularly well suited to modeling behaviors from network traffic and have been used extensively for modeling and clustering actions. In this article, we explore Markov processes to model profiles for individual users rather than modeling actions. That is, for every set of actions, there is a Markov chain labeled by that action flow that specifies the state transition probabilities resulting from each unique user. This modeling is appropriate for adding a temporal component to data stream clustering, and its static nature can be dynamically adapted to each user's profile. From the network traffic, we demonstrate that potential insider threats can be pointed out by formulating the request associated with a given threat scenario in the form of a sequence of actions and scoring it against each user's pre-established MC model.
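
A minimal sketch of the per-user scoring the abstract describes, added here as an illustration and not taken from the paper. It assumes first-order chains, add-one smoothing and mean log-likelihood as the score; the users, action names and logs are constructed.

```python
import math
from collections import defaultdict

# Constructed activity logs, one action stream per user (not data from the paper).
LOGS = {
    "alice": ["logon", "email", "web", "email", "file_open", "email", "web", "logoff"] * 5,
    "bob": ["logon", "usb_connect", "file_open", "usb_disconnect", "email", "logoff"] * 3
           + ["logon", "web", "email", "logoff"] * 5,
    "carol": ["logon", "usb_connect", "file_copy", "usb_disconnect", "email", "logoff"] * 4
             + ["logon", "email", "web", "logoff"] * 4,
}
# Threat scenario expressed as a sequence of actions (constructed example).
SCENARIO = ["logon", "usb_connect", "file_copy", "usb_disconnect", "logoff"]


def fit_chain(seq, actions, alpha=1.0):
    """Estimate a first-order transition matrix from one user's action stream.

    alpha is an add-alpha smoothing constant (an assumption of this sketch) so
    that transitions the user never made keep a small non-zero probability.
    """
    counts = defaultdict(lambda: defaultdict(float))
    for prev, nxt in zip(seq, seq[1:]):
        counts[prev][nxt] += 1
    chain = {}
    for prev in actions:
        total = sum(counts[prev].values()) + alpha * len(actions)
        chain[prev] = {nxt: (counts[prev][nxt] + alpha) / total for nxt in actions}
    return chain


def score(chain, scenario):
    """Mean log transition probability of the scenario under one user's chain."""
    steps = list(zip(scenario, scenario[1:]))
    return sum(math.log(chain[a][b]) for a, b in steps) / len(steps)


def rank_users(logs, scenario, alpha=1.0):
    """Return (user, score) pairs, best match to the scenario first."""
    actions = sorted({a for s in logs.values() for a in s} | set(scenario))
    scores = {u: score(fit_chain(s, actions, alpha), scenario) for u, s in logs.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for user, s in rank_users(LOGS, SCENARIO):
        print(f"{user:6s} {s:.3f}")
```

Bob also uses USB media but opens files rather than copying them, so his chain matches the scenario less closely than Carol's; the ordering of actions, not just their presence, drives the score.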