Insider threat simulation and performance analysis of insider detection algorithms with role based models

摘要

Insider threat problems are widespread in industry today. They have resulted in hugelosses to organizations. The security reports by leading organizations point out the fact that therehave been many more insider attacks in recent years than any other form of attack. Detection ofthese insider threats is a top priority. One problem facing the detection mechanisms is that thereal data for modeling is not easily available. This thesis describes a simulator which cansimulate the insiders and generate access information in the form of logs.Currently there are many methods which use data mining algorithms to detect insiderattacks. Role based detection is a well known mechanism to accurately distinguish insiderbehavior from the normal behavior. The thesis focuses on the advantages of using role basedmechanisms for insider threat detection. Five algorithms have been chosen and performanceanalysis of these under various scenarios is carried out. The thesis discusses these results indetail.The simulator is built on the Scalable Simulation Framework (SSF). It is an extension ofthe Boeing simulator, JANUS. The simulator uses behavior files to model an insider/normal userand generates the access information using Markov chains.