A Bayesian approach to insider threat detection

2021 
Insider attacks are an ever-increasing threat to organizations, with dire consequences. Rogue employees who possess legitimate access to systems, and knowledge of the organization's security policies and monitoring practices, can evade detection. Organizations remain ill-equipped to detect, deter and mitigate sophisticated insider attacks, as traditional security controls and detection systems are tailored to external threats. The literature on insider threat detection provides the theoretical foundation for understanding the motives, behavior and patterns of insider attacks. The majority of proposed models for insider threat anomaly detection focus mainly on processing network data. In this paper, we propose and evaluate a Bayesian Network architecture that can consider behavioral aspects in tandem with network data. Our system uses machine learning to learn the structure of the data, takes as input specially crafted features grounded in the theoretical foundations of insider threat, and enables analysts to include behavioral features where such data is available. We applied our system to CMU’s synthetic dataset; our results provide justified and informed decisions on selecting parameters for Bayesian Networks and suggest that such an approach is highly effective. All attacks in the dataset were identified, with a very low number of false positives.
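As an added illustration of the kind of model the abstract describes, and not the paper's own architecture, the following Python example builds a small discrete Bayesian network in which a hidden Insider node explains two behavioral features and two network-derived features. The network structure, the prior, the conditional probability tables, the feature names and the per-user rows are all assumed for illustration; the paper learns its structure from data and uses CMU's dataset, which this toy does not. The point it shows is how behavioral evidence can be combined with network evidence in one posterior, and why behavioral features can simply be omitted when that data is unavailable.

```python
"""Toy Bayesian network for insider-threat scoring.

Added example, not the paper's model: the network structure, the prior and
every conditional probability below are assumed for illustration.
"""

# Assumed structure: one hidden node (Insider) with four observed children.
# Two children are behavioral signals (hr_flag, after_hours) and two are
# network-derived signals (usb_use, large_upload). Children are modelled as
# conditionally independent given Insider, so this is a tree-shaped network;
# the paper learns its structure from data, which this toy does not do.
PRIOR_INSIDER = 0.01  # assumed base rate of malicious insiders

# Conditional probability tables: P(feature is True | Insider = False/True).
# All values are constructed, not estimated from any dataset.
CPT = {
    "hr_flag":      (0.05, 0.60),  # behavioral: HR-reported grievance or resignation
    "after_hours":  (0.10, 0.70),  # behavioral: logon outside the user's working hours
    "usb_use":      (0.08, 0.65),  # host/network: removable media connected
    "large_upload": (0.02, 0.50),  # network: outbound transfer far above the user's baseline
}


def posterior_insider(evidence):
    """P(Insider = True | evidence) by exact enumeration over the hidden node.

    evidence maps feature name -> bool. A feature that is absent is
    marginalised out; because every child depends only on Insider, summing
    over its two values contributes a factor of 1, so absent features are
    simply skipped. That is what lets behavioral data be optional.
    """
    joint = {}
    for insider in (False, True):
        p = PRIOR_INSIDER if insider else 1.0 - PRIOR_INSIDER
        for name, observed in evidence.items():
            p_true = CPT[name][int(insider)]
            p *= p_true if observed else 1.0 - p_true
        joint[insider] = p
    return joint[True] / (joint[True] + joint[False])


def score_users(records, threshold=0.5):
    """Return [(user, posterior)] for every record whose posterior exceeds
    threshold, highest first. Records lacking behavioral keys are scored on
    network evidence alone."""
    flagged = []
    for rec in records:
        evidence = {k: v for k, v in rec.items() if k in CPT}
        p = posterior_insider(evidence)
        if p > threshold:
            flagged.append((rec["user"], round(p, 4)))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed per-user feature rows, not taken from the CMU dataset.
SAMPLE_RECORDS = [
    {"user": "user_a", "hr_flag": True,  "after_hours": True,  "usb_use": True,  "large_upload": True},
    {"user": "user_b", "hr_flag": False, "after_hours": False, "usb_use": False, "large_upload": False},
    {"user": "user_c", "hr_flag": False, "after_hours": True,  "usb_use": False, "large_upload": False},
    # user_d has no behavioral data at all: only network features are known.
    {"user": "user_d", "usb_use": True, "large_upload": True},
]

if __name__ == "__main__":
    for user, p in score_users(SAMPLE_RECORDS):
        print(f"{user}: P(insider | evidence) = {p}")
```

With these assumed tables, user_a (all four signals present) and user_d (strong network evidence, no behavioral data) exceed the 0.5 threshold, while user_c's single after-hours logon does not move the posterior far from the prior. The threshold and the prior are exactly the kind of parameters the abstract says must be chosen deliberately; sweeping them against labelled data is how one would tune the trade-off between missed attacks and false positives.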