Temporal Behavior in Network Traffic as a Basis for Insider Threat Detection

2020

Insider threats are a costly and dangerous problem for government and non-government organizations alike. Considering an insider's inherently privileged level of access on a network, the main principle of network defense, keeping potential threats and outsiders out, does not apply to insider threats. Current defenses are largely based on the detection of insider threat indicators, which are often manually compiled from past events. This approach is limited in scalability, has difficulty generalizing to new threats, and fails to consider the wide range of behaviors within an organization. In this work, we describe a system that detects potential insider threats through the characterization of temporal behavior on a network. Our approach is completely unsupervised, based on the assumption that there are many different behavioral norms within a network. After testing the system on an operational network with over 8,000 hosts, we show through a series of case studies that the approach is effective in detecting behavioral anomalies suitable for follow-up by a human analyst.
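As an added illustration (not the paper's own code, whose method this abstract does not detail), here is a small Python sketch of the idea: characterize each host by a normalized hour-of-day activity profile, let unsupervised clustering discover several behavioral norms, and surface hosts that sit far from every norm for analyst follow-up. The host names and flow records are constructed, and the use of k-means, a minimum cluster size for a cluster to count as a norm, and a z-score threshold are all assumptions of this example.

```python
import math
from collections import defaultdict

# Constructed flow records (host, hour_of_day, bytes); not from the paper's dataset.
FLOWS = []
for n in range(6):                       # six workstation-like hosts, busy 09:00-17:59
    FLOWS += [(f"ws{n}", hr, 1000) for hr in range(9, 18)]
for n in range(3):                       # three server-like hosts, steady around the clock
    FLOWS += [(f"srv{n}", hr, 500) for hr in range(24)]
FLOWS += [("ws9", hr, 1000) for hr in range(9, 18)]   # one workstation that also
FLOWS += [("ws9", hr, 4000) for hr in (2, 3, 4)]      # moves large volumes at night

def hourly_profiles(flows):
    """Per-host 24-bin activity vector, normalised so shape matters, not volume."""
    raw = defaultdict(lambda: [0.0] * 24)
    for host, hour, nbytes in flows:
        raw[host][hour] += nbytes
    return {h: [v / sum(vec) for v in vec] for h, vec in raw.items()}

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(vectors, k, rounds=20):
    """Plain k-means with deterministic farthest-point seeding; returns (centroids, groups)."""
    cents = [vectors[0]]
    while len(cents) < k:
        cents.append(max(vectors, key=lambda v: min(dist(v, c) for c in cents)))
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[min(range(k), key=lambda i: dist(v, cents[i]))].append(v)
        cents = [[sum(col) / len(g) for col in zip(*g)] if g else c
                 for g, c in zip(groups, cents)]
    return cents, groups

def score_hosts(flows, k=3, min_members=2):
    """Distance from each host to its nearest behavioural norm (larger = more unusual).

    k is set above the number of norms expected; a cluster with fewer than
    min_members hosts is not treated as a norm, so an outlier cannot become
    its own 'normal' (assumed design choice of this example)."""
    prof = hourly_profiles(flows)
    cents, groups = kmeans(list(prof.values()), k)
    norms = [c for c, g in zip(cents, groups) if len(g) >= min_members] or cents
    return {h: min(dist(v, c) for c in norms) for h, v in prof.items()}

def flag_anomalies(flows, k=3, min_members=2, z=2.0):
    """Hosts whose norm distance exceeds mean + z standard deviations."""
    scores = score_hosts(flows, k, min_members)
    vals = list(scores.values())
    mu = sum(vals) / len(vals)
    sd = math.sqrt(sum((v - mu) ** 2 for v in vals) / len(vals))
    return sorted(h for h, v in scores.items() if v > mu + z * sd)
```

On the constructed data the workstation and server hosts form two norms and only `ws9`, whose night-time transfers match neither, is returned by `flag_anomalies(FLOWS)`.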