Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity
Download as PPTX, PDF1 like528 views
Presentation from the IEEE Symposium on Visualization for Cyber Security, co-located with IEEE VIS 2015, Chicago, IL.
![Filter and Zoom
• Interactive PCA [Jeong et al.]
• Scatter plot view of user daily
activity based on PCA.
• Parallel co-ordinates shows
linked view between plot and
profile features.
• Can identify groups of outliers,
and what features contribute
towards the groupings.](https://image.slidesharecdn.com/2015-10-leggvizsec-151030151039-lva1-app6891/85/Visualizing-the-Insider-Threat-Challenges-and-tools-for-identifying-malicious-user-activity-11-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity (20)
![[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx](https://cdn.slidesharecdn.com/ss_thumbnails/threathuntingtocampaigntrackingworkshop-hitcon2020ctivillage-201213185811-thumbnail.jpg?width=560&fit=bounds){kind=tracking}
Ad
Recently uploaded (20)
Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity
- 1. Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity Philip A. Legg University of the West of England, UK [email protected]
- 2. Introduction • What is Insider Threat? • Identifying Insider Threats • Visual Analytics for Insider Threat • Challenges and Limitations • Conclusion
- 3. Insider Threat • Someone with privileged access and knowledge of an organisation, who uses this in such a way that is detrimental to the operation of the organisation. • E.g., Employees, management, stakeholders, contractors • Examples threats could include intellectual property theft, data fraud, system sabotage, and reputational damage. • Typically, a threat would be initiated by a trigger and a motive (e.g., personal financial difficulties result in theft).
- 4. Insider Threat • According to the 2015 Insider Threat report by Vormetric: “93% of U.S. organisations polled responded as being vulnerable to insider threats”. “59% of U.S. respondents stated that privileged users pose the biggest threat to their organisation” • How can we mitigate threats without impacting productivity? • Have advances in technology created more opportunity for attack? • Does more activity data equal more success for mitigating threats?
- 5. Identifying Insider Threat • Given observations of user activity, how can we identify insider threats? • Generate user and role profiles for comparative analysis. • For each user/role: • What devices do they use? • What activities do they perform? • What are the attributes of the activity? • What is the time-profile of each instance?
- 6. Identifying Insider Threat GroupActivity Type _hourly_usage_ _new_activity_for_device_ _new_attribute_for_device_ _for_role _for_user logon usb_insert email http file • Given a profile of user activity, how can we identify insider threats? • Obtain ‘features’ that characterize potential threats. • New activities, or attributes • Time of the activity/attribute • Frequency of the activity/attribute Examples: logon_new_activity_for_device_for_role A count of how many times that day the user has logged on to a device that has not been accessed before by members of that particular job role. http_hourly_usage_for_user A 24 element count for each hour of activity that involves http usage for this particular user
- 7. Identifying Insider Threat • Given daily ‘features’ for each user, how can we assess and score user deviation? • One approach – PCA feature decomposition. • Suppose then that a security analyst just receives a threat score for each user for each day… • How do they know how the threat score is computed? • How can they trust that this threat score is valid? • What if they want to understand how the threat score may vary, based on different activity? • There is a need for Visual Analytics to examine the detection process!
- 9. Overview Zoom and Filter Details on Demand
- 10. Overview • Charts provide an interactive overview of selected summary statistics (e.g., amount of activity, deviation of activity). • Support filtering (date range, selection). • Zoomed view of activity by date. • Contextual view of activity by date. • Activity bar chart by job role. • Activity bar chart by individual. Change stat Select users
- 11. Filter and Zoom • Interactive PCA [Jeong et al.] • Scatter plot view of user daily activity based on PCA. • Parallel co-ordinates shows linked view between plot and profile features. • Can identify groups of outliers, and what features contribute towards the groupings.
- 12. Filter and Zoom • Dragging points on scatter plot performs inverse PCA. • Analyst can examine relationship between the projection space and the original feature space. • Can be used to identify the contribution or ‘usefulness’ of each feature for refinement of detection model (e.g., apply weighting function to PCA).
- 13. Detail View • Activity plot that maps user and role activity to time (supports either polar or Cartesian grid layout). • Comparison of user activity on a daily basis, and against others in the same job role. • Could potentially be used in conjunction with other data if available (e.g., HR records, performance reviews). Blue activity shows USB drive insert and removal Late night usage + new observation for this role = threat!
- 14. Challenges and Limitations • Gathering activity log data for Insider Threat research • Synthetic data versus real-world data? • How well can synthetic data represent normal and malicious activity? • How can real organisations actually share knowledge of insider cases? • Anomalous activity != Malicious activity • Should we be considering hybrid anomaly-signature techniques? • Make use of both the computational power and the human analyst. • Insider Threat Prevention • Ideally, organisations would like to prevent attacks rather than detect. • Requires understanding behavioral pre-cursors of the attack. • How can we collect and analyze data that may inform this approach?
- 15. Conclusion • We demonstrate the use of a Visual Analytics tool for the purpose of Insider Threat detection and model exploration. • We couple this with a detection routine based on activity profiling and feature decomposition. • Future work is to validate approaches for Insider Threat detection based on real-world deployment • Just how normal are normal users really behaving, and likewise, how malicious are the malicious users?
- 16. Thank you for your attention Philip A. Legg University of the West of England, UK [email protected]
Editor's Notes
- #2: Good morning – my name is Phil Legg, I’m from the University of the West of England, and today I’d like to talk about Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity.
- #3: To begin, I’ll start with looking at what do we mean by insider threat, and then I’ll discuss possible ways of identifying insider threats. I’ll present a visual analytics approach for insider threat detection, and then I’d like to spend some time looking at the challenges and limitations we face with insider threat research. Finally I’ll wrap up with my conclusions.
- #4: Types of insider threat – not just employees, but anyone with access and knowledge. Trigger – precipitating event to the act of becoming insider. Motive – objective of insider attack.
- #5: Insider threat is a real problem – businesses are beginning to wake up to this, however it’s taking some time. Security is not top of the priority list for many organisations. Opportunities have always been there – technology helps to widen access and to cover tracks. More data requires better data preprocessing to help the filtering of data – most data will be benign normal activity.
- #6: CMU-CERT insider threat datasets – typically 1000 employees, 15 roles – 18 months, login, usb, email, web, file.
- #7: Characterise threats – based on the reports of activity from previous case studies. Additional features could be derived if it was deemed appropriate.
- #8: There are a number of other techniques that can be used for assessing features – the talk by Simon Walton this afternoon describes this further of how multiple models can be used in a visual analytics loop. Detection should not be a black box – analysts need to know what led to the result that the computer is providing – especially if it can prevent a false accusation of threat. VA can help to discern how and why a user is scored.
- #9: The visual analytics tool follows the information-seeking mantra – as greg showed earlier: overview, zoom and filter, and details on demand.
- #11: Change statistics to a normalized anomaly view (e.g., scales anomalies such as e-mail and web, which surpass more indicative things such as logon and usb). IT Admin role scores highest – however all users score high – the role typically have anomaly behaviours. Director role scores second highest – significant difference between one user and his peers.
- #12: We adopt an Interactive PCA approach for examining the relationship between PCA output and the original input features. Can also study the eigenvalues of the decomposition and select different combinations to show on the scatter plot.
- #15: What are the additional sensors that we can use for insider threat? Better use and availability of employee reporting tools. Insider threat prevention – as greg showed earlier- minority report.
- #17: In the process of making the source available from the webpage shown