A Study on Method for Insider Data Leakage Detection

A Study on a Method for Detecting Insider Information Leakage

  • Kim, Hyun-Soo (Dept of Computer Science, Agency for Defense Development)
  • Received : 2017.07.11
  • Accepted : 2017.08.11
  • Published : 2017.08.31

Abstract

Organizations face an ever-growing concern about how to prevent confidential information from being leaked by internal employees. Those who have authorized access to organizational data are placed in a position of power that could well be abused and could cause significant damage to an organization. In this paper, we investigate the task of detecting such insiders by modeling a user's normal behavior in order to detect anomalies in that behavior which may be indicative of a data leakage. We make use of Hidden Markov Models to learn what constitutes normal behavior, and then use them to detect significant deviations from that behavior. Experiments were carried out to determine the optimal HMM parameters, and our results show a detection capability of a 20% false positive rate and an 80% detection rate.

Recently, incidents in which internal information is leaked have continued to occur at many companies and institutions, and most of these internal-information leakage incidents are caused by authorized insiders. This paper proposes an insider information leakage detection technique that uses a Hidden Markov Model (HMM) to model the information generated by insiders' normal behavior and then detects insiders' abnormal behavior. Features of insiders' behavior are extracted from the logs of security systems to generate input sequences, which are used to train the HMM and produce a model of normal behavior. Abnormal behavior is judged by applying the observation sequence of a user's behavior to the normal-behavior model, calculating a probability value, and comparing that value with a specific threshold. Through experiments, the optimal HMM parameters for detecting insider information leakage behavior were determined, and the experimental results show that the proposed system achieved a 20% false positive rate and an 80% detection rate for insider information leakage behavior.
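The detection step the abstract describes (score a user's observation sequence under the normal-behavior HMM with the forward algorithm, then compare with a threshold) as an added Python example; this is not code from the paper. The event alphabet, the two-state model parameters and the sample sequences are constructed stand-ins for what the paper extracts from security-system logs and learns in training.

```python
import math

# Constructed observation alphabet: event types extracted from security-system logs.
SYMBOLS = ["login", "read_doc", "edit_doc", "print", "usb_copy", "logoff"]
IDX = {s: i for i, s in enumerate(SYMBOLS)}

# Constructed two-state "normal behavior" HMM (assumption: already trained).
PI = [0.9, 0.1]                       # initial state distribution
A = [[0.85, 0.15],                    # state transition matrix
     [0.30, 0.70]]
B = [[0.25, 0.40, 0.25, 0.05, 0.01, 0.04],   # state 0: routine document work
     [0.05, 0.10, 0.10, 0.40, 0.20, 0.15]]   # state 1: output-heavy activity

def log_likelihood(obs):
    """Scaled forward algorithm: log P(obs | model) without underflow."""
    alpha = [PI[i] * B[i][IDX[obs[0]]] for i in range(2)]
    scale = sum(alpha)
    alpha = [a / scale for a in alpha]
    logp = math.log(scale)
    for o in obs[1:]:
        new = [sum(alpha[i] * A[i][j] for i in range(2)) * B[j][IDX[o]] for j in range(2)]
        scale = sum(new)
        alpha = [a / scale for a in new]
        logp += math.log(scale)          # product of scale factors = P(obs)
    return logp

def score(obs):
    """Per-event log-likelihood so sequences of different length are comparable."""
    return log_likelihood(obs) / len(obs)

def is_anomalous(obs, threshold):
    """Flag a sequence whose probability under the normal model is too low."""
    return score(obs) < threshold

def calibrate_threshold(normal_seqs, fp_rate):
    """Choose the threshold that flags roughly fp_rate of known-normal sequences."""
    scores = sorted(score(s) for s in normal_seqs)
    k = min(int(len(scores) * fp_rate), len(scores) - 1)
    return scores[k]

# Constructed sample sequences: routine work vs. repeated copy-out activity.
NORMAL = ["login", "read_doc", "edit_doc", "read_doc", "edit_doc", "read_doc", "logoff"]
SUSPECT = ["login", "read_doc", "usb_copy", "usb_copy", "print", "usb_copy", "logoff"]
```

Scores are log-likelihoods per event, so lower is less likely under the normal model; `calibrate_threshold` picks the cut-off from normal training sequences at the false-positive rate the operator accepts.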
