Abstract
Insider threats are one of today's most challenging cybersecurity issues and are not well addressed by commonly employed security solutions. In this work, we propose a structural taxonomy and a novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories, which include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat because it provides (1) a novel structural taxonomy that contributes to the orthogonal classification of incidents and to defining the scope of the defense solutions employed against them, (2) an overview of publicly available datasets that can be used to test new detection solutions against other works, (3) references to existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and (4) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.
Metrics
Citations: 202
References: 180

Details
Published: Apr 02, 2019
Vol/Issue: 52(2)
Pages: 1-40

Cite This Article
Ivan Homoliak, Flavio Toffalini, Juan Guarnizo, et al. (2019). Insight Into Insiders and IT. ACM Computing Surveys, 52(2), 1-40. https://doi.org/10.1145/3303771