Insider Threat Detection Based on User Behavior Modeling and Anomaly Detection Algorithms

Kim, Junhong; Park, Minsik; Kim, Hae-Dong; Cho, Suhyoun; Kang, Pilsung

doi:10.3390/app9194018

Cited by 62 publications

(31 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Anomaly detection, also known as behaviour-based detection, assumes that behaviour that determines the attacker’s likely activity is different from the behaviour of a permitted network user [ 53 ]. IDS supporting anomaly-based detection is highly effective at finding zero-day attacks; however, it generates high volumes of false positives.…”

Section: Intrusion Detectionmentioning

confidence: 99%

Multivariable Heuristic Approach to Intrusion Detection in Network Environments

Niemiec

Kościej

Gdowski

2021

Entropy

View full text Add to dashboard Cite

The Internet is an inseparable part of our contemporary lives. This means that protection against threats and attacks is crucial for major companies and for individual users. There is a demand for the ongoing development of methods for ensuring security in cyberspace. A crucial cybersecurity solution is intrusion detection systems, which detect attacks in network environments and responds appropriately. This article presents a new multivariable heuristic intrusion detection algorithm based on different types of flags and values of entropy. The data is shared by organisations to help increase the effectiveness of intrusion detection. The authors also propose default values for parameters of a heuristic algorithm and values regarding detection thresholds. This solution has been implemented in a well-known, open-source system and verified with a series of tests. Additionally, the authors investigated how updating the variables affects the intrusion detection process. The results confirmed the effectiveness of the proposed approach and heuristic algorithm.

show abstract

Section: Intrusion Detectionmentioning

confidence: 99%

Multivariable Heuristic Approach to Intrusion Detection in Network Environments

Niemiec

Kościej

Gdowski

2021

Entropy

View full text Add to dashboard Cite

show abstract

“…From previous research [12][13][14] and descriptions related to insider threat detection and analysis based on machine learning methodology, we selected the classification and clustering concepts as well as the related techniques [15,16] for anomaly detection and misuse as the main scope of this research.…”

Section: Insider Threats Based On Machine Learning Approachmentioning

confidence: 99%

Study on Inside Threats Based on Analytic Hierarchy Process

Seo

Kim

2020

Symmetry

View full text Add to dashboard Cite

Insider threats that occur within organizations cause more serious damage than external threats. However, there are many factors that are difficult to determine, such as the definition, classification, and severity of security breaches; hence, it is necessary to analyze system logs and user behavior-based scenarios within organizations. The reality is that qualitative judgment criteria are different for everyone to apply, and there is no detailed verification procedure to compare them objectively. In this study, realistic insider threats were examined through the definition, classification, and correlation/association analysis of various human–machine logs of acts associated with security breaches that occur in an organization. In addition, a quantitative process and decision-making tool were developed for insider threats by establishing various internal information leakage scenarios. As a result, insider threats were assessed quantitatively and a decision-making process was completed that enabled case analysis based on several insider threat scenarios. This study will enable precise modeling of insider threats that occur in real organizations and will support an objective process and a decision-making system to establish a range of required information for security protection measures.

show abstract

“…Consequently, the following MC pairwise transitional training matrix T MC was created, as indicated by Equation (14). For comprehensive training, this was repeated 2 n (n < 10) times.…”

Section: Final Mrimentioning

confidence: 99%

“…Thus, if the activities of malicious codes are analyzed in detail, existing and potential threats can be considered simultaneously. This is because if the type of malware detected during static/dynamic analysis of malicious code is reclassified, and the malicious activities (MAs) [14] involved are identified and quantified, the purpose, means, and strategy of an attacker attacking his/her organization can be inferred. This is a critical process for improving the organization's information protection system and establishing an intelligent cyber defense strategy.…”

Section: Introductionmentioning

confidence: 99%

Decision-Making Method for Estimating Malware Risk Index

Kim

2019

Applied Sciences

View full text Add to dashboard Cite

Most recent cyberattacks have employed new and diverse malware. Various static and dynamic analysis methods are being introduced to detect and defend against these attacks. The malware that is detected by these methods includes advanced present threat (APT) attacks, which allow additional intervention by attackers. Such malware presents a variety of threats (DNS, C&C, Malicious IP, etc.) This threat information used to defend against variants of malicious attacks. However, the intelligence that is detected in this manner is used in the blocking policies of information-security systems. Consequently, it is difficult for staff who perform Computer Emergence Response Team security control to determine the extent to which cyberattacks such as malware are a potential threat. Additionally, it is difficult to use this intelligence to establish long-term defense strategies for specific APT attacks or implement intelligent internal security systems. Therefore, a decision-making model that identifies threat sources and malicious activities (MAs) that occur during the static and dynamic analysis of various types of collected malware and performs machine learning based on a quantitative analysis of these threat sources and activities is proposed herein. This model estimates malware risk indices (MRIs) in detail using an analytic hierarchy process to analyze malware and the probabilities of MAs. The analysis results were significant, as the consistency index of the estimated MRI values for 51300 types of malware, which were collected during a specific control period, was maintained at <0.051.

show abstract

Insider Threat Detection Based on User Behavior Modeling and Anomaly Detection Algorithms

Cited by 62 publications

References 24 publications

Multivariable Heuristic Approach to Intrusion Detection in Network Environments

Multivariable Heuristic Approach to Intrusion Detection in Network Environments

Study on Inside Threats Based on Analytic Hierarchy Process

Decision-Making Method for Estimating Malware Risk Index

Contact Info

Product

Resources

About