Leveraging social networks to detect anomalous insider actions in collaborative environments

Chen, You; Nyemba, Steve; Zhang, Wen; Malin, Bradley

doi:10.1109/isi.2011.5984061

Cited by 17 publications

(13 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that some of the patterns found in Wikipedia are short-lived and have big-network-span (1,2,3,4,6,7,9), while others affect smaller portion of the network, but extend in a longer time period (5,8,10). If we use anomaly detection methods based on single edge/node analysis, we will not discover the full range of patterns and many of the events reported in Table 3 will be missed.…”

Section: Resultsmentioning

confidence: 99%

“…This includes algorithms to detect unusual behavior in social, email and phone call networks [8,12,13], computer network traffic [14,17,32], smart grid sensor data [6] and water distribution networks [19]. Most of these approaches focus on link and node behavior anomalies [2,5,18,27,28,9].…”

Section: Related Workmentioning

confidence: 99%

“…While detecting anomalous nodes and edges is complementary to our method, global approaches are often non sensitive enough in detecting anomalies that involve small parts of the network. Recently, Chen et al [8] proposed a method for anomalous community evolution discovery, which considers six possible types of community-dynamics anomalies: grown, shrunk, merged, split, born and vanished. In contrast, we aim to find regions in which the anomalous behavior persists in space (connected subnetworks) and time.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

NetSpot: Spotting Significant Anomalous Regions on Dynamic Networks

Bogdanov

Faloutsos

Mongiovì

et al. 2013

Proceedings of the 2013 SIAM International Conference on Data Mining

View full text Add to dashboard Cite

How to spot and summarize anomalies in dynamic networks such as road networks, communication networks and social networks? An anomalous event, such as a traffic accident, a denial of service attack or a chemical spill, can affect several near-by edges and make them behave abnormally, over several consecutive time-ticks. We focus on spotting and summarizing such significant anomalous regions, spanning space (i.e. nearby edges), as well as time.Our first contribution is the problem formulation, namely finding all such Significant Anomalous Regions (SAR). The next contribution is the design of novel algorithms: an expensive, exhaustive algorithm, as well as an efficient approximation, called NetSpot. Compared to the exhaustive algorithm, NetSpot is up to one order of magnitude faster in real data, while achieving less than 4% average relative error rate. In synthetic datasets, it is more than 30 times faster and solves large problem instances that are otherwise infeasible. The final contribution is the validation on real data: we demonstrate the utility of NetSpot for inferring accidents on road networks and detecting patterns of anomalous access to subnetworks of Wikipedia. We also study NetSpot's scalability in large social, transportation and synthetic evolving networks, spanning in total up to 50 million edges.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

NetSpot: Spotting Significant Anomalous Regions on Dynamic Networks

Bogdanov

Faloutsos

Mongiovì

et al. 2013

Proceedings of the 2013 SIAM International Conference on Data Mining

View full text Add to dashboard Cite

show abstract

“…This is because the current set of approaches tend to assume that either training information is available to build robust classifiers or that the user has committed a large number of actions that deviate from “normal” behavior. Given these limitations, the main contributions of this paper, which is an extension of [28], are as follow:…”

Section: Introductionmentioning

confidence: 99%

“…Our model then assesses if the similarity of the network with and without the user are significantly different. In contrast to [28], we provide justification for certain modeling decisions and the similarity measures employed.…”

Section: Introductionmentioning

confidence: 99%

Specializing network analysis to detect anomalous insider actions

et al. 2012

Self Cite

View full text Add to dashboard Cite

Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks in complex distributed environments. For flexibility, they provide users with broad access privileges, which, as a side-effect, leave such systems vulnerable to various attacks. Some of the more damaging malicious activities stem from internal misuse, where users are authorized to access system resources. A promising class of insider threat detection models for CIS focuses on mining access patterns from audit logs, however, current models are limited in that they assume organizations have significant resources to generate label cases for training classifiers or assume the user has committed a large number of actions that deviate from “normal” behavior. In lieu of the previous assumptions, we introduce an approach that detects when specific actions of an insider deviate from expectation in the context of collaborative behavior. Specifically, in this paper, we introduce a specialized network anomaly detection model, or SNAD, to detect such events. This approach assesses the extent to which a user influences the similarity of the group of users that access a particular record in the CIS. From a theoretical perspective, we show that the proposed model is appropriate for detecting insider actions in dynamic collaborative systems. From an empirical perspective, we perform an extensive evaluation of SNAD with the access logs of two distinct environments: the patient record access logs a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,394,385 revisors, 55,200 articles and 6,482,780 revisions). We compare our model with several competing methods and demonstrate SNAD is significantly more effective: on average it achieves 20–30% greater area under an ROC curve.

show abstract