Proactive Detection of Insider Threats with Graph Analysis and Learning (PRODIGAL)

Abstract

Leidos developed and operated a prototype system (PRODIGAL) as a testbed for exploring a range of insider threat detection and analysis methods. The data and test environment, system components, and the core method of unsupervised detection of insider threat leads are presented to benefit others working in the insider threat domain. We discuss a set of experiments evaluating the prototype's ability to detect both known and unknown malicious insider behaviors. The experimental results show the ability to detect a large variety of insider threat scenario instances embedded in real data with no prior knowledge of which scenarios are present or when they occur. We report on an ensemble-based, unsupervised technique for detecting potential insider threat instances. When run over 16 months of real monitored computer usage activity, augmented with independently developed insider threat scenarios that were realistic but not known to the detection team in advance, this technique robustly achieves results within five percent of the best individual detectors identified after the fact. We discuss factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of domain knowledge encoded in detectors designed for specific activity patterns.
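The abstract describes an ensemble of unsupervised detectors, some generic and some encoding domain knowledge about specific activity patterns, whose fused output is compared against each individual detector's ranking of the same user-day records. The following is an added illustration of that idea and is not PRODIGAL's code: the dataset (six users, thirty days, one injected exfiltration-style user-day) is constructed, the four detectors and their feature set are assumptions, and median-rank fusion is one plausible combination rule, not the rule the report used. It shows why an ensemble can track the best detector even when one member (the e-mail burst detector) is blind to the scenario.

```python
import random
import statistics
from collections import defaultdict

# Constructed toy dataset: per-user, per-day activity counts (not real monitoring data).
USERS = ["u1", "u2", "u3", "u4", "u5", "u6"]
DAYS = range(1, 31)
FEATURES = ["removable_copies", "after_hours_events", "upload_mb", "external_emails"]
INJECTED = ("u3", 20)  # the one user-day carrying an injected (hypothetical) exfiltration scenario


def build_dataset(seed=7):
    """Baseline activity drawn uniformly at random, then one scenario instance overlaid."""
    rng = random.Random(seed)
    rows = {}
    for user in USERS:
        for day in DAYS:
            rows[(user, day)] = {
                "removable_copies": rng.randint(0, 3),
                "after_hours_events": rng.randint(0, 5),
                "upload_mb": rng.randint(0, 50),
                "external_emails": rng.randint(0, 10),
            }
    # Scenario: bulk copy to removable media after hours plus a large upload, e-mail left at baseline.
    rows[INJECTED].update(removable_copies=40, after_hours_events=25, upload_mb=900)
    return rows


def loo_zscore(values, idx):
    """Leave-one-out z-score: the scored day is excluded from its own baseline.
    The std is floored at 1.0 so near-constant features do not explode into noise."""
    others = values[:idx] + values[idx + 1:]
    mean = statistics.fmean(others)
    std = max(statistics.pstdev(others), 1.0)
    return abs(values[idx] - mean) / std


def _per_user_loo(rows, features):
    """Max leave-one-out z over the given features, each user against its own history."""
    by_user = defaultdict(list)
    for key in sorted(rows):
        by_user[key[0]].append(key)
    scores = {k: 0.0 for k in rows}
    for keys in by_user.values():
        for f in features:
            values = [rows[k][f] for k in keys]
            for i, k in enumerate(keys):
                scores[k] = max(scores[k], loo_zscore(values, i))
    return scores


def self_baseline_detector(rows):      # generic: deviation from the user's own past
    return _per_user_loo(rows, FEATURES)


def email_burst_detector(rows):        # generic but narrow: only watches outbound e-mail
    return _per_user_loo(rows, ["external_emails"])


def population_detector(rows):
    """Generic: robust (median/MAD) distance of each user-day from the whole population."""
    keys = sorted(rows)
    scores = {k: 0.0 for k in keys}
    for f in FEATURES:
        values = [rows[k][f] for k in keys]
        med = statistics.median(values)
        mad = max(statistics.median(abs(v - med) for v in values), 1.0)
        for k in keys:
            scores[k] += abs(rows[k][f] - med) / mad
    return scores


def exfil_pattern_detector(rows):
    """Domain-knowledge detector: a hand-written score for the 'copy after hours, then upload' pattern."""
    return {k: r["removable_copies"] * (1 + r["after_hours_events"]) + r["upload_mb"] / 10
            for k, r in rows.items()}


DETECTORS = {
    "self_baseline": self_baseline_detector,
    "population": population_detector,
    "exfil_pattern": exfil_pattern_detector,
    "email_burst": email_burst_detector,
}


def to_ranks(scores):
    """Rank 1 = most anomalous; ties broken deterministically by key."""
    ordered = sorted(scores, key=lambda k: (-scores[k], k))
    return {k: i + 1 for i, k in enumerate(ordered)}


def median_rank_fusion(rank_tables):
    """Assumed fusion rule: a user-day's ensemble score is the median of its per-detector ranks,
    so a single detector that misses the scenario cannot drag the lead down the list."""
    keys = next(iter(rank_tables.values())).keys()
    fused = {k: statistics.median(t[k] for t in rank_tables.values()) for k in keys}
    return to_ranks({k: -v for k, v in fused.items()})


def run_ensemble(rows):
    ranks = {name: to_ranks(det(rows)) for name, det in DETECTORS.items()}
    ranks["ensemble"] = median_rank_fusion({n: ranks[n] for n in DETECTORS})
    return ranks


def lead_positions(ranks, key=INJECTED):
    """Where each detector, and the ensemble, places the injected user-day (1 = top lead)."""
    return {name: table[key] for name, table in ranks.items()}


if __name__ == "__main__":
    data = build_dataset()
    for name, pos in lead_positions(run_ensemble(data)).items():
        print(f"{name:14s} puts the injected user-day at position {pos} of {len(data)}")
```

The three detectors that can see the scenario each put the injected user-day at the top, the e-mail-only detector places it essentially at random, and the median-rank ensemble still ranks it first because a lead needs a poor rank from at least half the detectors before its median moves. With mean-rank fusion the same blind detector would pull the lead down, which is one reason the number and variety of detectors matters in practice.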

Document Details

Document Type
Technical Report
Publication Date
May 24, 2017
Accession Number
AD1058565

Entities

People

  • Brian J. Phillips
  • Henry G. Goldberg
  • Matthew G. Reardon

Organizations

  • Leidos

Tags

Communities of Interest

  • Autonomy
  • Biomedical
  • Energy and Power Technologies
  • Engineered Resilient Systems
  • Human Systems

DTIC Thesaurus Topics

  • Anomaly Detection
  • Artificial Intelligence
  • Bayesian Networks
  • Change Detection
  • Computational Science
  • Computers
  • Data Mining
  • Electrical Engineering
  • Employment
  • Information Science
  • Information Systems
  • Machine Learning
  • Network Science
  • Operating Systems
  • Pattern Recognition
  • Social Media
  • Test And Evaluation

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Distributed Systems and Data Platform Development
  • Neural Network Machine Learning