Using Machine Learning To Predict The Insider Threat In A Network Environment
Abstract
Cybersecurity professionals have traditionally relied on Security Information and Event Management (SIEM) systems that ingest network, server, and host logs to detect suspicious and malicious activity, supplemented by manual inspection of packet captures for clues of nefarious activity. Our research applies machine learning to this problem. We developed a model that observes packet-header characteristics while a user accesses a remote file server. We introduced several data sets and host-server configurations to determine whether our classification model identified file access behavior consistently across them. Using header features alone, we were able to predict and classify file access behavior such as uploading, downloading, deleting, and moving files on a file server, and the resulting classifications were similar across different host-server configurations and files. Our research demonstrates potential avenues for studying file access behavior on an enterprise network. Information repositories such as file servers, SharePoint, and online data hosting sites such as Dropbox present an attack surface for information theft, so classifying file access behavior against these resources is a valuable goal for cybersecurity.
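The abstract describes the approach at a high level: summarize each client/file-server flow by quantities visible in packet headers (direction, frame length, packet count) and train a classifier to map those summaries to a file action. The following is an added illustration of that idea, not the report's model, feature set, or data: the four header-derived features, the synthetic SMB-like flows, and the k-nearest-neighbours classifier are all assumptions made for this example. It runs offline on constructed traffic and shows why bulk transfers (upload/download) separate cleanly on byte direction while metadata operations (delete/move) have to be told apart by request size and exchange count.

```python
"""Classify file-server actions (upload, download, delete, move) from
packet-header statistics alone, with no payload inspection.

Added example illustrating the approach described in the abstract. The
feature set, the synthetic flows and the k-NN classifier are assumptions
made for this illustration, not the report's model, features or data.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    to_server: bool  # True for client -> file server (from the IP header)
    length: int      # frame length in bytes (from the frame/IP header)


def flow_features(packets):
    """Header-only summary of one client/server flow.

    Returns (packet count, fraction of bytes sent to the server,
    mean client->server frame length, mean server->client frame length).
    """
    def mean(xs):
        return sum(xs) / len(xs) if xs else 0.0

    up = [p.length for p in packets if p.to_server]
    down = [p.length for p in packets if not p.to_server]
    total = sum(up) + sum(down)
    return (float(len(packets)), sum(up) / total if total else 0.0,
            mean(up), mean(down))


def synth_flow(action, rng):
    """Constructed flows mimicking SMB-style traffic; all sizes are invented."""
    pkts = []
    if action == "upload":        # many full-size frames to the server, small acks back
        for _ in range(rng.randint(20, 60)):
            pkts.append(Packet(True, rng.randint(1400, 1514)))
            pkts.append(Packet(False, rng.randint(60, 66)))
    elif action == "download":    # mirror image of an upload
        for _ in range(rng.randint(20, 60)):
            pkts.append(Packet(True, rng.randint(60, 66)))
            pkts.append(Packet(False, rng.randint(1400, 1514)))
    elif action == "delete":      # two short request/response exchanges
        for _ in range(2):
            pkts.append(Packet(True, rng.randint(180, 200)))
            pkts.append(Packet(False, rng.randint(100, 110)))
    elif action == "move":        # a rename carries two paths, so larger requests
        for _ in range(3):
            pkts.append(Packet(True, rng.randint(440, 480)))
            pkts.append(Packet(False, rng.randint(100, 110)))
    else:
        raise ValueError(action)
    return pkts


class HeaderKNN:
    """k-nearest-neighbours over z-scored flow features."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, flows, labels):
        X = [flow_features(f) for f in flows]
        cols = list(zip(*X))
        self.mu = [sum(c) / len(c) for c in cols]
        self.sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
                   for c, m in zip(cols, self.mu)]
        self.train = [(self._scale(x), y) for x, y in zip(X, labels)]
        return self

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, flow):
        z = self._scale(flow_features(flow))
        nearest = sorted(self.train, key=lambda t: math.dist(t[0], z))[: self.k]
        return Counter(y for _, y in nearest).most_common(1)[0][0]


ACTIONS = ("upload", "download", "delete", "move")


def build_model(seed=7, per_class=10):
    """Train on constructed flows; the seed only fixes the synthetic data."""
    rng = random.Random(seed)
    flows, labels = [], []
    for action in ACTIONS:
        for _ in range(per_class):
            flows.append(synth_flow(action, rng))
            labels.append(action)
    return HeaderKNN(k=3).fit(flows, labels)


def evaluate(model, seed=99, per_class=5):
    """Accuracy on fresh constructed flows drawn from a different seed."""
    rng = random.Random(seed)
    correct = total = 0
    for action in ACTIONS:
        for _ in range(per_class):
            correct += model.predict(synth_flow(action, rng)) == action
            total += 1
    return correct / total


if __name__ == "__main__":
    model = build_model()
    print("held-out accuracy:", evaluate(model))
    # A hand-built flow with the shape of a delete: two short request/response pairs.
    probe = [Packet(True, 190), Packet(False, 105), Packet(True, 185), Packet(False, 102)]
    print("probe classified as:", model.predict(probe))
```

The standardization step matters: raw byte counts for uploads are hundreds of times larger than for a delete, so without z-scoring the distance metric would ignore the packet-count and request-size features that distinguish delete from move. On real captures the same pipeline would take its packets from a flow reassembled out of a pcap, and the class separation would be far less clean than on this constructed traffic.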
Document Details
- Document Type: Technical Report
- Publication Date: Mar 01, 2021
- Accession Number: AD1150700
Entities
People
- Natasha K. Niemann
- Raymond G. Blockmon
Organizations
- Naval Postgraduate School