Detecting Potential Insider Threats Through Email Datamining
Abstract
Despite a technology bias that focuses on external electronic threats, insiders pose the greatest threat to commercial and government organizations. One means of preventing insider theft is to stop potential insiders from actually crossing the line. In the overwhelming majority of cases, people do not join an organization with the intention of stealing or causing harm. Instead, something, or often several things, happens while the individual is in the organization and precedes his malevolent actions. One of the traits identified with insiders is their feeling of alienation from the organization. By data mining emails, an employee's interests can be discerned. These interests are then used to construct social networks, which in turn are used to identify individuals whose interests are shared with, but not discussed with, other members of the organization. These individuals with clandestine interests have the potential to be insider threats. This paper describes the use of Probabilistic Latent Semantic Indexing (PLSI) extended to include users (PLSI-U) and Author Topic extended to include documents to determine topics of interest for employees from their email activity. It then applies PLSI-U and Author Topic to the Enron email corpus. The results show that by comparing the topics of emails that people send internally with the ones sent externally, a small number of employees (0.03%-1.0%) emerge as having clandestine interests and the potential to become insider threats. Most significantly, one of these individuals is Sherron Watkins, the famous whistleblower in the Enron case.
Document Details
- Document Type: Technical Report
- Publication Date: Mar 01, 2006
- Accession Number: ADA453572
Entities
People
- James Okolica
Organizations
- Air Force Institute of Technology