Detecting the Misappropriation of Sensitive Information through Bottleneck Monitoring

Abstract

The insider threat has proved a tough nut to crack. Previous work in this area has been dominated by efforts to model normal user behavior through statistical measures and then detect substantial anomalies. Unfortunately, while these methods have shown some ability in the detection of masqueraders, broader applications have proved ineffectual due to extremely high false alarm rates. In this paper, the authors describe an alternative approach, Stochastic Long-String Analysis with Feedback (SL-SAFE), that can achieve high levels of accuracy in detecting the unauthorized access and distribution of sensitive/proprietary information by insiders, the single most costly type of computer crime. SL-SAFE succeeds in this task by means of a stochastic sampling of bottlenecks through which information must flow to be useful to the malicious insider. Further, it achieves a low (and shrinking) false alarm rate by validating its suspicions through public information sources and eliciting feedback from the information owner.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2005
Accession Number
ADA454839

Entities

People

  • Matthew Broadhead
  • Terrance Goan

Organizations

  • Stottler Henke Associates

Tags

Communities of Interest

  • Cyber
  • Ground and Sea Platforms

DTIC Thesaurus Topics

  • Anomaly Detection
  • Authentication
  • Change Detection
  • Computers
  • Cybersecurity
  • Detection
  • Detectors
  • False Alarms
  • Information Security
  • Insider Threats
  • Intrusion
  • Intrusion Detection
  • Knowledge Management
  • Monitoring
  • Operating Systems
  • Security
  • Warning Systems

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Economics
  • Sensor Fusion and Tracking Systems