A Framework for Detecting Insider Threats using Psychological Triggers

Takayuki Sasaki
2012, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
Malicious insiders are difficult to detect and prevent, because insiders such as employees have legitimate rights to access an organization's resources in order to carry out their responsibilities. To overcome this problem, we have developed a framework that detects suspicious insiders using a psychological trigger that impels malicious insiders to behave suspiciously. We have also proposed an architecture comprising an announcer, a monitor, and an analyzer. First, the announcer creates an event (called a "trigger") that impels malicious insiders to behave suspiciously. Then the monitors record suspicious actions such as file and e-mail deletions. Finally, the analyzer identifies the suspicious insiders by comparing the number of deletions before and after the trigger. In this paper, we extend the monitored reaction from "data deletion" alone to "stopping further malicious activities". This extension allows a wider variety of use cases, such as "finding private web browsing" and "finding use of unnecessary applications". We also extend the architecture so as to monitor servers as well as clients. The server monitoring architecture is required in the case of server-side data deletions, i.e., e-mail or file deletions at the server side. Moreover, we describe the effectiveness of our approach in such cases.
doi:10.22667/jowua.2012.03.31.099 dblp:journals/jowua/Sasaki12 fatcat:innbjj7ufzatdareko5jhdx274
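The analyzer step described in the abstract, comparing each user's deletion count before and after the trigger, as an added example that is not the paper's own code. The log format, the trigger time, the comparison window and the ratio/minimum thresholds are all assumptions; the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of monitor records (not from the paper), one per line:
# "<timestamp> <user> <action> <target>"; bob and dave delete far more after the trigger.
SAMPLE_LOG = """\
2012-03-01T09:00 alice delete file:report.docx
2012-03-01T09:30 bob delete mail:msg-101
2012-03-02T11:00 alice read file:budget.xlsx
2012-03-05T10:10 bob delete mail:msg-102
2012-03-05T10:11 bob delete mail:msg-103
2012-03-05T10:12 bob delete file:draft.docx
2012-03-05T10:15 bob delete mail:msg-104
2012-03-05T12:00 alice delete file:tmp.txt
2012-03-06T09:00 carol delete file:a.txt
2012-03-06T09:01 carol delete file:b.txt
2012-03-06T14:00 dave delete mail:msg-200
2012-03-06T14:01 dave delete mail:msg-201
2012-03-06T14:02 dave delete mail:msg-202
"""
TRIGGER_TIME = datetime(2012, 3, 5, 10, 0)  # hypothetical time of the announcer's trigger
WINDOW = timedelta(days=7)                   # compared on each side of the trigger

def parse_log(text):
    records = []  # (timestamp, user, action, target) tuples
    for line in text.splitlines():
        ts, user, action, target = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, action, target))
    return records

def deletions_per_user(records, trigger_time, window):
    before, after = defaultdict(int), defaultdict(int)
    for ts, user, action, _ in records:
        if action != "delete":  # deletion is the monitored reaction; ignore the rest
            continue
        if trigger_time - window <= ts < trigger_time:
            before[user] += 1
        elif trigger_time <= ts < trigger_time + window:
            after[user] += 1
    return before, after

def flag_suspicious(records, trigger_time, window, ratio=3.0, min_after=3):
    before, after = deletions_per_user(records, trigger_time, window)
    flagged = {}  # user -> (deletions before, deletions after)
    for user in set(before) | set(after):
        b, a = before[user], after[user]
        # Baseline floored at 1 so a user with no prior deletions is judged by min_after.
        if a >= min_after and a >= ratio * max(b, 1):
            flagged[user] = (b, a)
    return flagged
```

Absolute and ratio thresholds together keep a single routine cleanup (carol) from being flagged while still catching a burst from a user with no deletion history (dave).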