Browse > Article
http://dx.doi.org/10.3837/tiis.2017.10.020

Indicator-based Behavior Ontology for Detecting Insider Threats in Network Systems  

Kauh, Janghyuk (The 2nd Institute 3rd Directorate, Agency for Defense Development (ADD))
Lim, Wongi (The 2nd Institute 3rd Directorate, Agency for Defense Development (ADD))
Kwon, Koohyung (The 2nd Institute 3rd Directorate, Agency for Defense Development (ADD))
Lee, Jong-Eon (Tactical Communication Team, Hanwha Systems)
Kim, Jung-Jae (Dept. of Computer Science, Kwangwoon University)
Ryu, Minwoo (Korea Telecom R&D Center, Korea Telecom (KT))
Cha, Si-Ho (Dept. of Multimedia Science, Chungwoon University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.11, no.10, 2017 , pp. 5062-5079 More about this Journal
Abstract
Malicious insider threats have increased recently, and methods of the threats are diversifying every day. These insider threats are becoming a significant problem in corporations and governments today. From a technology standpoint, detecting potential insider threats is difficult in early stage because it is unpredictable. In order to prevent insider threats in early stage, it is necessary to collect all of insiders' data which flow in network systems, and then analyze whether the data are potential threat or not. However, analyzing all of data makes us spend too much time and cost. In addition, we need a large repository in order to collect and manage these data. To resolve this problem, we develop an indicator-based behavior ontology (IB2O) that allows us to understand and interpret insiders' data packets, and then to detect potential threats in early stage in network systems including social networks and company networks. To show feasibility of the behavior ontology, we developed a prototype platform called Insider Threat Detecting Extractor (ITDE) for detecting potential insider threats in early stage based on the behavior ontology. Finally, we showed how the behavior ontology would help detect potential inside threats in network system. We expect that the behavior ontology will be able to contribute to detecting malicious insider threats in early stage.
Keywords
Semantics; insider threat; behavior indicator; ontology; network system; security;
Citations & Related Records
연도 인용수 순위
  • Reference
1 Protege 5.0, Available online: http://protege.stanford.edu (accessed on 21 November 2016)
2 Horrocks, I., Patel-Schneider, P.F., Boley, H., Tabet, S., Grosof, B., Dean, M., "SWRL: A semantic web rule language combining OWL and RuleML." Available online: http://www.w3.org/Submission/2004/SUBM-SWRL-20040521/ (accessed on 21 November 2016).
3 van Heerden, R. P., Irwin, B., Burke, I., "Classifying network attack scenarios using an Ontology," in Proc. of of the 7th International Conference on Information-Warfare & Security (ICIW 2012), pp. 311-324, January 2012.
4 Aleman-Meza, B., Burns, P., Eavenson, M., Palaniswami, D., Sheth, A. P., "An Ontological Approach to the Document Access Problem of Insider Threat," in Proc. of IEEE Intl. In Conference on Intelligence and Security Informatics (ISI-2005), 2005.
5 Symonenko, S., Liddy, E. D., Yilmazel, O., Del Zoppo, R., Brown, E., Downey, M., "Semantic analysis for monitoring insider threats," in Proc. of International Conference on Intelligence and Security Informatics, Springer Berlin Heidelberg, pp. 492-500, June 2004.
6 Greitzer, F. L., Hohimer, R. E., "Modeling human behavior to anticipate insider attacks," Journal of Strategic Security, vol. 4, no. 2, pp. 25-48, 2001.   DOI
7 Raskin, V., Taylor, J. M., Hempelmann, C. F., "Ontological semantic technology for detecting insider threat and social engineering," in Proc. of the 2010 workshop on New security paradigms ACM, pp. 115-128, September 2010.
8 Nirenburg, S., Raskin, V., "Ontological Semantics," MIT Press, 2004
9 Advanced Research and Development Activity (ARDA), Available online: http://www.ic-arda.org/ (accessed on 21 November 2016)
10 Karande, M. H. A., Kulkarni, M. P. A., Gupta, S. S., Gupta, D., "Security against Web Application Attacks Using Ontology Based Intrusion Detection System," in Proc. of 2015 International Conference on Communication Networks (ICCN), Gwalior, India, November 2015.
11 CERT, http://www.cert.org/insider-threat/tools/index.cfm (accessed on 21 November 2016)
12 Wang, H., Wang, S., "Cyber warfare: steganography vs. steganalysis," Communications of the ACM, vol 47, no. 10, pp. 76-82, 2004.   DOI
13 Stephens, G. D., Maloof, M. A., "U.S. Patent No. 8,707,431," Washington, DC: U.S. Patent and Trademark Office, 2014
14 Coalition, D. S., "DAML-S: Semantic markup for Web services," in Proc. of the International Semantic Web Workshop (SWWS-01), 2001.
15 Apache Jena, "TDB Architecture," Available online: https://jena.apache.org/documentation/tdb/architecture.html (accessed on 21 November 2016).
16 I. Agrafiotis, J. R. C. Nurse, O. Buckley, P. A. Legg, M. Goldsmith, S. Creese, "Insider Threat Attack steps," Corporate Insider Threat Detection (CITD), Available online: https://www.cs.ox.ac.uk/files/7011/Attack%20steps.pdf (accessed on 21 November 2016).
17 Klyne, G., & Carroll, J. J., "Resource description framework (RDF): Concepts and abstract syntax," W3C Recommendation, 2006.
18 Apache Jena, "Reasoners and rule engines: Jena inference support." Available online: https://jena.apache.org/documentation/inference/ (accessed on 21 November 2016).
19 Kroll and Economist Intelligence Unit, "Annual Global Fraud Report. 2015/2016," 2016.
20 PricewaterhouseCoopers LLP, "Cybercrime: Protecting against the growing threat-Events and Trends," 2012.
21 Obrst, L., Chase, P., Markeloff, R., "Developing an Ontology of the Cyber Security Domain," in Proc. of CEUE Workshop on STIDS, pp. 49-56, October 2012.
22 Spitzner, L., "Honeypots: Catching the insider threat," in Proc. of 19th Annual IEEE Computer Security Applications Conference, 2003, pp. 170-179, 2003.
23 CERT Insider Threat Center, "2014 U.S. State of Cybercrime Survey," 2014, Available online: http://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_298322.pdf (accessed on 21 November 2016).
24 IBM, "IBM 2015 Cyber Security Intelligence Index," 2015, Available online: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=ST&infotype=SA&htmlfid=SEJ03278USEN&attachment=SEJ03278USEN.PDF&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US (accessed on 21 November 2016)
25 F. L. Greitzer, A. P. Moore, D. M. Cappelli, D. H. Andrews, L. A. Carroll, and T. D. Hull, "Combating the Insider Cyber Threat," IEEE Security & Privacy, pp. 61-64, 2007.
26 Robert N. Rose, "The Future Of Insider Threats," 2016, Available online: http://www.forbes.com/sites/realspin/2016/08/30/the-future-of-insider-threats/2/#3240ea4e3381 (accessed on 21 November 2016)
27 Berners-Lee, T., Hendler, J., Lasslia, O., "The semantic web," Scientific American, pp. 28-37, 2001.
28 R. Anderson, T. Bozek, T. Longstaff, W. Meitzler, M. Skroch, K. Van Wyk, "Research on Mitigating the Insider Treat to Information Systems," in Proc. of the Insider Workshop, August 2000.
29 Costa, D. L., Collins, M. L., Perl, S. J., Albrethsen, M. J., Silowash, G. J., Spooner, D. L., "An Ontology for Insider Threat Indicators," in Proc. of 10th International Conference on Semantic Technology for Intelligence, Defense, and Security (STIDS), 2015.