• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.10
• /
• pp.5062-5079
• /
• 2017

Malicious insider threats have increased recently, and methods of the threats are diversifying every day. These insider threats are becoming a significant problem in corporations and governments today. From a technology standpoint, detecting potential insider threats is difficult in early stage because it is unpredictable. In order to prevent insider threats in early stage, it is necessary to collect all of insiders' data which flow in network systems, and then analyze whether the data are potential threat or not. However, analyzing all of data makes us spend too much time and cost. In addition, we need a large repository in order to collect and manage these data. To resolve this problem, we develop an indicator-based behavior ontology (IB2O) that allows us to understand and interpret insiders' data packets, and then to detect potential threats in early stage in network systems including social networks and company networks. To show feasibility of the behavior ontology, we developed a prototype platform called Insider Threat Detecting Extractor (ITDE) for detecting potential insider threats in early stage based on the behavior ontology. Finally, we showed how the behavior ontology would help detect potential inside threats in network system. We expect that the behavior ontology will be able to contribute to detecting malicious insider threats in early stage.

• Convergence Security Journal
• /
• v.15 no.6_2
• /
• pp.3-10
• /
• 2015

Recent massive data breaches or major security incidents show that threats posed by insiders have greatly increased over time. Especially, authorized insiders can cause more serious problems than external hackers can. Therefore there is a growing need to introduce a system that can monitor the insider threats in real time and prevent data breaches or security incidents in early-stage. In this paper, we propose a EITMS(Enterprise Insider-Threats Management System). EITMS detects the abnormal behaviors of authorized insiders based on the normal patterns made from their roles, duties and private activities. And, in order to prevent breaches and incidents in early-stage, a scoring system that can visualize the insider threats is also included.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.4
• /
• pp.1887-1898
• /
• 2018

In this paper, a method to classify insider threat activity is introduced. The internal threats help detecting anomalous activity in the procedure performed by the user in an organization. When an anomalous value deviating from the overall behavior is displayed, we consider it as an inside threat for classification as an inside intimidator. To solve the situation, Markov Chain Model is employed. The Markov Chain Model shows the next state value through an arbitrary variable affected by the previous event. Similarly, the current activity can also be predicted based on the previous activity for the insider threat activity. A method was studied where the change items for such state are defined by a transition probability, and classified as detection of anomaly of the inside threat through values for a probability variable. We use the properties of the Markov chains to list the behavior of the user over time and to classify which state they belong to. Sequential data sets were generated according to the influence of n occurrences of Markov attribute and classified by machine learning algorithm. In the experiment, only 15% of the Cert: insider threat dataset was applied, and the result was 97% accuracy except for NaiveBayes. As a result of our research, it was confirmed that the Markov Chain Model can classify insider threats and can be fully utilized for user behavior classification.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.267-277
• /
• 2022

Due to the increasing proportion of cloud and remote working environments, various information security incidents are occurring. Insider threats have emerged as a major issue, with cases in which corporate insiders attempting to leak confidential data by accessing it remotely. In response, insider threat detection approaches based on machine learning have been developed. However, existing machine learning methods used to detect insider threats do not take biases and variances into account, which leads to limited performance. In this paper, boosting-type ensemble learning algorithms are applied to verify the performance of malicious insider detection, conduct a close analysis, and even consider the imbalance in datasets to determine the final result. Through experiments, we show that using ensemble learning achieves similar or higher accuracy to other existing malicious insider detection approaches while considering bias-variance tradeoff. The experimental results show that ensemble learning using bagging and boosting methods reached an accuracy of over 98%, which improves malicious insider detection performance by 5.62% compared to the average accuracy of single learning models used.

• Convergence Security Journal
• /
• v.18 no.5_1
• /
• pp.45-51
• /
• 2018

As data utilization and importance becomes important, data-related accidents and damages are gradually increasing. Especially, insider threats are the most harmful threats. And these insider threats are difficult to detect by traditional security systems, so rule-based abnormal behavior detection method has been widely used. However, it has a lack of adapting flexibly to changes in new attacks and new environments. Therefore, in this paper, we propose an adaptive anomaly movement detection framework based on a statistical Markov model to detect insider threats in advance. This is designed to minimize false positive rate and false negative rate by adopting environment factors that directly influence the behavior, and learning data based on statistical Markov model. In the experimentation, the framework shows good performance with a high F2-score of 0.92 and suspicious behavior detection, which seen as a normal behavior usually. It is also extendable to detect various types of suspicious activities by applying multiple modeling algorithms based on statistical learning and environment factors.

• Journal of Platform Technology
• /
• v.11 no.2
• /
• pp.15-25
• /
• 2023

This study analyzes the limitations of the insider threat datasets used for insider threat detection research and compares and analyzes the solution-based insider threat data with public insider threat data using a security solution to overcome this. Through this, we design a data format suitable for insider threat detection and implement a system that can safely share insider threat information between different institutions and companies using blockchain technology. Currently, there is no dataset collected based on actual events in the insider threat dataset that is revealed to researchers. Public datasets are virtual synthetic data randomly created for research, and when used as a learning model, there are many limitations in the real environment. In this study, to improve these limitations, a private blockchain was designed to secure information sharing between institutions of different affiliations, and a method was derived to increase reliability and maintain information integrity and consistency through agreement and verification among participants. The proposed method is expected to collect data through an outflow threat collector and collect quality data sets that posed a threat, not synthetic data, through a blockchain-based sharing system, to solve the current outflow threat dataset problem and contribute to the insider threat detection model in the future.

• Journal of information and communication convergence engineering
• /
• v.18 no.1
• /
• pp.16-21
• /
• 2020

Owing to the convergence of the communication network with the control system and public network, security threats, such as information leakage and falsification, have become possible through various routes. If we examine closely at the security type of the current control system, the operation of the security system focuses on the threats made from outside to inside, so the study on the detection system of the security threats conducted by insiders is inadequate. Thus, this study, based on "Spotting the Adversary with Windows Event Log Monitoring," published by the National Security Agency, found that event logs can be utilized for the detection and maneuver of threats conducted by insiders, by analyzing the validity of detecting insider threats to the control system with the list of important event logs.

• Korean Security Journal
• /
• no.53
• /
• pp.283-303
• /
• 2017

This study which was started to identify the factors that change the security level of military organizations, analyzed the data collected from articles written by the active officers in the Defense Daily Journal hoping to improve the military security level by the qualitative research method called Grounded Theory, and establish causal relationship how organizational members respond to insider security threats. As a result of the analysis, the causal condition is 'the security threat of the insider', the contextual condition is 'the specificity of the military organization', the central phenomenon is 'the conflict of values as a soldier', the arbitrary condition is 'the security consciousness', Strategy is 'the responds to security threats', and the result was 'security level change'. The core categories can be presented as 'the degree of conflict of values on insider security threats' and two hypotheses have been derived. First, the members of the military organization strongly felt the conflict of values about security threat as the tendency to emphasize security was strong, and they helped to develop the security level of organization by responding strongly. Second, the stronger the tendency to focus on colleagues, respond weakly to security threats. And it undermines the security level of the organization. Finally, in order to improve the security level of the organization, it is necessary to establish a solid security consciousness and to make institutional development to support it.

• Convergence Security Journal
• /
• v.18 no.3
• /
• pp.77-85
• /
• 2018

With the convergence of communications network between control system and public network, such threats like information leakage/falsification could be fully shown in control system through diverse routes. Due to the recent diversification of security issues and violation cases of new attack techniques, the security system based on the information database that simply blocks and identifies, is not good enough to cope with the new types of threat. The current control system operates its security system focusing on the outside threats to the inside, and it is insufficient to detect the security threats by insiders with　the authority of security access. Thus, this study conducted the importance analysis based on the main event log list of "Spotting the Adversary with Windows Event Log Monitoring" announced by NSA. In the results, the matter of importance of event log for the detection of insider threats to control system was understood, and the results of this study could be contributing to researches in this area.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.1133-1151
• /
• 2019

Insider threats in the field of information security are so important that the research is continuing centering on the institutes attached to the Carnegie Mellon University. On the other hand, we do not have any separate research institutes. In particular, insider threat research on the defense IT environment directly connected with the survival of the country is not proceeding in depth. In addition, due to the specificity of the military, defense IT security has limited research as an academic discipline, and even the establishment of concepts has not been achieved properly. In addition, because of differences in the environment, the US standard can not be borrowed as it is. This paper analyzes the defense IT environment and defines an insider (threat) suitable for the Korea military environment. I'd like to suggest the type of insider threat and how to mitigate it.