• Journal of Platform Technology
• /
• v.11 no.2
• /
• pp.15-25
• /
• 2023

This study analyzes the limitations of the insider threat datasets used for insider threat detection research and compares and analyzes the solution-based insider threat data with public insider threat data using a security solution to overcome this. Through this, we design a data format suitable for insider threat detection and implement a system that can safely share insider threat information between different institutions and companies using blockchain technology. Currently, there is no dataset collected based on actual events in the insider threat dataset that is revealed to researchers. Public datasets are virtual synthetic data randomly created for research, and when used as a learning model, there are many limitations in the real environment. In this study, to improve these limitations, a private blockchain was designed to secure information sharing between institutions of different affiliations, and a method was derived to increase reliability and maintain information integrity and consistency through agreement and verification among participants. The proposed method is expected to collect data through an outflow threat collector and collect quality data sets that posed a threat, not synthetic data, through a blockchain-based sharing system, to solve the current outflow threat dataset problem and contribute to the insider threat detection model in the future.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.12 no.4
• /
• pp.1887-1898
• /
• 2018

In this paper, a method to classify insider threat activity is introduced. The internal threats help detecting anomalous activity in the procedure performed by the user in an organization. When an anomalous value deviating from the overall behavior is displayed, we consider it as an inside threat for classification as an inside intimidator. To solve the situation, Markov Chain Model is employed. The Markov Chain Model shows the next state value through an arbitrary variable affected by the previous event. Similarly, the current activity can also be predicted based on the previous activity for the insider threat activity. A method was studied where the change items for such state are defined by a transition probability, and classified as detection of anomaly of the inside threat through values for a probability variable. We use the properties of the Markov chains to list the behavior of the user over time and to classify which state they belong to. Sequential data sets were generated according to the influence of n occurrences of Markov attribute and classified by machine learning algorithm. In the experiment, only 15% of the Cert: insider threat dataset was applied, and the result was 97% accuracy except for NaiveBayes. As a result of our research, it was confirmed that the Markov Chain Model can classify insider threats and can be fully utilized for user behavior classification.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.267-277
• /
• 2022

Due to the increasing proportion of cloud and remote working environments, various information security incidents are occurring. Insider threats have emerged as a major issue, with cases in which corporate insiders attempting to leak confidential data by accessing it remotely. In response, insider threat detection approaches based on machine learning have been developed. However, existing machine learning methods used to detect insider threats do not take biases and variances into account, which leads to limited performance. In this paper, boosting-type ensemble learning algorithms are applied to verify the performance of malicious insider detection, conduct a close analysis, and even consider the imbalance in datasets to determine the final result. Through experiments, we show that using ensemble learning achieves similar or higher accuracy to other existing malicious insider detection approaches while considering bias-variance tradeoff. The experimental results show that ensemble learning using bagging and boosting methods reached an accuracy of over 98%, which improves malicious insider detection performance by 5.62% compared to the average accuracy of single learning models used.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.3
• /
• pp.1722-1737
• /
• 2019

We developed an insider threat detection model to be used by organizations that repeat tasks at regular intervals. The model identifies the best combination of different feature selection algorithms, unsupervised learning algorithms, and standard scores. We derive a model specifically optimized for the organization by evaluating each combination in terms of accuracy, AUC (Area Under the Curve), and TPR (True Positive Rate). In order to validate this model, a four-year log was applied to the system handling sensitive information from public institutions. In the research target system, the user log was analyzed monthly based on the fact that the business process is processed at a cycle of one year, and the roles are determined for each person in charge. In order to classify the behavior of a user as abnormal, the standard scores of each organization were calculated and classified as abnormal when they exceeded certain thresholds. Using this method, we proposed an optimized model for the organization and verified it.

• Journal of Information Science Theory and Practice
• /
• v.7 no.1
• /
• pp.52-71
• /
• 2019

An insider threat is a threat that comes from people within the organization being attacked. It can be described as a function of the motivation, opportunity, and capability of the insider. Compared to managing the dimensions of opportunity and capability, assessing one's motivation in committing malicious acts poses more challenges to organizations because it usually involves a more obtrusive process of psychological examination. The existing body of research in psycholinguistics suggests that automated text analysis of electronic communications can be an alternative for predicting and detecting insider threat through unobtrusive behavior monitoring. However, a major challenge in employing this approach is that it is difficult to minimize the risk of missing any potential threat while maintaining an acceptable false alarm rate. To deal with the trade-off between the risk of missed catches and the false alarm rate, we propose a unified psycholinguistic framework that consolidates multiple text analyzers to carry out sentiment analysis, emotion analysis, and topic modeling on electronic communications for unobtrusive psychological assessment. The user scenarios presented in this paper demonstrated how the trade-off issue can be attenuated with different text analyzers working collaboratively to provide more comprehensive summaries of users' psychological states.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.13 no.4
• /
• pp.125-139
• /
• 2017

In this paper, we developed a framework to detect and predict insider information leakage by collecting and restoring network traffic. For automated behavior analysis, many meta information and behavior information obtained using network traffic collection are used as machine learning features. By these features, we created and learned behavior model, network model and protocol-specific models. In addition, the ensemble model was developed by digitizing and summing the results of various models. We developed a function to present information leakage candidates and view meta information and behavior information from various perspectives using the visual analysis. This supports to rule-based threat detection and machine learning based threat detection. In the future, we plan to make an ensemble model that applies a regression model to the results of the models, and plan to develop a model with deep learning technology.

• Journal of Korea Society of Digital Industry and Information Management
• /
• v.13 no.2
• /
• pp.1-11
• /
• 2017

In this paper, we design and implement PADIL(Prediction And Detection of Information Leakage) system that predicts and detect information leakage behavior of insider by analyzing network traffic and applying a variety of machine learning methods. we defined the five-level information leakage model(Reconnaissance, Scanning, Access and Escalation, Exfiltration, Obfuscation) by referring to the cyber kill-chain model. In order to perform the machine learning for detecting information leakage, PADIL system extracts various features by analyzing the network traffic and extracts the behavioral features by comparing it with the personal profile information and extracts information leakage level features. We tested various machine learning methods and as a result, the DecisionTree algorithm showed excellent performance in information leakage detection and we showed that performance can be further improved by fine feature selection.

• The Journal of Society for e-Business Studies
• /
• v.23 no.4
• /
• pp.153-169
• /
• 2018

Previous e-financial anomalies analysis and detection technology collects large amounts of electronic financial transaction logs generated from electronic financial business systems into big-data-based storage space. And it detects abnormal transactions in real time using detection rules that analyze transaction pattern profiling of existing customers and various accident transactions. However, deep analysis such as attempts to access e-finance by insiders of financial institutions with large scale of damages and social ripple effects and stealing important information from e-financial users through bypass of internal control environments is not conducted. This paper analyzes the management status of e-financial security programs of financial companies and draws the possibility that they are allies in security control of insiders who exploit vulnerability in management. In order to efficiently respond to this problem, it will present a comprehensive e-financial security management environment linked to insider threat monitoring as well as the existing e-financial transaction detection system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.763-773
• /
• 2017

In recent years, personal information leakage and technology leakage accidents are frequently occurring. According to the survey, the most important part of this spill is the 'insider' within the organization, and the leakage of technology by insiders is considered to be an increasingly important issue because it causes huge damage to the organization. In this paper, we try to learn the normal behavior of employees using machine learning to prevent insider threats, and to investigate how to detect abnormal behavior. Experiments on the detection of abnormal behavior by implementing an Autoencoder composed of Recurrent Neural Network suitable for learning time series data among the neural network models were conducted and the validity of this method was verified.

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2023.07a
• /
• pp.217-218
• /
• 2023

내부자 위협이란, 조직의 보안 및 데이터, 시스템에 대한 내부 정보에 접근하는 현 임직원 및 전 임직원, 계약자와 같이, 동일한 조직 내부의 사람들로부터 발생하는 위협을 의미한다. 일반적으로 내부자들은 업무를 위하여, 시스템에 대한 합법적인 접근 권한을 가지며, 만약 이러한 권한이 오남용되는 경우에는 조직에 매우 심각한 피해를 입힐 수 있다. 이러한 내부자 위협은 외부로부터의 위협보다 방어 및 탐지가 훨씬 어려운 한계점이 있으며, 그 피해 규모가 매우 방대하다는 문제점도 존재한다. 이에 따라, 본 논문에서는 내부자 위협을 탐지하기 위하여, 이메일을 통한 기밀정보를 유출하는 유형의 위협에 대응하는 방안을 제안한다. 제안하는 방안은 조직 내에서 이메일을 발신하는 경우를 대상으로, 파일이 포함된 이메일에 발신자를 식별하기 위하여, 파일에 키 값 및 서명을 삽입하며, 발신되는 이메일을 모니터링하여 첨부된 파일의 유형을 파악함으로써, 동적 그래프를 통하여 시각화한다. 내부 시스템 및 네트워크에서의 보안관제 담당자 및 관리자는 시각화된 그래프를 확인함으로써, 직관적으로 정보 유출을 파악하고 대응할 수 있을 것으로 판단된다. 본 논문에서 제안하는 방안을 통하여, 조직 내의 내부자 위협을 탐지할 수 있으며, 데이터 유출 사고가 발생하는 경우, 유출자를 빠르게 식별하고 초기에 대응할 수 있을 것으로 판단된다.