Modeling Insider User Behavior Using Multi-Entity Bayesian Network

Authors: Ghazi A. AlGhamdi, Kathryn Blackmond Laskey, Edward J. Wright, Daniel Barbara, KC Chang


This paper tackles a key aspect of the information security problem: modeling the behavior of insider threats. The specific problem addressed by this paper is the identification of malicious insider behavior in trusted computing environments. Although most security techniques in intrusion detection systems (IDSs) focus on protecting the system boundaries from outside attacks, defending against an insider who attempts to misuse privileges is an equally significant problem for network security. It is usually assumed that users who are given access to network resources can be trusted. However, the eighth annual CSI/FBI 2003 report found that insider abuse of network access was the most cited form of attack or abuse: 80% of respondents were concerned about insider abuse, although 92% of the responding organizations employed some form of access control mechanism. Therefore, even though insider users are legitimately granted access to network resources, it is essential to protect against misuse by insiders. This paper presents a scalable model to represent insider behavior. We provide simulation experiments to demonstrate the ability of the model to detect threat behavior. Information security objectives can be accomplished through a layered approach that represents several lines of defense; the approach presented here constitutes one of those lines.

For more information, contact IET