Insiders are employees that must be trusted with access to sensitive information, and because of that trust can be a major threat. Insiders have compromised organizations in multiple domains including manufacturing, finance, government, and even scientific research. Even worse, insiders attacks are consistently catalogued as the most costly given the elevated privilege that insiders have in terms of trust and access. This makes the insider issue one of the most challenging problems in computer security.
As with many other complex systems (e.g., the Internet, online social networks, and the brain), information systems consist of a large number of interacting elements (e.g., users, services, devices, files) in which the aggregate activity of the system cannot be derived by analyzing individual contributions, i.e., their aggregate behavior is nonlinear. Graphs, where nodes represent the elements and edges capture the interactions between the elements of the system, have been used across multiple domains to capture the interactions between the elements of complex systems. The use of graphs to study the structure of complex systems has revealed some plausible explanations for the emergence of collective behavior in these systems such as the understanding of regular and anomalous behavior. In this work, we treat the malicious insider as an anomaly and use bipartite graphs to detect their anomalous behaviors.
The resulting focus on malicious patterns, as opposed to malicious nodes, implements an assumption that the malicious insider is not intrinsically hostile. Rather, malicious behaviors can emerge over time or in respect to specific conditions. Static graphical analysis is based on the analysis of graph snapshots and cannot integrate temporal patterns. In contrast, the study of temporal graphs, where information of single graph snapshots is aggregated, tends to reflect more accurately the evolution of the system as nodes and edges appear and disappear over time. The focus of this work is to understand the malicious behaviors over time rather than identifying the static malicious nodes.
To understand such complex systems, empirical data with detailed temporal information is a prerequisite. Correct temporal information is much more readily available as a source of ground truth than correctly labeled insider threat datasets. In the context of information systems, temporally annotated datasets are widely available thanks to the presence of user-system interaction logs. This enables the use of graph mining analytics for the understanding of anomalous behavior such as the one that insiders might pose.
For the purposes of this project, we characterize and detect anomalous events in an information system based on a centralized version control system. We identify time intervals during which significant changes in the structure of the temporal graphs may correspond to functional change points, e.g., a precipitating events. This problem has also been referred to as change point detection.
We model user-system interactions in a version control system as a temporal bipartite graph where interactions occur exclusively between two types of nodes, (i) users and (ii) software components. Note that the edges in this graph are only between these two types of nodes. A one-mode projection of this graph is the user graph in which two nodes (users) are connected if they have interacted at least once with the same component. Our methodology includes studying the evolution of the one-mode user graph to identify topological properties that characterize the system’s normal behavior. Among these observed properties, those that do not follow the norm of the regular pattern are assumed to indicate the presence of an anomalous event. Such an event may indicate a potential insider incident or, at least, an event that requires further investigation.
In particular, the user graph allows us to explore the impact of precipitating events in user-system interactions. Precipitating events are key events that have the potential to trigger insiders to become a threat to their employer. We hypothesized that precipitating events impact the behavior of interactions between users and components in the version control system by changing patterns of committing behavior. To test this hypothesis, we model and compare the volume of interactions between users over similar or related components as opposed to non-related components over time. To capture sets of users with similar patterns of interaction, we rely on the notion of community structure to identify communities, or clusters, i.e., groups of nodes having higher probability of being connected to each other than to members of other groups. We show that the volume of interactions between users that contribute to unrelated components increases when precipitating events are announced. This indicates the impact of precipitating events in increasing the likelihood of a change in the interacting behavior between users and components, which might be a signal to monitor before an insider attack is committed.