Data-driven model-based detection of malicious insiders via physical access logs

Carmen Cheh, Binbin Chen, William G. Temple, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.
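The abstract describes a two-stage pipeline: learn movement models from historical badge logs, then check live events against both the learned model and the building layout. What follows is an added example written for this page, not the paper's code, showing one toy realisation of that pipeline in Python. The five-zone station layout, the reader table, the three users and their roles, every log line, the first-order Markov model per role with smoothing restricted to adjacent zones, and the 0.05 likelihood threshold are all constructed assumptions; the paper's data-driven model-selection step is not reproduced, a fixed model per role stands in for it.

```python
# Added example, not the paper's code: layout, roles, log lines and the
# per-role Markov model are all constructed assumptions for illustration.
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed layout: each reader grants entry from one zone into an adjacent zone.
READERS = {
    "R1": ("Outside", "Lobby"), "R8": ("Lobby", "Outside"),
    "R2": ("Lobby", "Concourse"), "R3": ("Concourse", "Lobby"),
    "R4": ("Concourse", "ControlRoom"), "R5": ("ControlRoom", "Concourse"),
    "R6": ("ControlRoom", "EquipmentRoom"), "R7": ("EquipmentRoom", "ControlRoom"),
}
ADJACENT = defaultdict(set)  # zone -> zones reachable through one door
for _src, _dst in READERS.values():
    ADJACENT[_src].add(_dst)
ROLES = {"u101": "operator", "u102": "operator", "u201": "cleaner"}  # assumed

def parse(line):
    """'ISO-timestamp,user,reader' -> (ts, user, src_zone, dst_zone)."""
    ts, user, reader = line.strip().split(",")
    src, dst = READERS[reader]
    return datetime.fromisoformat(ts), user, src, dst

class RoleMovementModel:
    """First-order Markov model over zone transitions, learned per role. Smoothing
    mass goes only to zones the layout says are adjacent, so a door that does not
    exist never gains probability."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))

    def fit(self, events):
        for _, _, src, dst in events:
            self.counts[src][dst] += 1

    def prob(self, src, dst):
        if dst not in ADJACENT[src]:
            return 0.0
        row = self.counts[src]
        return (row[dst] + self.alpha) / (sum(row.values()) + self.alpha * len(ADJACENT[src]))

class Detector:
    """Online check per badge event: layout consistency first, then model likelihood."""

    def __init__(self, models, threshold=0.05):
        self.models, self.threshold = models, threshold
        self.last_zone = defaultdict(lambda: "Outside")

    def observe(self, line):
        _, user, src, dst = parse(line)
        alerts, seen = [], self.last_zone[user]
        if seen != src:
            # Badge presented on the src side of a door the log never shows the user
            # reaching: tailgating, a propped door, or a dropped log record.
            alerts.append(f"layout: {user} badged from {src} but last logged in {seen}")
        p = self.models[ROLES[user]].prob(src, dst)
        if p < self.threshold:
            alerts.append(f"rare: {user} {src}->{dst} p={p:.3f} "
                          f"surprise={-math.log(max(p, 1e-9)):.1f}")
        self.last_zone[user] = dst
        return alerts

def train(history):
    by_role = defaultdict(list)
    for line in history:
        ev = parse(line)
        by_role[ROLES[ev[1]]].append(ev)
    models = defaultdict(RoleMovementModel)  # unseen role -> uniform over adjacent zones
    for role, events in by_role.items():
        models[role].fit(events)
    return models

def detect(history, live, threshold=0.05):
    det = Detector(train(history), threshold)
    return [(line, alert) for line in live for alert in det.observe(line)]

def make_shift(day, user, readers, start="08:00"):
    """Constructed log lines: one badge event per reader, five minutes apart."""
    t0 = datetime.fromisoformat(f"2017-03-{day:02d}T{start}:00")
    return [f"{(t0 + timedelta(minutes=5 * i)).isoformat()},{user},{r}"
            for i, r in enumerate(readers)]

OPERATOR_SHIFT = ["R1", "R2", "R4", "R5", "R3", "R8"]
OPERATOR_MAINT = ["R1", "R2", "R4", "R6", "R7", "R5", "R3", "R8"]
CLEANER_SHIFT = ["R1", "R2", "R3", "R8"]
HISTORY = []  # ten constructed days: operators u101/u102, cleaner u201
for day in range(1, 11):
    HISTORY += make_shift(day, "u101", OPERATOR_MAINT if day % 5 == 0 else OPERATOR_SHIFT)
    HISTORY += make_shift(day, "u102", OPERATOR_SHIFT)
    HISTORY += make_shift(day, "u201", CLEANER_SHIFT, start="06:00")
# Constructed live day: the cleaner walks into the control room (never seen for
# that role), and an operator badges into the equipment room without ever badging
# into the control room that leads to it.
LIVE = (make_shift(11, "u201", ["R1", "R2", "R4"], start="06:00")
        + make_shift(11, "u101", ["R1", "R2", "R6"]))

if __name__ == "__main__":
    for line, alert in detect(HISTORY, LIVE):
        print(line, "=>", alert)
```

Run stand-alone it prints two alerts: a "rare" one for the cleaner's Concourse to ControlRoom transition, which the cleaner role's history never contains, and a "layout" one for the operator who appears at the EquipmentRoom door while the log last places them in the Concourse. The two checks are deliberately independent: the layout check needs no training data and catches the tailgating or missing-record case regardless of how common the transition is, while the likelihood check catches movement that is physically legitimate but unusual for the role. A layout mismatch is also what a dropped log record or a door held open looks like, so it is a triage signal to reconcile with the physical security team, not proof of intent.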

Original language: English (US)
Title of host publication: Quantitative Evaluation of Systems - 14th International Conference, QEST 2017, Proceedings
Editors: Nathalie Bertrand, Luca Bortolussi
Publisher: Springer-Verlag
Pages: 275-291
Number of pages: 17
ISBN (Print): 9783319663340
DOI: 10.1007/978-3-319-66335-7_17
State: Published - Jan 1 2017
Event: 14th International Conference on Quantitative Evaluation of Systems, QEST 2017 - Berlin, Germany
Duration: Sep 5 2017 - Sep 7 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10503 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Keywords

  • Cyber-physical systems
  • Insider threat
  • Intrusion detection
  • Physical access
  • Physical movement
  • User behavior

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Cheh, C., Chen, B., Temple, W. G., & Sanders, W. H. (2017). Data-driven model-based detection of malicious insiders via physical access logs. In N. Bertrand, & L. Bortolussi (Eds.), Quantitative Evaluation of Systems - 14th International Conference, QEST 2017, Proceedings (pp. 275-291). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10503 LNCS). Springer-Verlag. https://doi.org/10.1007/978-3-319-66335-7_17

@inproceedings{abed8ca010b745a88d9d674d259e0e9e,
title = "Data-driven model-based detection of malicious insiders via physical access logs",
abstract = "The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.",
keywords = "Cyber-physical systems, Insider threat, Intrusion detection, Physical access, Physical movement, User behavior",
author = "Carmen Cheh and Binbin Chen and Temple, {William G.} and Sanders, {William H.}",
year = "2017",
month = "1",
day = "1",
doi = "10.1007/978-3-319-66335-7_17",
language = "English (US)",
isbn = "9783319663340",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer-Verlag",
pages = "275--291",
editor = "Nathalie Bertrand and Luca Bortolussi",
booktitle = "Quantitative Evaluation of Systems - 14th International Conference, QEST 2017, Proceedings",
}

TY - GEN
T1 - Data-driven model-based detection of malicious insiders via physical access logs
AU - Cheh, Carmen
AU - Chen, Binbin
AU - Temple, William G.
AU - Sanders, William H.
PY - 2017/1/1
Y1 - 2017/1/1
AB - The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.
KW - Cyber-physical systems
KW - Insider threat
KW - Intrusion detection
KW - Physical access
KW - Physical movement
KW - User behavior
UR - http://www.scopus.com/inward/record.url?scp=85028638862&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85028638862&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-66335-7_17
DO - 10.1007/978-3-319-66335-7_17
M3 - Conference contribution
AN - SCOPUS:85028638862
SN - 9783319663340
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 275
EP - 291
BT - Quantitative Evaluation of Systems - 14th International Conference, QEST 2017, Proceedings
A2 - Bertrand, Nathalie
A2 - Bortolussi, Luca
PB - Springer-Verlag
ER -