Data-driven model-based detection of malicious insiders via physical access logs

Carmen Cheh, Uttam Thakore, Ahmed Fawaz, Binbin Chen, William G. Temple, William H. Sanders

Research output: Contribution to journalArticlepeer-review


The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this article, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system's assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We suggest two different models of movement behavior in this article and evaluate their ability to represent normal user movement. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of usermovement in railway transit stations.

Original languageEnglish (US)
Article number26
JournalACM Transactions on Modeling and Computer Simulation
Issue number4
StatePublished - Nov 2019


  • Intrusion detection
  • Physical movement
  • Railway transportation system

ASJC Scopus subject areas

  • Modeling and Simulation
  • Computer Science Applications


Dive into the research topics of 'Data-driven model-based detection of malicious insiders via physical access logs'. Together they form a unique fingerprint.

Cite this