Learning from Access Log to Mitigate Insider Threats
As the quantity of data collected, stored, and processed in information systems has grown, so too have insider threats. This type of threat is realized when authorized individuals misuse their privileges to violate privacy or security policies. Over the past several decades, various technologies have been introduced to mitigate the insider threat, which can be roughly partitioned into two categories: 1) prospective and 2) retrospective. Prospective technologies are designed to specify and manage a user's rights, such that misuse can be detected and prevented before it transpires. Conversely, retrospective technologies permit users to invoke their privileges, but investigate the legitimacy of such actions after the fact. Despite the existence of such strategies, administrators need to answer several critical questions to put them into practice. First, given a specific circumstance, which type of strategy (i.e., prospective vs. retrospective) should be adopted? Second, given the type of strategy, which approach best supports it in an operational manner? Existing approaches to these questions neglect that the data captured by information systems may be able to inform the decision making. As such, the overarching goal of this dissertation is to investigate how best to answer these questions using data-driven approaches. This dissertation makes three technical contributions. The first contribution is the introduction of a novel approach to quantify the tradeoffs between prospective and retrospective strategies, under which each strategy is translated into a classification model, and the misclassification costs of the models are compared to facilitate decision support. This dissertation then introduces several data-driven approaches to realize the strategies. The second contribution is for prospective strategies, with a specific focus on role-based access control (RBAC). This dissertation introduces an approach to evolve an existing RBAC based on evidence in an access log, which relies on a strategy to promote roles from candidates. The third contribution is for retrospective strategies, whereby this dissertation introduces an auditing framework that can leverage workflow information to facilitate misuse detection. These methods are empirically validated on three months of access logs (million accesses) derived from a real-world information system.
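The tradeoff quantification of the first contribution, as an added illustration that is not the dissertation's own code: each strategy is cast as a binary classifier over a constructed access log and its total misclassification cost is compared. The log, the RBAC policy, the audit rule and the unit costs are all assumptions made for the example.

```python
"""Cost-based comparison of a prospective (pre-access policy) and a
retrospective (post-access audit) insider-threat strategy, each treated as a
binary classifier over an access log. Everything below is constructed."""

# Constructed access log: (user, role, resource, legitimate?). The last field
# is what an investigation would conclude; the strategies never see it.
ACCESS_LOG = [
    ("alice", "nurse", "chart", True),
    ("alice", "nurse", "chart", True),
    ("alice", "nurse", "billing", False),   # browsing outside her duties
    ("bob", "billing", "billing", True),
    ("bob", "billing", "chart", True),      # legitimate, but outside the policy
    ("carol", "physician", "chart", True),
    ("carol", "physician", "hr_record", False),
    ("dave", "nurse", "chart", False),      # snooping on a record he has no need for
]

# Prospective strategy: an assumed static RBAC policy decides before the access.
RBAC_POLICY = {"nurse": {"chart"}, "billing": {"billing"}, "physician": {"chart"}}

def prospective_predict(user, role, resource):
    """Classifier view of the policy: True = predicted legitimate (allowed)."""
    return resource in RBAC_POLICY.get(role, set())

def retrospective_predict(log):
    """Assumed audit rule: every access is permitted, but the first time a
    user touches a resource the access is flagged for review (predicted misuse)."""
    seen, preds = set(), []
    for user, _role, resource, _legit in log:
        preds.append((user, resource) in seen)   # repeat pair => predicted legitimate
        seen.add((user, resource))
    return preds

def misclassification_cost(preds, log, fp_cost, fn_cost):
    """fp = legitimate access denied/flagged; fn = misuse allowed/missed."""
    fp = sum(1 for p, (*_, legit) in zip(preds, log) if legit and not p)
    fn = sum(1 for p, (*_, legit) in zip(preds, log) if p and not legit)
    return {"fp": fp, "fn": fn, "cost": fp * fp_cost + fn * fn_cost}

def compare_strategies(log=ACCESS_LOG):
    """Total cost per strategy under assumed unit costs; the cheaper one is preferred."""
    pro = [prospective_predict(u, r, res) for u, r, res, _ in log]
    costs = {
        # denying a needed access disrupts work (10); an allowed misuse costs 50
        "prospective": misclassification_cost(pro, log, fp_cost=10, fn_cost=50),
        # a needless audit costs 5; a misuse that happened and was missed costs 60
        "retrospective": misclassification_cost(retrospective_predict(log), log, 5, 60),
    }
    return costs, min(costs, key=lambda k: costs[k]["cost"])
```

With these assumed costs the audit-based strategy wins because the policy both blocks a legitimate cross-department access and admits a same-role snooping access; changing the unit costs or the log shifts the decision, which is the point of quantifying the tradeoff.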