Abstract:
The paper considers the task of insider detection in a group of analysts who work with a data warehouse, presented as a raw table with a huge number of attributes. The main difference between the behavior of a legitimate analyst and that of an insider is that the latter collects data that is redundant for his/her functionality during his/her work cycle. Thus, to detect an insider, it is enough to detect regular redundancy in his/her requests for data that he/she can examine and use to damage a company. The paper presents the mathematical model of insider behavior, the formal definition of the main difference between the behavior of a legitimate analyst and that of an insider, and the results of modeling. The conditions under which statistical criteria can be used to solve the task are found.
Keywords: insider threat; redundant data collection; statistical criteria; mathematical model; systems simulation.