13-11-2012, 03:16 PM
Detecting Anomalous Insiders in Collaborative Information Systems
ABSTRACT
Collaborative information systems (CISs) are deployed within a diverse array of environments that manage sensitive information. Current security mechanisms detect insider threats, but they are ill-suited to monitor systems in which users function in dynamic teams. In this paper, we introduce the community anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on the access logs of collaborative environments. The framework is based on the observation that typical CIS users tend to form community structures based on the subjects accessed (e.g., patients' records viewed by healthcare providers). CADS consists of two components: 1) relational pattern extraction, which derives community structures, and 2) anomaly prediction, which leverages a statistical model to determine when users have sufficiently deviated from their communities. We further extend CADS into MetaCADS to account for the semantics of subjects (e.g., patients' diagnoses). To empirically evaluate the framework, we perform an assessment with three months of access logs from a real electronic health record (EHR) system in a large medical center. The results illustrate that our models exhibit significant performance gains over state-of-the-art competitors. When the number of illicit users is low, MetaCADS is the best model, but as the number grows, commonly accessed semantics let illicit users hide in a crowd, such that CADS is more prudent.
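The two-stage idea in the abstract (derive who a user's peers are from the subjects they access, then score how far the user sits from those peers) can be sketched in a few dozen lines. The block below is an added illustration, not the authors' CADS or MetaCADS code: the access log, the diagnosis categories, cosine similarity on binary access vectors, k=2 nearest peers and the mean plus two standard deviations cutoff are all constructed assumptions chosen to keep the example self-contained. The `semantics` option mimics the MetaCADS idea of adding subject categories so that users who touch different subjects of the same kind still look alike.

```python
"""Community-based insider anomaly scoring over a user/subject access log.

Added illustration in the spirit of CADS/MetaCADS (community structure from
access logs, then deviation scoring); it is NOT the paper's implementation.
"""
from collections import defaultdict
import math
import statistics

# Constructed sample log: (user, subject) pairs, e.g. a provider viewing a
# patient's record. Two tight teams (c*, o*) plus user x1, who straddles them
# and also touches subjects nobody else does.
ACCESS_LOG = [
    ("c1", "p1"), ("c1", "p2"), ("c1", "p3"),
    ("c2", "p1"), ("c2", "p2"), ("c2", "p4"),
    ("c3", "p2"), ("c3", "p3"), ("c3", "p4"),
    ("o1", "p5"), ("o1", "p6"), ("o1", "p7"),
    ("o2", "p5"), ("o2", "p6"), ("o2", "p8"),
    ("o3", "p6"), ("o3", "p7"), ("o3", "p8"),
    ("x1", "p1"), ("x1", "p6"), ("x1", "p9"), ("x1", "p10"),
]

# Constructed subject semantics (hypothetical diagnosis categories); only the
# MetaCADS-like variant uses them.
SUBJECT_CATEGORY = {
    "p1": "cardio", "p2": "cardio", "p3": "cardio", "p4": "cardio",
    "p5": "onco", "p6": "onco", "p7": "onco", "p8": "onco",
    "p9": "onco", "p10": "onco",
}


def access_sets(log, semantics=None):
    """Relational pattern extraction: map each user to the set of subjects
    accessed. With a semantics map, a category token per accessed subject is
    added, so users who view different subjects of the same kind overlap."""
    sets = defaultdict(set)
    for user, subject in log:
        sets[user].add(subject)
        if semantics is not None:
            sets[user].add("cat:" + semantics[subject])
    return dict(sets)


def cosine(a, b):
    """Cosine similarity of two binary access vectors represented as sets."""
    if not a or not b:
        return 0.0
    return len(a & b) / math.sqrt(len(a) * len(b))


def deviation_scores(log, k=2, semantics=None):
    """Anomaly prediction: score each user by how poorly it fits its k most
    similar peers. A user embedded in a community has close neighbours
    (score near 0); one whose accesses cut across communities has none
    (score near 1)."""
    sets = access_sets(log, semantics)
    scores = {}
    for user, subjects in sets.items():
        sims = sorted((cosine(subjects, other) for peer, other in sets.items()
                       if peer != user), reverse=True)
        scores[user] = 1.0 - statistics.mean(sims[:k] or [0.0])
    return scores


def flag_anomalies(scores, z=2.0):
    """Flag users whose deviation exceeds the mean by more than z population
    standard deviations (a simple cutoff chosen for this example; the paper
    uses a statistical model, not this rule)."""
    values = list(scores.values())
    cutoff = statistics.mean(values) + z * statistics.pstdev(values)
    return sorted(u for u, s in scores.items() if s > cutoff)


if __name__ == "__main__":
    for name, sem in (("CADS-like", None), ("MetaCADS-like", SUBJECT_CATEGORY)):
        scores = deviation_scores(ACCESS_LOG, semantics=sem)
        print(name, {u: round(s, 3) for u, s in sorted(scores.items())},
              "flagged:", flag_anomalies(scores))
```

Running it flags only `x1` under both variants: each team member's two nearest peers share two of three subjects, while `x1` shares at most one subject with anyone. Note how the category tokens raise `x1`'s similarity to both teams (its score drops from about 0.71 to about 0.59); with many illicit users touching common categories, that same effect is what lets them blend in, which is the "hiding in a crowd" caveat the abstract raises.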