Insider threat detection approach for tobacco industry based on heterogeneous graph embedding

In the tobacco industry,insider employee attack is a thorny problem that is difficult to detect.To solve this issue,this paper proposes an insider threat detection method based on heterogeneous graph embedding.First,the interrelationships between logs are fully considered,and log entries are converted into heterogeneous graphs based on these relationships.Second,the heterogeneous graph embedding is adopted and each log entry is represented as a low-dimensional feature vector.Then,normal logs and malicious logs are classified into different clusters by clustering algorithm to identify malicious logs.Finally,the effectiveness and superiority of the method is verified through experiments on the CERT dataset.The experimental results show that this method has better performance compared to some baseline methods.

Anomaly Detection Based on Discrete Wavelet Transformation for Insider Threat Classification

Unlike external attacks,insider threats arise from legitimate users who belong to the organization.These individuals may be a potential threat for hostile behavior depending on their motives.For insider detection,many intrusion detection systems learn and prevent known scenarios,but because malicious behavior has similar patterns to normal behavior,in reality,these systems can be evaded.Furthermore,because insider threats share a feature space similar to normal behavior,identifying them by detecting anomalies has limitations.This study proposes an improved anomaly detection methodology for insider threats that occur in cybersecurity in which a discrete wavelet transformation technique is applied to classify normal vs.malicious users.The discrete wavelet transformation technique easily discovers new patterns or decomposes synthesized data,making it possible to distinguish between shared characteristics.To verify the efficacy of the proposed methodology,experiments were conducted in which normal users and malicious users were classified based on insider threat scenarios provided in Carnegie Mellon University’s Computer Emergency Response Team(CERT)dataset.The experimental results indicate that the proposed methodology with discrete wavelet transformation reduced the false-positive rate by 82%to 98%compared to the case with no wavelet applied.Thus,the proposed methodology has high potential for application to similar feature spaces.

Detection of Insider Selective Forwarding Attack Based on Monitor Node and Trust Mechanism in WSN

The security problems of wireless sensor networks (WSN) have attracted people’s wide attention. In this paper, after we have summarized the existing security problems and solutions in WSN, we find that the insider attack to WSN is hard to solve. Insider attack is different from outsider attack, because it can’t be solved by the traditional encryption and message authentication. Therefore, a reliable secure routing protocol should be proposed in order to defense the insider attack. In this paper, we focus on insider selective forwarding attack. The existing detection mechanisms, such as watchdog, multipath retreat, neighbor-based monitoring and so on, have both advantages and disadvantages. According to their characteristics, we proposed a secure routing protocol based on monitor node and trust mechanism. The reputation value is made up with packet forwarding rate and node’s residual energy. So this detection and routing mechanism is universal because it can take account of both the safety and lifetime of network. Finally, we use OPNET simulation to verify the performance of our algorithm.

Ensemble Strategy for Insider Threat Detection from User Activity Logs

In the information era,the core business and confidential information of enterprises/organizations is stored in information systems.However,certain malicious inside network users exist hidden inside the organization;these users intentionally or unintentionally misuse the privileges of the organization to obtain sensitive information from the company.The existing approaches on insider threat detection mostly focus on monitoring,detecting,and preventing any malicious behavior generated by users within an organization’s system while ignoring the imbalanced ground-truth insider threat data impact on security.To this end,to be able to detect insider threats more effectively,a data processing tool was developed to process the detected user activity to generate information-use events,and formulated a Data Adjustment(DA)strategy to adjust the weight of the minority and majority samples.Then,an efficient ensemble strategy was utilized,which applied the extreme gradient boosting(XGBoost)model combined with the DA strategy to detect anomalous behavior.The CERT dataset was used for an insider threat to evaluate our approach,which was a real-world dataset with artificially injected insider threat events.The results demonstrated that the proposed approach can effectively detect insider threats,with an accuracy rate of 99.51%and an average recall rate of 98.16%.Compared with other classifiers,the detection performance is improved by 8.76%.

Insider Attack Detection Using Deep Belief Neural Network in Cloud Computing

Cloud computing is a high network infrastructure where users,owners,third users,authorized users,and customers can access and store their information quickly.The use of cloud computing has realized the rapid increase of information in every field and the need for a centralized location for processing efficiently.This cloud is nowadays highly affected by internal threats of the user.Sensitive applications such as banking,hospital,and business are more likely affected by real user threats.An intruder is presented as a user and set as a member of the network.After becoming an insider in the network,they will try to attack or steal sensitive data during information sharing or conversation.The major issue in today's technological development is identifying the insider threat in the cloud network.When data are lost,compromising cloud users is difficult.Privacy and security are not ensured,and then,the usage of the cloud is not trusted.Several solutions are available for the external security of the cloud network.However,insider or internal threats need to be addressed.In this research work,we focus on a solution for identifying an insider attack using the artificial intelligence technique.An insider attack is possible by using nodes of weak users’systems.They will log in using a weak user id,connect to a network,and pretend to be a trusted node.Then,they can easily attack and hack information as an insider,and identifying them is very difficult.These types of attacks need intelligent solutions.A machine learning approach is widely used for security issues.To date,the existing lags can classify the attackers accurately.This information hijacking process is very absurd,which motivates young researchers to provide a solution for internal threats.In our proposed work,we track the attackers using a user interaction behavior pattern and deep learning technique.The usage of mouse movements and clicks and keystrokes of the real user is stored in a database.The deep belief neural network is designed using a restricted Boltzmann machine(RBM)so that the layer of RBM communicates with the previous and subsequent layers.The result is evaluated using a Cooja simulator based on the cloud environment.The accuracy and F-measure are highly improved compared with when using the existing long short-term memory and support vector machine.

Insiders' Hedging for Jump Diffusion Processes with Applications to Index Tracking

The hedging problem for insiders is very important in the financial market.The locally risk minimizing hedging was adopted to solve this problem.Since the market was incomplete,the minimal martingale measure was chosen as the equivalent martingale measure.By the F-S decomposition,the expression of the locally risk minimizing strategy was presented.Finally,the local risk minimization was applied to index tracking and its relationship with tracking error variance (TEV)-minimizing strategy was obtained.

A Multi-Leveled Approach to Intrusion Detection and the Insider Threat

When considering Intrusion Detection and the Insider Threat, most researchers tend to focus on the network architecture rather than the database which is the primary target of data theft. It is understood that the network level is adequate for many intrusions where entry into the system is being sought however it is grossly inadequate when considering the database and the authorized insider. Recent writings suggest that there have been many attempts to address the insider threat phenomena in regards to database technologies by the utilization of detection methodologies, policy management systems and behavior analysis methods however, there appears to be a lacking in the development of adequate solutions that will achieve the level of detection that is required. While it is true that Authorization is the cornerstone to the security of the database implementation, authorization alone is not enough to prevent the authorized entity from initiating malicious activities in regards to the data stored within the database. Behavior of the authorized entity must also be considered along with current data access control policies. Each of the previously mentioned approaches to intrusion detection at the database level has been considered individually, however, there has been limited research in producing a multileveled approach to achieve a robust solution. The research presented outlines the development of a detection framework by introducing a process that is to be implemented in conjunction with information requests. By utilizing this approach, an effective and robust methodology has been achieved that can be used to determine the probability of an intrusion by the authorized entity, which ultimately address the insider threat phenomena at its most basic level.

Evaluation of Hypervisor Stability towards Insider Attacks

Virtualization technology plays a key role in cloud computing.Thus,the security issues of virtualization tools（hypervisors,emulators,etc.） should be under precise consideration.However,threats of insider attacks are underestimated.The virtualization tools and hypervisors have been poorly protected from this type of attacks.Furthermore,hypervisor is one of the most critical elements in cloud computing infrastructure.Firstly,hypervisor vulnerabilities analysis is provided.Secondly,a formal model of insider attack on hypervisor is developed.Consequently,on the basis of the formal attack model,we propose a new methodology of hypervisor stability evaluation.In this paper,certain security countermeasures are considered that should be integrated in hypervisor software architecture.

The Influence of Differential Leadership on Employees’Affective Commitment:A Perspective of the Insiders and Outsiders

From the perspective of the insiders and outsiders,this study explores the influence of differential leadership on employees’affective commitment and the moderating effect of leader’s self-enhancing humor and individual traditionality.The results show that the differential leadership has a positive impact on the organizational affective commitment of employees,the leader’s self-enhancing humor and the employees’traditionality play a positive regulatory role respectively.Moreover,compared with the outsiders,the low traditionality has a stronger influence on the relationship between differential leadership and organizational affective commitment of the insiders.This paper enriches the research on the influence of leadership style on employee’s affective commitment,proposes and verifies the moderation of leader’s self-enhancing humor and employee’s traditionality,which complements the boundary conditions for the effectiveness of differential leadership style.

An insider user authentication method based on improved temporal convolutional network

With the rapid development of information technology,information system security and insider threat detection have become important topics for organizational management.In the current network environment,user behavioral bio-data presents the characteristics of nonlinearity and temporal sequence.Most of the existing research on authentication based on user behavioral biometrics adopts the method of manual feature extraction.They do not adequately capture the nonlinear and time-sequential dependencies of behavioral bio-data,and also do not adequately reflect the personalized usage characteristics of users,leading to bottlenecks in the performance of the authentication algorithm.In order to solve the above problems,this paper proposes a Temporal Convolutional Network method based on an Efficient Channel Attention mechanism(ECA-TCN)to extract user mouse dynamics features and constructs an one-class Support Vector Machine(OCSVM)for each user for authentication.Experimental results show that compared with four existing deep learning algorithms,the method retains more adequate key information and improves the classification performance of the neural network.In the final authentication,the Area Under the Curve(AUC)can reach 96%.

“攘外”勿忘“安内”——谈insider威胁研究(上)

引言 媒体连篇累牍的关于黑客入侵的报道,在引导人们增强信息安全意识的同时,也把人们的注意力强烈地导向到重视防范来自外部的信息安全事件。这固然是重要的,但却是片面的。对信息安全保障的威胁,从来就来自“内”、“外”两个方面,而且外因通过内因起作用,堡垒最容易从内部攻破。尽管各种威胁列表中一般总不忘把“Insider threat(内部人员威胁)”列入其中,但由于缺乏有效的内部人员威胁解决方案,甚至很少有这方面的研究项目,大多数人对内部人员威胁的认识仅限于泛泛的概念层面上,长此以往。

“攘外”勿忘“安内”——谈insider威胁研究(下)

第二次兰德会议 第二次兰德会议围绕着三个议题展开了讨论:1.长期的研究挑战和目标;2.insider威胁模型;3.使用商业和政府定制产品的短期解决方案.在会议报告中,还包括了10篇附录,分别就非技术解决方案、insider威胁理论模型等做了研究.

信息安全Insider问题研究与对策

本文分析了信息安全人才现状，研究了信息安全与Insider的关系，提出了信息安全人才培养使用的对策与建议，为我军从事信息技术与信息安全专业人才培养提供决策参考依据。

Performance Evaluation of an Anomaly-Detection Algorithm for Keystroke-Typing Based Insider Detection

Keystroke dynamics is the process to identify or authenticate individuals based on their typing rhythm behaviors. Several classifications have been proposed to verify a user＇s legitimacy, and the performances of these classifications should be confirmed to identify the most promising research direction. However, classification research contains several experiments with different conditions such as datasets and methodologies. This study aims to benchmark the algorithms to the same dataset and features to equally measure all performances. Using a dataset that contains the typing rhythm of 51 subjects, we implement and evaluate 15 classifiers measured by Fl-measure, which is the harmonic mean of a false-negative identification rate and false-positive identification rate. We also develop a methodology to process the typing data. By considering a case in which the model will reject the outsider, we tested the algorithms on an open set. Additionally, we tested different parameters in random forest and k nearest neighbors classifications to achieve better results and explore the cause of their high performance. We also tested the dataset on one-class classification and explained the results of the experiment. The top-performing classifier achieves an Fl-measure rate of 92% while using the normalized typing data of 50 subjects to train and the remaining data to test. The results, along with the normalization methodology, constitute a benchmark for comparing the classifiers and measuring the performance of keystroke dynamics for insider detection.

Private Keyword-Search for Database Systems Against Insider Attacks

The notion of searchable encrypted keywords introduced an elegant approach to retrieve encrypted data without the need of decryption. Since the introduction of this notion, there are two main searchable encrypted keywords techniques, symmetric searchable encryption （SSE） and public key encryption with keyword search （PEKS）. Due to the complicated key management problem in SSE, a number of concrete PEKS constructions have been proposed to overcome it. However, the security of these PEKS schemes was only weakly defined in presence of outsider attacks;therefore they suffer from keyword guessing attacks from the database server as an insider. How to resist insider attacks remains a challenging problem. We propose the first searchable encrypted keywords against insider attacks （SEK-IA） framework to address this problem. The security model of SEK-IA under public key environment is rebuilt. We give a concrete SEK-IA construction featured with a constant-size trapdoor and the proposed scheme is formally proved to be secure against insider attacks. The performance evaluations show that the communication cost between the receiver and the server in our SEK-IA scheme remains constant, independent of the sender identity set size, and the receiver needs the minimized computational cost to generate a trapdoor to search the data from multiple senders.

A Donsker Delta Functional Approach to Optimal Insider Control and Applications to Finance

We study optimal insider control problems,i.e.,optimal control problems of stochastic systemswhere the controller at any time t,in addition to knowledge about the history of the system up to this time,also has additional information related to a future value of the system.Since this puts the associated controlled systems outside the context of semimartingales,we apply anticipative white noise analysis,including forward integration and Hida-Malliavin calculus to study the problem.Combining this with Donsker delta functionals,we transform the insider control problem into a classical(but parametrised)adapted control system,albeit with a non-classical performance functional.We establish a sufficient and a necessary maximum principle for such systems.Then we apply the results to obtain explicit solutions for some optimal insider portfolio problems in financial markets described by Itô-Lévy processes.Finally,in the Appendix,we give a brief survey of the concepts and results we need from the theory of white noise,forward integrals and Hida-Malliavin calculus.

“Swimming Ducks Forecast the Coming of Spring”—The predictability of aggregate insider trading on future market returns in the Chinese market

This study systematically examines the ability of aggregate insider trading to predict future market returns in the Chinese A-share market. After controlling for the contrarian investment strategy, aggregate executive(large shareholder)trading conducted over the past six months can predict 66%(72.7%) of market returns twelve months in advance. Aggregate insider trading predicts future market returns very accurately and is stronger for insiders who have a greater information advantage(e.g., executives and controlling shareholders).Corporate governance also affects the predictability of insider trading. The predictability of executive trading is weakest in central state-owned companies,probably because the "quasi-official" status of the executives in those companies effectively curbs their incentives to benefit from insider trading.The predictive power of large shareholder trading in private-owned companies is higher than that in state-owned companies, probably due to their stronger profit motivation and higher involvement in business operations. This study complements the literature by examining an emerging market and investigating how the institutional context and corporate governance affect insider trading.

“The Insider’s Guide to Beijing rates as one of the best,new,imaginative and informative guidebooks in a long time”—South China Morning Post

Immersion Guides,Beijing’s leading English-language publisher of guidebooks for Beijing and beyond,is proud to present the 2008 edition of the Insider’s Guide to Beijing (November 2007,ISBN: 978-7-5085-1172-6,90 yuan).This is not the run-of-the-mill guide- book written by travelers who spend a few harried days getting to know their destination.Combining the knowledge of 40 long-term residents, this is the guidebook that knows Beijing inside and out.Now in its fourth edition,this'Beijing Bible'(Beijing Today) is the most compre- hensive resource available for both travelers and residents. Fully updated annually to keep pace with the rate of change in Beijing,the Insider’s Guide provides readers with practical informa-

Insider Trading with a Random Deadline under Partial Observations:Maximal Principle Method

For a revised model of Caldentey and Stacchetti(Econometrica,2010)in continuous-time insider trading with a random deadline which allows market makers to observe some information on a risky asset,a closed form of its market equilibrium consisting of optimal insider trading intensity and market liquidity is obtained by maximum principle method.It shows that in the equilibrium,(i)as time goes by,the optimal insider trading intensity is exponentially increasing even up to infinity while both the market liquidity and the residual information are exponentially decreasing even down to zero;(ii)the more accurate information observed by market makers,the stronger optimal insider trading intensity is such that the total expect profit of the insider is decreasing even go to zero while both the market liquidity and the residual information are decreasing;(iii)the longer the mean of random time,the weaker the optimal insider trading intensity is while the more both the residual information and the expected profit are,but there is a threshold of trading time,half of the mean of the random time,such that if and only if after it the market liquidity is increasing with the mean of random time increasing.

Insider trading under trading ban regulation in China's A-share market

This study examines the effects of China's 2008 trading ban regulation on the insider trading of large shareholders in China's A-share market.It finds no evidence of insider trading during the ban period(one month before the announcement of a financial report),due to high regulation risk.However,the ban only constrains the profitability of insider trades during the ban period,while trades outside it remain highly profitable.Informed insider trading before the ban period is 2.83 times more profitable than uninformed trading.The regulation has changed insider trading patterns,but has been ineffective in preventing insider trading by large shareholders due to rigid administrative supervision and a lack of civil litigation and flexible market monitoring.This study enhances understanding of large shareholders' trading behavior and has important implications for regulators.