An Insider Threat Detection Method Based on Business Process Mining

Taiming Zhu, Yuanbo Guo, Ankang Ju, Jun Ma, Xuan Wang
DOI: 10.4018/ijbdcn.2017070107

Current intrusion detection systems mostly detect external attacks, but the “Prism Door” and similar events indicate that internal staff may bring greater harm to the information security of organizations. Traditional insider threat detection methods consider only the audit records of personal behavior and fail to combine them with business activities, so they may miss an insider threat that occurs during a business process. The authors consider operators' behavior together with the correctness and performance of business activities, and propose a business process mining based insider threat detection system. The system first establishes the normal profiles of business activities and operators by mining the business log, and then detects specific anomalies by comparing the content of the real-time log with the corresponding normal profile, in order to find the insiders and the threats they have introduced. The relevant anomalies are defined and the corresponding detection algorithms are presented. The authors performed experiments using the ProM framework and Java programming with five synthetic business cases, and found that the system can effectively identify anomalies of both operators and business activities that may indicate potential insider threat.

1. Introduction

The insider threat is a long-term problem faced by most organizations. It usually results in significant damage, ranging from financial theft and intellectual property theft to the destruction of property and business processes. Compared with attacks from external networks that exploit hardware or software vulnerabilities, insider threats are more harmful and more difficult to detect. The main causes of insider threats are as follows. First, some employees may lack security awareness and violate the safety regulations by accident. Second, some employees intentionally bypass security measures for their own convenience and efficiency at work. Last but not least, some employees choose to leak the organization’s confidential information or sabotage its systems out of resentment or at others’ inducement. In general, the insider threat is a comprehensive problem that consists of both human factors and systemic factors. How to detect and prevent the insider threat has become a huge challenge for all organizations.

For organizations, business activities of various types are the main activities carried out during daily operations, and one of their main tasks is to ensure the successful completion of each business process. In order to improve efficiency, more and more organizations have begun to use business systems to accomplish business activities. However, most business systems consider only how to achieve normal business functions during the design phase and ignore the security demands of business activities. This can make the business system vulnerable to insider threats and prone to different kinds of anomalies, or in severe cases even lead to the destruction or disclosure of critical business data. Therefore, in this paper we view this problem from the perspective of business activity and try to detect insider threat by a comprehensive analysis of operators’ abnormal behavior and of the anomalies that emerge during business process execution.

Business processes are a series of activities completed by a group of people in an organization in order to achieve specific goals. The order between activities is strictly defined, as are the content, modalities and responsibilities of each activity. In addition to the staff, the execution of a business process usually depends on specific business systems and software programs, so it is a complex activity that involves human, machine, software and other factors. Clearly, inspecting the daily work of organizations from the perspective of the business process and establishing a normal business process model can provide more comprehensive information to support insider threat detection.

Since actual business activity involves many factors, its process model must also be multidimensional: it must reflect not only the sequence of business events, but also the behavior of operators, the features of business cases, and the time and frequency information of business events. There is no doubt that traditional pre-designed manual modeling methods cannot meet this requirement. Manual modeling usually relies on limited expert knowledge, provides only an idealized view of some of the factors in business activities, and cannot take complex realistic conditions into consideration, so it is often out of touch with reality and mostly useless. To solve this problem, most organizations turn to log-based process mining, which has many advantages. System logs are easily available and have almost no impact on the running system. Detailed information about the execution of a business system is recorded in the log and helps managers understand what happened during the process. Finally, mining the business process from the system log is more objective and efficient.
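As an added illustration (example code written for this page, not the authors' ProM/Java system), the following Python sketch shows the profile-and-compare approach from the abstract across the dimensions just listed: it mines a normal profile (activity transitions, operators per activity, and a time bound per activity) from a constructed business event log, then checks a second constructed log against that profile and reports operator, ordering and timing anomalies. The log layout, the activity and operator names, and the mean-plus-three-standard-deviations time bound are assumptions made for the example, not taken from the paper.

```python
"""Added example (not from the paper): a minimal profile-and-compare insider
threat detector over a constructed business event log.

Assumptions (not from the paper): each log event is a tuple
(case_id, activity, operator, timestamp_in_minutes); the "normal profile" is
(a) the set of observed activity-to-activity transitions, (b) the set of
operators seen per activity, and (c) a per-activity bound on the time until
the next event (mean + 3 * population stdev of the training gaps).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed training log: five normal purchase-order cases.
TRAINING_LOG = [
    ("C1", "create_order", "alice", 0),    ("C1", "approve_order", "bob", 30),
    ("C1", "ship_order", "carol", 90),     ("C1", "invoice", "dave", 100),
    ("C2", "create_order", "alice", 1000), ("C2", "approve_order", "bob", 1040),
    ("C2", "ship_order", "carol", 1110),   ("C2", "invoice", "dave", 1125),
    ("C3", "create_order", "alice", 2000), ("C3", "approve_order", "bob", 2020),
    ("C3", "ship_order", "carol", 2100),   ("C3", "invoice", "dave", 2110),
    ("C4", "create_order", "alice", 3000), ("C4", "approve_order", "bob", 3035),
    ("C4", "ship_order", "carol", 3095),   ("C4", "invoice", "dave", 3105),
    ("C5", "create_order", "alice", 4000), ("C5", "approve_order", "bob", 4025),
    ("C5", "ship_order", "carol", 4090),   ("C5", "invoice", "dave", 4100),
]

# Constructed "real-time" log: one normal case and three anomalous ones.
TEST_LOG = [
    ("T1", "create_order", "alice", 5000), ("T1", "approve_order", "bob", 5030),
    ("T1", "ship_order", "carol", 5095),   ("T1", "invoice", "dave", 5105),
    # T2: the creator approves her own order (operator outside activity profile)
    ("T2", "create_order", "alice", 6000), ("T2", "approve_order", "alice", 6010),
    ("T2", "ship_order", "carol", 6080),   ("T2", "invoice", "dave", 6090),
    # T3: approval step skipped (transition never seen in training)
    ("T3", "create_order", "alice", 7000), ("T3", "ship_order", "carol", 7020),
    ("T3", "invoice", "dave", 7030),
    # T4: shipment delayed far beyond the learned time bound
    ("T4", "create_order", "alice", 8000), ("T4", "approve_order", "bob", 8030),
    ("T4", "ship_order", "carol", 8300),   ("T4", "invoice", "dave", 8310),
]


@dataclass
class Profile:
    """Normal profile mined from the training log."""
    start_activities: set = field(default_factory=set)
    transitions: set = field(default_factory=set)        # (prev, next) pairs
    operators: dict = field(default_factory=lambda: defaultdict(set))  # activity -> operators
    max_gap: dict = field(default_factory=dict)           # activity -> allowed minutes to next


def group_cases(log):
    """Group events by case id and order each case by timestamp."""
    cases = defaultdict(list)
    for case_id, activity, operator, ts in log:
        cases[case_id].append((activity, operator, ts))
    for events in cases.values():
        events.sort(key=lambda e: e[2])
    return cases


def build_profile(log):
    """Mine the normal profile: starts, transitions, operators and time bounds."""
    profile = Profile()
    gaps = defaultdict(list)
    for events in group_cases(log).values():
        profile.start_activities.add(events[0][0])
        for i, (activity, operator, ts) in enumerate(events):
            profile.operators[activity].add(operator)
            if i + 1 < len(events):
                nxt_activity, _, nxt_ts = events[i + 1]
                profile.transitions.add((activity, nxt_activity))
                gaps[activity].append(nxt_ts - ts)
    for activity, values in gaps.items():
        profile.max_gap[activity] = mean(values) + 3 * pstdev(values)
    return profile


def detect_anomalies(profile, log):
    """Compare a log against the profile; return (case, anomaly_type, detail) triples."""
    findings = []
    for case_id, events in group_cases(log).items():
        if events[0][0] not in profile.start_activities:
            findings.append((case_id, "unexpected_start", events[0][0]))
        for i, (activity, operator, ts) in enumerate(events):
            if operator not in profile.operators.get(activity, set()):
                findings.append((case_id, "operator_out_of_role", f"{operator}:{activity}"))
            if i + 1 < len(events):
                nxt_activity, _, nxt_ts = events[i + 1]
                if (activity, nxt_activity) not in profile.transitions:
                    findings.append((case_id, "unexpected_transition", f"{activity}->{nxt_activity}"))
                bound = profile.max_gap.get(activity)
                if bound is not None and nxt_ts - ts > bound:
                    findings.append((case_id, "delay", f"{activity}:{nxt_ts - ts:.0f}min"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_profile(TRAINING_LOG), TEST_LOG):
        print(finding)
```

Running the script prints one finding for each of the three anomalous cases (T2, T3, T4) and none for T1. In a real deployment the profile would be mined from a much larger historical log, the time bound would be tuned per activity rather than fixed at three standard deviations, and the case features and event frequencies mentioned above would be added as further profile dimensions.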
