Cyber insider detection is challenging due to the difficulty in differentiating legitimate activities from malicious ones. This chapter will begin by providing a brief review of exiting works in the machine learning community that offer treatments to cyber insider detection. The reviewwill lead to our recent research advance that focuses on early detection of ongoing insider mission instead of trying to determine whether individual events are malicious or not.Multiple automated software agents are assumed to possess different account privileges on different hosts, to perform different dimensions of a complex insider mission. This work develops an integrated approach that utilizes Hidden Markov Models to estimate the suspicious level of insider activities, and then fuses these suspiciousness values across insider activity dimensions to estimate the progression of an insider mission. The fusion across cyber insider dimensions is accomplished using a combination of Fuzzy rules and Ordered Weighted Average functions. Experimental results based on simulated data show that the integrated approach detects the insider mission with high accuracy and in a timely manner, even in the presence of obfuscation techniques.
All Science Journal Classification (ASJC) codes
- Artificial Intelligence