Legg, P. A. (2015)
Publisher: IEEE
Languages: English
Types: Unknown
One of the greatest challenges for managing organisational cyber security is the threat that comes from those who operate within the organisation. With entitled access and knowledge of organisational processes, insiders who choose to attack have the potential to cause serious impact, such as financial loss, reputational damage, and in severe cases, could even threaten the existence of the organisation. Security analysts therefore require sophisticated tools that allow them to explore and identify user activity that could be indicative of an imminent threat to the organisation. In this work, we discuss the challenges associated with identifying insider threat activity, along with the tools that can help to combat this problem. We present a visual analytics approach that incorporates multiple views, including a user selection tool that indicates anomalous behaviour, an interactive Principal Component Analysis (iPCA) tool that aids the analyst to assess the reasoning behind the anomaly detection results, and an activity plot that visualizes user and role activity over time. We demonstrate our approach using the Carnegie Mellon University CERT Insider Threat Dataset to show how the visual analytics workflow supports the Information-Seeking mantra.