Computing Reviews

Data-driven model-based detection of malicious insiders via physical access logs
Cheh C., Thakore U., Fawaz A., Chen B., Temple W., Sanders W. ACM Transactions on Modeling and Computer Simulation 29(4): 1-25, 2019. Type: Article
Date Reviewed: 03/08/21

Employees with security clearance will perhaps continue to pose the ultimate security threat to businesses, organizations, and security researchers. What kinds of data and algorithms should be effectively used to monitor and thwart risky employees? Cheh et al. offer some insights for identifying malicious insiders based on recorded physical access logs.

The authors present a framework for representing user actions and for selecting models of user behavior derived from historical data. Two distinct Markov models are used to capture the physical pathways in use at railway transit stations. The security threat model distinguishes users with legitimate physical access to the station rooms from those without it.

The malicious insider detection framework consists of components for discovering “the spatial and temporal properties of user movement behavior,” and then selecting and applying an appropriate model to estimate the likelihood of anomalous access within the railway system blueprint. The framework includes offline and online phases. The offline phase performs the “characterization of users based on their past movement behavior, and construction of models based on users’ characteristics and past movement.” The online phase computes the magnitude of uncharacteristic accesses by users.

To evaluate the effectiveness of the advocated framework, the authors use data on the physical card accesses of 590 users to a railway station with 62 rooms. The information on several thousand physical accesses includes date and time, door code, user credential, and access type. The results of the data analysis reveal that the Markov model is effective in forecasting subsequent user movements based on historical physical accesses, and the unique pathways of users are appropriate for discovering regular and irregular movement behavior. The simulation results show the framework’s reliability and competency.
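To make the two phases concrete, here is an added illustration (my own code, not the authors' implementation) of the idea the review describes: an offline phase that builds a per-user first-order Markov model over door-to-door transitions from a card access log with the fields listed above, and an online phase that scores a new day's path by how surprising its transitions are under that model. The log records, door codes and user IDs are constructed for the example, and the smoothing and scoring rule are my own simplifying assumptions rather than the paper's.

```python
from collections import Counter, defaultdict
from math import log

# Constructed sample log, not the paper's data set. Fields follow the review's
# description: date and time, door code, user credential, access type.
LOG = [
    ("2019-03-01 08:01", "D01", "u1", "granted"),
    ("2019-03-01 08:03", "D07", "u1", "granted"),
    ("2019-03-01 08:10", "D12", "u1", "granted"),
    ("2019-03-02 08:02", "D01", "u1", "granted"),
    ("2019-03-02 08:04", "D07", "u1", "granted"),
    ("2019-03-02 08:09", "D12", "u1", "granted"),
    ("2019-03-03 08:00", "D01", "u1", "granted"),
    ("2019-03-03 08:05", "D07", "u1", "granted"),
    ("2019-03-03 08:06", "D30", "u1", "denied"),   # a denied swipe is not movement
    ("2019-03-03 08:11", "D12", "u1", "granted"),
]

def daily_paths(log):
    """Group granted accesses into (user, date) -> ordered sequence of doors."""
    paths = defaultdict(list)
    for stamp, door, user, kind in sorted(log):
        if kind == "granted":
            paths[(user, stamp[:10])].append(door)
    return paths

def train(log):
    """Offline phase: per-user first-order Markov transition counts over doors.
    'START' stands in for the first door of a day, so entry points are modelled too."""
    model = defaultdict(Counter)
    for (user, _), doors in daily_paths(log).items():
        for prev, nxt in zip(["START"] + doors, doors):
            model[user][(prev, nxt)] += 1
    return model

def score(model, user, doors, alpha=1.0):
    """Online phase: mean surprise (-log p) of a path under the user's model.
    Add-alpha smoothing (assumption) makes an unseen transition rare, not impossible.
    Higher scores mean more uncharacteristic movement."""
    counts = model[user]
    vocab = len({nxt for (_, nxt) in counts}) + 1   # known doors plus one unseen slot
    total = 0.0
    for prev, nxt in zip(["START"] + doors, doors):
        out = sum(c for (p, _), c in counts.items() if p == prev)
        total -= log((counts[(prev, nxt)] + alpha) / (out + alpha * vocab))
    return total / len(doors)

if __name__ == "__main__":
    m = train(LOG)
    print(score(m, "u1", ["D01", "D07", "D12"]))   # habitual route: low score
    print(score(m, "u1", ["D01", "D30", "D45"]))   # detour through unseen rooms: high score
```

In a real deployment the same scoring would run over every user's day as it unfolds, with the threshold for alerting chosen from the distribution of scores on historical, known-good days.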

The authors present accurate and efficient algorithms for detecting normal and abnormal access to physical computer rooms and resources. System administrators and cybersecurity experts should read this insightful paper.

Reviewer: Amos Olagunju. Review #: CR147207 (2106-0151)
