UFCFFY-15-M

Cyber Security Analytics

07: Case Study - Insider Threat Detection

Prof. Phil Legg¶

07: Case Study: Insider Threat Detection

In this session we will cover:

  • Postgraduate Taught Experience Survey (PTES)
  • Case Study: Insider Threat Detection
  • Q&A about Portfolio Tasks

PTES

Full Presentation

Case Study: Insider Threat Detection

Insider threat is where those who have insider knowledge and/or access use this to pose a threat to an organisation. This could be data theft, sabotage or disruption of systems, intellectual property theft, sharing of confidential information, the list goes on...

Chelsea Manning (formerly Bradley Manning) - She is a former United States Army soldier who was convicted by court-martial in July 2013 of violations of the Espionage Act and other offenses, after disclosing to WikiLeaks nearly 750,000 classified, or unclassified but sensitive, military and diplomatic documents [Wikipedia]

Edward Snowden - an American former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and subcontractor. His disclosures revealed numerous global surveillance programs, many run by the NSA and the Five Eyes Intelligence Alliance with the cooperation of telecommunication companies and European governments, and prompted a cultural discussion about national security and individual privacy. [Wikipedia]

Greg Chung - "For years, Mr. Chung stole critical trade secrets from Boeing relating to the Space Shuttle and the Delta IV rocket" ... between 1985 to 2003 ... more than 250,000 pages of documents [justice.gov]

  • Top 10 Cases of Insider Threat
  • Insider Threats Examples: 17 Real Examples of Insider Threats

How to detect insider threat?

Given that an insider may have permitted access and/or knowledge, how do we detect that they pose a threat?

  • Are there changes in their behaviour that we can identify and monitor?
  • What attributes do we have machine data for (e.g., log data), and what attributes do we have human data for (e.g., conversations, arguments, sightings, etc.)?
  • What about data that intersects both machine and human, e.g., email conversations or social media interactions?
  • We need to consider both the cyber element and the human/off-line element: the two are entwined.

Yeah, but how do we get data about insider threat?!

  • Carnegie Mellon University: Insider Threat Test Dataset, based on their paper "Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data" - multiple generated datasets of varying difficulty.
  • Email conversations related to insider threat: the Enron dataset, also available on Kaggle.
  • We can also generate our own data model - this is what we will use today.
In [4]:
import pandas as pd

login_data = pd.read_csv('http://www.cems.uwe.ac.uk/~pa-legg/sdav/data/example/login_data.csv')
email_data = pd.read_csv('http://www.cems.uwe.ac.uk/~pa-legg/sdav/data/example/email_data.csv')
web_data = pd.read_csv('http://www.cems.uwe.ac.uk/~pa-legg/sdav/data/example/web_data.csv')
file_data = pd.read_csv('http://www.cems.uwe.ac.uk/~pa-legg/sdav/data/example/file_data.csv')
usb_data = pd.read_csv('http://www.cems.uwe.ac.uk/~pa-legg/sdav/data/example/usb_data.csv')
employee_data = pd.read_csv('http://www.cems.uwe.ac.uk/~pa-legg/sdav/data/example/employee_data.csv')
In [18]:
display( employee_data.head(10) )
print( "Roles:", employee_data['role'].unique() )
   Unnamed: 0  user     role      email                         pc
0           0  usr-uda  Security  usr-uda@lockdown-lockups.com  pc0
1           1  usr-hhe  Security  usr-hhe@lockdown-lockups.com  pc1
2           2  usr-vxr  Finance   usr-vxr@lockdown-lockups.com  pc2
3           3  usr-nba  Finance   usr-nba@lockdown-lockups.com  pc3
4           4  usr-hqt  Finance   usr-hqt@lockdown-lockups.com  pc4
5           5  usr-gwu  Legal     usr-gwu@lockdown-lockups.com  pc5
6           6  usr-nho  Legal     usr-nho@lockdown-lockups.com  pc6
7           7  usr-zay  Security  usr-zay@lockdown-lockups.com  pc7
8           8  usr-wnk  HR        usr-wnk@lockdown-lockups.com  pc8
9           9  usr-gyk  Finance   usr-gyk@lockdown-lockups.com  pc9
Roles: ['Security' 'Finance' 'Legal' 'HR' 'Services' 'Technical' 'Director']
In [19]:
print( "Data Start:" )
display( login_data.head(1) )
print( "Data End:" )
display( login_data.tail(1) )
Data Start:
   Unnamed: 0  datetime             user     action  pc
0           0  2020-01-01 00:21:33  usr-hyo  login   pc205
Data End:
        Unnamed: 0  datetime             user     action  pc
166829      166829  2020-11-30 23:57:32  usr-lnn  logoff  pc64
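The login log above is the kind of machine data the earlier slide asks about. The following is an added example (not the notebook's own code and not loaded from the cems.uwe.ac.uk CSV files): it builds a daily activity profile for each user from a small constructed login log, compares each new day against both the user's own history and the history of everyone in the same role (the "user and role-based profile assessment" idea), and flags days whose largest feature deviation exceeds a threshold. The employee table, PC assignments, the 07:00-19:00 working-hours window and the 2.5 threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Constructed employee table (assumption, not the page's employee_data.csv): role and assigned PC.
EMPLOYEES = {
    "usr-aaa": ("Finance", "pc0"),
    "usr-bbb": ("Finance", "pc1"),
    "usr-ccc": ("Finance", "pc2"),
    "usr-ddd": ("Legal", "pc3"),
}

FEATURES = ("logins", "out_of_hours", "distinct_pcs", "foreign_pc_logins")


def constructed_login_log():
    """Constructed sample log: five weekdays of routine activity (everyone logs in at 09:00 on
    their own PC; usr-ccc also logs in again at 13:00), then one out-of-pattern Saturday on which
    usr-aaa logs in three times in the small hours from colleagues' PCs."""
    rows = []
    start = datetime(2020, 1, 6)  # Monday 6 January 2020
    for d in range(5):
        day = start + timedelta(days=d)
        for user, (_, pc) in EMPLOYEES.items():
            rows.append((day.replace(hour=9), user, "login", pc))
            if user == "usr-ccc":
                rows.append((day.replace(hour=13), user, "login", pc))
            rows.append((day.replace(hour=17, minute=30), user, "logoff", pc))
    odd = datetime(2020, 1, 11)  # Saturday
    for hour, pc in ((1, "pc3"), (2, "pc1"), (3, "pc2")):
        rows.append((odd.replace(hour=hour, minute=5), "usr-aaa", "login", pc))
        rows.append((odd.replace(hour=hour, minute=50), "usr-aaa", "logoff", pc))
    return rows


def daily_features(rows):
    """Aggregate login events into one feature vector per (user, date)."""
    buckets = defaultdict(list)
    for ts, user, action, pc in rows:
        if action == "login":
            buckets[(user, ts.date())].append((ts, pc))
    feats = {}
    for (user, day), events in buckets.items():
        own_pc = EMPLOYEES[user][1]
        feats[(user, day)] = {
            "logins": len(events),
            "out_of_hours": sum(1 for ts, _ in events if ts.hour < 7 or ts.hour >= 19),
            "distinct_pcs": len({pc for _, pc in events}),
            "foreign_pc_logins": sum(1 for _, pc in events if pc != own_pc),
        }
    return feats


def build_profile(vectors):
    """Per-feature (mean, population std) over a set of daily vectors; None if no history."""
    if not vectors:
        return None
    return {f: (mean(v[f] for v in vectors), pstdev(v[f] for v in vectors)) for f in FEATURES}


def deviation(vector, profile, min_std=1.0):
    """Largest per-feature z-score of a day against a profile. The std floor stops a perfectly
    regular history (std == 0) from turning any change at all into an infinite score."""
    if profile is None:
        return None
    return max((vector[f] - profile[f][0]) / max(profile[f][1], min_std) for f in FEATURES)


def score_day(user, day, feats, threshold=2.5):
    """Score one user-day against the user's earlier days and against earlier days of the
    user's role peers. Only history strictly before the scored day is used."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    role = EMPLOYEES[user][0]
    own_hist = [v for (u, d), v in feats.items() if u == user and d < day]
    role_hist = [v for (u, d), v in feats.items() if EMPLOYEES[u][0] == role and d < day]
    vec = feats[(user, day)]
    user_z = deviation(vec, build_profile(own_hist))
    role_z = deviation(vec, build_profile(role_hist))
    flag = any(z is not None and z >= threshold for z in (user_z, role_z))
    return {"user_z": user_z, "role_z": role_z, "flag": flag}


def find_anomalies(rows, threshold=2.5):
    """Return sorted (user, ISO date) pairs for every user-day that trips the threshold."""
    feats = daily_features(rows)
    hits = []
    for (user, day) in feats:
        if score_day(user, day, feats, threshold)["flag"]:
            hits.append((user, day.isoformat()))
    return sorted(hits)


if __name__ == "__main__":
    feats = daily_features(constructed_login_log())
    for user, day in find_anomalies(constructed_login_log()):
        print(user, day, feats[(user, date.fromisoformat(day))], score_day(user, day, feats))
```

Two design points are worth noting. First, the role profile matters because a behaviour that is unusual for one person may be routine for their peers (usr-ccc's second daily login is normal for usr-ccc and only mildly above the Finance average), so comparing against both baselines reduces false positives from individual quirks while still catching a user who drifts away from everyone in their role. Second, the std floor is a deliberate choice: with an exactly regular history the raw z-score is undefined, and without a floor a single extra login would be scored as infinitely anomalous.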

Let's look at the notebook in more detail...

CSA Webpage

Research

  • Automated Insider Threat Detection System Using User and Role-Based Profile Assessment
  • Caught in the act of an insider attack: detection and assessment of insider threat
  • Visualizing the insider threat: challenges and tools for identifying malicious user activity

Q&A