Ioannis Agrafiotis
University of Oxford
Publication
Featured research published by Ioannis Agrafiotis.
Computer Fraud & Security | 2015
Ioannis Agrafiotis; Jason R. C. Nurse; Oliver Buckley; Phil Legg; Sadie Creese; Michael Goldsmith
The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys provide unequivocal evidence to support the significance of this threat and its prevalence in enterprises today [1]. In an attempt to address this challenge, several approaches and systems have been proposed by practitioners and researchers. These focus on defining the insider threat and exploring the human and psychological factors involved, through to the detection and deterrence of these threats via technological and behavioural theories [2, 3, 4, 5, 6].

Insider threats pose major concerns to businesses, institutions and governmental organisations. Few solutions to this problem consider all the technical, organisational and behavioural aspects. In new research, Ioannis Agrafiotis, Jason RC Nurse, Oliver Buckley, Phil Legg, Sadie Creese and Michael Goldsmith define attack patterns that could be key in assisting insider-threat detection, based on 120 real-world case studies. They present their findings, representing each case study as a series of attack steps and identify common trends between different attacks.
Journal of Trust Management | 2014
Jason R. C. Nurse; Ioannis Agrafiotis; Michael Goldsmith; Sadie Creese; Koen Lamberts
Information is the currency of the digital age – it is constantly communicated, exchanged and bartered, most commonly to support human understanding and decision-making. While the Internet and Web 2.0 have been pivotal in streamlining many of the information creation and dissemination processes, they have significantly complicated matters for users as well. Most notably, the substantial increase in the amount of content available online has introduced an information overload problem, while also exposing content with largely unknown levels of quality, leaving many users with the difficult question of, what information to trust? In this article we approach this problem from two perspectives, both aimed at supporting human decision-making using online information. First, we focus on the task of measuring the extent to which individuals should trust a piece of openly-sourced information (e.g., from Twitter, Facebook or a blog); this considers a range of factors and metrics in information provenance, quality and infrastructure integrity, and the person’s own preferences and opinion. Having calculated a measure of trustworthiness for an information item, we then consider how this rating and the related content could be communicated to users in a cognitively-enhanced manner, so as to build confidence in the information only where and when appropriate. This work concentrates on a range of potential visualisation techniques for trust, with special focus on radar graphs, and draws inspiration from the fields of Human-Computer Interaction (HCI), System Usability and Risk Communication. The novelty of our contribution stems from the comprehensive approach taken to address this very topical problem, ensuring that the trustworthiness of openly-sourced information is adequately measured and effectively communicated to users, thus enabling them to make informed decisions.
IFIP PrimeLife International Summer School on Privacy and Identity Management for Life | 2009
Ioannis Agrafiotis; Sadie Creese; Michael Goldsmith; Nick Papanikolaou
We introduce a revocation model for handling personal data in cyberspace. The model is motivated by a series of focus groups undertaken by the EnCoRe project aimed at understanding the control requirements of a variety of data subjects. We observe that there is a lack of understanding of the various technical options available for implementing revocation preferences, and introduce the concept of informed revocation by analogy to Faden and Beauchamp’s informed consent. We argue that we can overcome the limitations associated with informed consent via the implementation of EnCoRe technology solutions. Finally, we apply our model and demonstrate its validity to a number of data-handling scenarios which have arisen in the context of the EnCoRe research project. We have found that data subjects tend to alter their default privacy preferences when they are informed of all the different types of revocation available to them.
Computer and Communications Security | 2016
Tabish Rashid; Ioannis Agrafiotis; Jason R. C. Nurse
The threat that malicious insiders pose towards organisations is a significant problem. In this paper, we investigate the task of detecting such insiders through a novel method of modelling a user's normal behaviour in order to detect anomalies in that behaviour which may be indicative of an attack. Specifically, we make use of Hidden Markov Models to learn what constitutes normal behaviour, and then use them to detect significant deviations from that behaviour. Our results show that this approach is indeed successful at detecting insider threats, and in particular is able to accurately learn a user's behaviour. These initial tests improve on existing research and may provide a useful approach in addressing this part of the insider-threat challenge.
Trust, Security and Privacy in Computing and Communications | 2013
Jason R. C. Nurse; Ioannis Agrafiotis; Sadie Creese; Michael Goldsmith; Koen Lamberts
In light of the significant amount of information available online today and its potential application to a range of situations, the importance of identifying trustworthy information, and secondly, of building user confidence in that information is paramount. With this in mind, we have developed a novel trustworthiness metric which is designed to provide a relative score based on several key factors that influence trust, such as information's provenance and quality, and the integrity of the infrastructure through which the information passes. In this paper we consider whether providing insight into the various factors that make up the resulting trustworthiness score actually helps to build trust in the metric itself, and whether users can successfully understand the advice being conveyed. Specifically, we present here the results of experiments which explore whether or not the visual interface that enables users to understand how the metric is composed of a combination of scores, across a range of factors, is a feature they are cognitively able to process, and whether it might help to build confidence in the trustworthiness advice being provided.
IEEE Symposium on Security and Privacy | 2016
Ioannis Agrafiotis; Arnau Erola; Jassim Happa; Michael Goldsmith; Sadie Creese
There exists unequivocal evidence denoting the dire consequences which organisations and governmental institutions face from insider threats. While the in-depth knowledge of the modus operandi that insiders possess provides ground for more sophisticated attacks, organisations are ill-equipped to detect and prevent these from happening. The research community has provided various models and detection systems to address the problem, but the lack of real data due to privacy and ethical issues remains a significant obstacle for validating and designing effective and scalable systems. In this paper, we present the results and our experiences from applying our detection system in a multinational organisation, the approach followed to abide by the ethical and privacy considerations and the lessons learnt on how the validation process refined the system in terms of effectiveness and scalability.
Social Informatics | 2016
Georgios Giasemidis; Colin Singleton; Ioannis Agrafiotis; Jason R. C. Nurse; Alan Pilgrim; Chris J. Willis; Danica Vukadinovic Greetham
While social networks can provide an ideal platform for up-to-date information from individuals across the world, they have also proved to be a place where rumours fester and accidental or deliberate misinformation often emerges. In this article, we aim to support the task of making sense from social media data, and specifically, seek to build an autonomous message-classifier that filters relevant and trustworthy information from Twitter. For our work, we collected about 100 million public tweets, including users’ past tweets, from which we identified 72 rumours (41 true, 31 false). We considered over 80 trustworthiness measures including the authors’ profile and past behaviour, the social network connections (graphs), and the content of tweets themselves. We ran modern machine-learning classifiers over those measures to produce trustworthiness scores at various time windows from the outbreak of the rumour. Such time-windows were key as they allowed useful insight into the progression of the rumours. From our findings, we identified that our model was significantly more accurate than similar studies in the literature. We also identified critical attributes of the data that give rise to the trustworthiness scores assigned. Finally, we developed a software demonstration that provides a visual user interface to allow the user to examine the analysis.
international workshop secure internet things | 2015
Jason R. C. Nurse; Arnau Erola; Ioannis Agrafiotis; Michael Goldsmith; Sadie Creese
The Internet-of-Things (IoT) is set to be one of the most disruptive technology paradigms since the advent of the Internet itself. Market research company Gartner estimates that around 4.9 billion connected things will be in use in 2015, and around 25 billion by 2020. While there are substantial opportunities accompanying IoT, spanning from Healthcare to Energy, there are an equal number of concerns regarding the security and privacy of this plethora of ubiquitous devices. In this position paper we approach security and privacy in IoT from a different perspective to existing research, by considering the impact that IoT may have on the growing problem of insider threat within enterprises. Our specific aim is to explore the extent to which IoT may exacerbate the insider-threat challenge for organisations and overview the range of new and adapted attack vectors. Here, we focus especially on (personal) devices which insiders bring and use within their employer's enterprise. As a start to addressing these issues, we outline a broad research agenda to encourage further research in this area.
IEEE International Conference on Technologies for Homeland Security | 2013
Sadie Creese; Michael Goldsmith; Nick Moffat; Jassim Happa; Ioannis Agrafiotis
A variety of data-mining tools and filtering techniques exist to detect and analyze cyber-attacks by monitoring network traffic. In recent years many of these tools use visualization designed to make traffic patterns and impact of an attack tangible to a security analyst. The visualizations attempt to facilitate understanding elements of an attack, including the location of malicious activity on a network and the consequences for the wider system. The human observer is able to detect patterns from useful visualizations, and so discover new knowledge about existing data sets. Because of human reasoning, such approaches still have an advantage over automated detection, data-mining and analysis. The core challenge still lies in using the appropriate visualization at the right time. It is this lack of situational awareness that our CyberVis framework is designed to address. In this paper we present a novel approach to the visualization of enterprise network attacks and their subsequent potential consequences. We achieve this by combining traditional network diagram icons with Business Process Modeling and Notation (BPMN), a risk-propagation logic that connects the network and business-process and task layer, and a flexible alert input schema able to support intrusion alerts from any third-party sensor. Rather than overwhelming a user with excessive amounts of information, CyberVis abstracts the visuals to show only noteworthy information about attack data and indicates potential impact both across the network and on enterprise tasks. CyberVis is designed with the Human Visual System (HVS) in mind, so severe attacks (or many smaller attacks that make up a large risk) appear more salient than other components in the scene. A Deep-Dive window allows for investigation of data, similar to a database interface. Finally, a Forensic Mode allows movie-style playback of past alerts under user-defined conditions for closer examination.
IFIP PrimeLife International Summer School on Privacy and Identity Management for Life | 2010
Ioannis Agrafiotis; Sadie Creese; Michael Goldsmith; Nick Papanikolaou
In this paper, we demonstrate how formal methods can be used to unambiguously express privacy requirements. We focus on requirements for consent and revocation controls in a real world case study that has emerged within the EnCoRe project. We analyse the ambiguities and issues that arise when requirements expressed in natural language are transformed into a formal notation, and propose solutions to address these issues. These ambiguities were brought to our attention only through the use of a formal notation, which we have designed specifically for this purpose.