DOI: 10.1145/3139923.3139930
research-article

A Multi-Modal Neuro-Physiological Study of Malicious Insider Threats

Published: 30 October 2017

Abstract

It has long been recognized that solutions to insider threat are mainly user-centric, and several psychological and psychosocial models have been proposed. However, user behavior underlying these malicious acts is still not fully understood, motivating further investigation at the neuro-physiological level. In this work, we conduct a multi-modal study of how users' brains process malicious and benign activities. In particular, we focus on using Electroencephalogram (EEG) signals that arise from the user's brain activities and eye tracking, which can capture spontaneous responses that are unfiltered by the conscious mind. We conduct human study experiments to capture the EEG signals from a group of 25 participants while they perform several computer-based activities in different scenarios. We analyze the EEG signals and the eye tracking data, extract features, and evaluate our approach using several classifiers. The results show that our approach achieved an average accuracy of 99.77% in detecting the malicious insider using the EEG data of 256 channels (sensors) and an average detection accuracy of up to 95.64% using only five channels (sensors). The results show an average detection accuracy of up to 83% using eye movement and pupil behavior data. In general, our results indicate that human EEG signals and eye tracking data can reveal valuable knowledge about a user's malicious intent and can be used as an effective indicator in designing real-time insider threat monitoring and detection frameworks.

Published In

MIST '17: Proceedings of the 2017 International Workshop on Managing Insider Security Threats
October 2017
108 pages
ISBN: 9781450351775
DOI: 10.1145/3139923
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. electroencephalogram (eeg)
  2. eye tracking
  3. insider threat
  4. neuroscience

Qualifiers

  • Research-article

Conference

CCS '17

Acceptance Rates

MIST '17 Paper Acceptance Rate 7 of 18 submissions, 39%;
Overall Acceptance Rate 21 of 54 submissions, 39%
