UNSUPERVISED LEARNING OF NETWORK TRAFFIC BEHAVIORS FOR INSIDER THREAT DETECTION

Authors
Rajchel, Brett L.
Subjects
machine learning
network traffic analysis
cybersecurity
insider threat
anomaly detection
Advisors
Monaco, John
Date of Issue
2020-09
Date
Sep-20
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Insider threats are a costly and dangerous problem for government and non-government organizations alike. Considering an insider's inherently privileged level of access on a network, the main principle of network defense, "keep potential threats and outsiders out," does not apply to insider threats. Current defenses are largely based on the detection of insider threat indicators and rely on up-to-date datasets. However, insider threat activity is innumerable and as diverse as human behavior itself. We hypothesize that characterizing and examining host and organization behavior demonstrated on a network presents an opportunity to circumvent this problem. Leveraging machine learning to detect behavioral anomalies that indicate the presence of an insider threat would enable network administrators to quickly locate and mitigate such threats before they cause serious damage. We demonstrate this methodology by developing a system that extracts host and organization behavior in three different ways from network traffic and uses population-relative metrics to determine host conformity with organizational norms. After testing the system on an operational network with over 8,000 hosts, we show through a series of case studies that our system is effective in detecting behavioral anomalies and that our behavior extraction methods are complementary.
Type
Thesis
Department
Computer Science (CS)
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States