Project title: Game-theoretic approaches towards insider threat detection and mitigation
Director of Studies: Dr Maria Papadaki
Second Supervisor: Dr Matthew Craven
The importance of insider threats is routinely highlighted in cyber security surveys. Intel Security’s 2015 report identified insiders as responsible for 43 per cent of data leakage incidents, whereas Ponemon Institute’s 2016 report identified the risk from disgruntled or negligent employees during company acquisitions as the most significant cyber crime risk during business innovation. Media attention on highly publicised incidents, such as Manning, Snowden, Target, and Nortel, has also served to highlight the issue. However, the readiness to detect and mitigate insider threats often seems overlooked: the discovery timeline for insider and privilege misuse is more likely to take months or years than weeks or days.
Insider threat detection has concentrated on both technical and hybrid solutions, but detecting insider threats is not a purely technical problem. The human factor plays an important role, and recent research recognises this importance. Relevant subfactors include personality traits, psychological and psychosocial data, as well as the motivations and possible catalysts of insider events. However, insider threat detection remains a complex problem, with users continuing to exhibit conflicting agendas and interests.
The proposed research aims to explore the applicability and efficiency of Evolutionary Algorithms and other metaheuristics in the detection and mitigation of insider threats. Game theory models decision-making and competing interactions between individuals with conflicting interests, incentives and strategies. Individuals are assumed to behave according to given rules or to tendencies inferred from data, which allows game theory to predict likely attacks and the best strategies for defending against them. Rather than an analytical approach, the research proposes a probabilistic method based on Evolutionary Algorithms, which aims to produce highly accurate defence strategies and to detect threats from the given data. The research will lead to the evaluation of a prototype system on the CERT Insider Threat dataset, in order to deliver a practical measure of the resulting effectiveness.