Modeling and detecting anomalous topic access

Siddharth Gupta, Casey Hanson, Carl A. Gunter, Mario Frank, David Liebovitz, Bradley Malin

Research output: Chapter in Book/Report/Conference proceedingConference contribution

11 Scopus citations

Abstract

There has been considerable success in developing strategies to detect insider threats in information systems based on what one might call the random object access model or ROA. This approach models illegitimate users as ones who randomly access records. The goal is to use statistics, machine learning, knowledge of workflows and other techniques to support an anomaly detection framework that finds such users. In this paper we introduce and study a random topic access model or RTA aimed at users whose access may be illegitimate but is not fully random because it is focused on common semantic themes. We argue that this model is appropriate for a meaningful range of attacks and develop a system based on topic summarization that is able to formalize the model and provide anomalous user detection effectively for it. To this end, we use healthcare as an example and propose a framework for evaluating the ability to recognize various types of random users called random topic access detection or RTAD. Specifically, we utilize a combination of Latent Dirichlet Allocation (LDA), for feature extraction, a k-nearest neighbor (k-NN) algorithm for outlier detection and evaluate the ability to identify different adversarial types. We validate the technique in the context of hospital audit logs where we show varying degrees of success based on user roles and the anticipated characteristics of attackers. In particular, it was found that RTAD exhibits strong performance for roles are described by a few topics, but weaker performance when users are more topic-agnostic.

Original languageEnglish (US)
Title of host publicationIEEE ISI 2013 - 2013 IEEE International Conference on Intelligence and Security Informatics
Subtitle of host publicationBig Data, Emergent Threats, and Decision-Making in Security Informatics
Pages100-105
Number of pages6
DOIs
StatePublished - 2013
Event11th IEEE International Conference on Intelligence and Security Informatics, IEEE ISI 2013 - Seattle, WA, United States
Duration: Jun 4 2013Jun 7 2013

Publication series

NameIEEE ISI 2013 - 2013 IEEE International Conference on Intelligence and Security Informatics: Big Data, Emergent Threats, and Decision-Making in Security Informatics

Other

Other11th IEEE International Conference on Intelligence and Security Informatics, IEEE ISI 2013
CountryUnited States
CitySeattle, WA
Period6/4/136/7/13

Keywords

  • Access Logs
  • Anomaly Detection
  • Data Mining
  • Electronic Health Records
  • Healthcare Security
  • Insider threats

ASJC Scopus subject areas

  • Artificial Intelligence
  • Information Systems

Fingerprint Dive into the research topics of 'Modeling and detecting anomalous topic access'. Together they form a unique fingerprint.

Cite this