Data-Driven Analytics for Insider Threat Detection
This thesis will investigate the possibilities of detecting and averting insider threats automatically in real time. An insider threat is a malicious threat that comes from trusted actors within the organization who have privileged access and knowledge. These actors could exploit their position to steal valuable corporate property. According to the Verizon Data Breach Investigations Report from 2017, 25% of all breaches involved insider actors. Although it is a major problem, corporations often do not invest in the detection of insider threats, as most of them are unaware of the potential financial losses. According to an insider threat survey from the SANS Institute, 45% of respondents did not know the potential for financial losses associated with an insider incident, while another 33% were unable to place a value on the losses.
Other researchers have applied proven methods for detecting external threats to the detection of insider threats with varying success, or have created systems that are too difficult to maintain. I want to use machine learning to analyze log files from Windows logging tools such as Sysmon. The analysis should determine whether a user's behavior is unusual compared with that user's previous activity, or whether it could be dangerous. The system would then automatically detect anomalies and suspicious behavior in real time, instead of a human having to manually go through endless logs or maintain blacklists that are easily bypassed by zero-day exploits.
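To make the "unusual compared with previous data" idea concrete, the following is an added example (not code from the thesis) of a minimal per-user baseline over Sysmon Event ID 1 (process creation) records. The field names UtcTime, User and Image are real Sysmon fields, but the events themselves are constructed for illustration, the per-event score is a Laplace-smoothed negative log-likelihood of (process image, hour of day) under that user's history, and the alert threshold of 5.0 is an arbitrary assumption that in practice would be calibrated on held-out baseline data.

```python
"""Per-user anomaly scoring over constructed Sysmon Event ID 1 records.

Added example, not part of the thesis. Sample events are constructed,
not captured from a real host; the threshold is an assumed tuning value.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed "known good" history: office work in daytime for alice,
# developer tooling in the morning for bob.
BASELINE_EVENTS = [
    {"UtcTime": "2023-03-13 09:01:22.101", "User": "CORP\\alice", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"UtcTime": "2023-03-13 09:30:05.220", "User": "CORP\\alice", "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"UtcTime": "2023-03-13 10:15:41.003", "User": "CORP\\alice", "Image": r"C:\Windows\System32\notepad.exe"},
    {"UtcTime": "2023-03-13 13:05:12.450", "User": "CORP\\alice", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"UtcTime": "2023-03-13 14:20:33.777", "User": "CORP\\alice", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"UtcTime": "2023-03-13 16:45:09.118", "User": "CORP\\alice", "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"UtcTime": "2023-03-13 08:50:00.512", "User": "CORP\\bob",   "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2023-03-13 09:10:47.930", "User": "CORP\\bob",   "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2023-03-13 10:00:15.061", "User": "CORP\\bob",   "Image": r"C:\Program Files\Git\bin\git.exe"},
    {"UtcTime": "2023-03-13 11:30:58.204", "User": "CORP\\bob",   "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

# Constructed events to score: routine, off-hours tooling, unknown account, routine.
NEW_EVENTS = [
    {"UtcTime": "2023-03-14 09:15:10.000", "User": "CORP\\alice",      "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"UtcTime": "2023-03-14 02:30:44.000", "User": "CORP\\alice",      "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2023-03-14 03:02:19.000", "User": "CORP\\svc-backup", "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2023-03-14 09:45:31.000", "User": "CORP\\bob",        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

ASSUMED_THRESHOLD = 5.0  # arbitrary; calibrate on held-out baseline scores in practice


def parse_hour(utc_time: str) -> int:
    """Sysmon UtcTime looks like '2023-03-13 09:01:22.101'; keep only the hour."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f").hour


class UserBaseline:
    """Counts of which images a user ran and at which hours."""

    def __init__(self) -> None:
        self.images = Counter()
        self.hours = Counter()
        self.n = 0

    def add(self, image: str, hour: int) -> None:
        self.images[image] += 1
        self.hours[hour] += 1
        self.n += 1

    def surprise(self, image: str, hour: int, vocab_size: int) -> float:
        # Laplace smoothing so unseen images/hours get a small, nonzero probability.
        p_image = (self.images[image] + 1) / (self.n + vocab_size)
        p_hour = (self.hours[hour] + 1) / (self.n + 24)
        # Independence assumption between image and hour; higher means rarer.
        return -math.log(p_image) - math.log(p_hour)


def build_baselines(events):
    """Return (per-user baselines, number of distinct images seen overall)."""
    baselines = defaultdict(UserBaseline)
    vocab = set()
    for e in events:
        image = e["Image"].lower()  # Sysmon image paths are case-insensitive on NTFS
        baselines[e["User"]].add(image, parse_hour(e["UtcTime"]))
        vocab.add(image)
    return dict(baselines), len(vocab)


def score_event(baselines, vocab_size: int, event) -> float:
    """Anomaly score for one event; accounts with no history are maximally surprising."""
    user = event["User"]
    if user not in baselines:
        return float("inf")
    return baselines[user].surprise(event["Image"].lower(), parse_hour(event["UtcTime"]), vocab_size)


def detect_anomalies(baselines, vocab_size: int, events, threshold: float):
    """Return (event, score) pairs whose score reaches the threshold, in input order."""
    flagged = []
    for e in events:
        s = score_event(baselines, vocab_size, e)
        if s >= threshold:
            flagged.append((e, s))
    return flagged


if __name__ == "__main__":
    model, vocab = build_baselines(BASELINE_EVENTS)
    for event, score in detect_anomalies(model, vocab, NEW_EVENTS, ASSUMED_THRESHOLD):
        print(f"ALERT {score:6.2f} {event['User']} {event['Image']} at {event['UtcTime']}")
```

With this constructed history, alice opening Outlook at 09:15 scores about 3.77 and is ignored, bob running PowerShell at 09:45 scores about 4.34 (he has done so before) and is ignored, while alice launching PowerShell at 02:30 scores about 5.97 and the never-seen svc-backup account scores infinity, so both are raised. The point is that the same action is judged relative to each user's own past, not against a global blacklist; a real system would add features such as parent process, command line and host, and would learn the threshold rather than assume it.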