Toward Realistic and Artifact-Free Insider-Threat Data

Progress in insider-threat detection is currently limited by a lack of realistic, publicly available, real-world data. For reasons of privacy and confidentiality, no one wants to expose their sensitive data to the research community. Data can be sanitized to mitigate privacy and confidentiality conc...

Bibliographic details
Main authors: Killourhy, K.S., Maxion, R.A.
Format: Conference proceeding
Language: eng
Subjects:
container_end_page 96
container_issue
container_start_page 87
container_title
container_volume
creator Killourhy, K.S.
Maxion, R.A.
description Progress in insider-threat detection is currently limited by a lack of realistic, publicly available, real-world data. For reasons of privacy and confidentiality, no one wants to expose their sensitive data to the research community. Data can be sanitized to mitigate privacy and confidentiality concerns, but the mere act of sanitizing the data may introduce artifacts that compromise its utility for research purposes. If sanitization artifacts change the results of insider-threat experiments, then those results could lead to conclusions which are not true in the real world. The goal of this work is to investigate the consequences of sanitization artifacts on insider-threat detection experiments. We assemble a suite of tools and present a methodology for collecting and sanitizing data. We use these tools and methods in an experimental evaluation of an insider-threat detection system. We compare the results of the evaluation using raw data to the results using each of three types of sanitized data, and we measure the effect of each sanitization strategy. We establish that two of the three sanitization strategies actually alter the results of the experiment. Since these two sanitization strategies are commonly used in practice, we must be concerned about the consequences of sanitization artifacts on insider-threat research. On the other hand, we demonstrate that the third sanitization strategy addresses these concerns, indicating that realistic, artifact-free data sets can be created with appropriate tools and methods.
doi_str_mv 10.1109/ACSAC.2007.31
format Conference Proceeding
fulltext fulltext_linktorsrc
identifier ISSN: 1063-9527
ispartof Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007, p.87-96
issn 1063-9527
2576-9103
language eng
recordid cdi_ieee_primary_4412979
source IEEE Electronic Library (IEL) Conference Proceedings
subjects Application software
Assembly
Banking
Computer science
Computer security
Computerized monitoring
Data privacy
Detectors
Laboratories
Postal services
title Toward Realistic and Artifact-Free Insider-Threat Data
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-16T02%3A21%3A08IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_6IE&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=Toward%20Realistic%20and%20Artifact-Free%20Insider-Threat%20Data&rft.btitle=Twenty-Third%20Annual%20Computer%20Security%20Applications%20Conference%20(ACSAC%202007)&rft.au=Killourhy,%20K.S.&rft.date=2007-12&rft.spage=87&rft.epage=96&rft.pages=87-96&rft.issn=1063-9527&rft.eissn=2576-9103&rft.isbn=0769530605&rft.isbn_list=9780769530604&rft_id=info:doi/10.1109/ACSAC.2007.31&rft_dat=%3Cieee_6IE%3E4412979%3C/ieee_6IE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=4412979&rfr_iscdi=true