Conference papers

Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis

Abstract: This research tests the theory that volitional, malicious computer use based on insider threat activity can be detected via a time-series-based analysis of data and file type forensic artifacts that reside on a raw disk. In other words, statistical profiling of allocated and unallocated space pertaining to the types of files accessed and the data browsed, acquired and processed incident to espionage, intellectual property theft, fraud or organizational computer abuse can help detect insider threats. The t-test approach is used to compare the means of two time windows using the split and sliding window methods, along with first-order autoregressive modeling. Empirical testing against the nineteen-day snapshots of the M57-Patents case provides support for all three methods, but the results suggest that the first-order autoregressive modeling method is the most robust. Additionally, the autoregressive modeling approach is likely to generate more intuitive results for an analyst. Ground truth analysis confirms nearly all of the outliers that were detected. While the majority of the outliers were due to benign and easily explainable situations and system contexts and the minority were due to malicious activity, the approach does not yield an inordinate number of search hits to examine and validate. This research thus provides a new computational approach for locating digital forensic evidence.
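The sliding-window t-test and the first-order autoregressive (AR(1)) residual screening the abstract describes, applied to a constructed daily count series (not the paper's code or the M57-Patents data; window width and the cutoffs 4.0 and 2.0 are assumed values chosen for the illustration):

```python
"""Two of the detectors described in the abstract, applied to a constructed
daily series of forensic artifact counts (e.g. document-type files observed
in each raw-disk snapshot). Added example, not the paper's code; the
window width and thresholds are assumptions."""
from math import sqrt
from statistics import mean, pstdev, variance

# Constructed 19-day series (hypothetical, not the M57-Patents counts).
# Days 12-15 carry a sustained rise that an analyst would want flagged.
COUNTS = [12, 14, 11, 13, 15, 12, 14, 13, 12, 16, 14, 13,
          40, 44, 41, 43, 13, 15, 14]


def welch_t(before, after):
    """Welch's t statistic for the difference in means of two windows
    (each window needs at least two samples)."""
    se = sqrt(variance(before) / len(before) + variance(after) / len(after))
    return (mean(after) - mean(before)) / se if se else 0.0


def sliding_window_t(series, width, threshold):
    """Sliding-window method: slide two adjacent windows of `width` days and
    return the day index that starts the trailing window wherever |t| exceeds
    `threshold`. The split-window method is the same statistic evaluated
    with before=series[:i] and after=series[i:]."""
    return [i for i in range(width, len(series) - width + 1)
            if abs(welch_t(series[i - width:i], series[i:i + width])) > threshold]


def ar1_residual_outliers(series, k):
    """First-order autoregressive method: fit x_t = c + phi * x_{t-1} by
    least squares, then flag days whose one-step-ahead residual lies more
    than k standard deviations from the residual mean (the change points)."""
    xs, ys = series[:-1], series[1:]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    phi = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx if sxx else 0.0
    c = my - phi * mx
    resid = [y - (c + phi * x) for x, y in zip(xs, ys)]
    mu, sd = mean(resid), pstdev(resid)
    return [i + 1 for i, r in enumerate(resid) if sd and abs(r - mu) > k * sd]


if __name__ == "__main__":
    print("sliding t-test hits:", sliding_window_t(COUNTS, 4, 4.0))  # [12]
    print("AR(1) residual hits:", ar1_residual_outliers(COUNTS, 2.0))  # [12, 16]
```

On this input the window t-test flags only the boundary where the elevated block begins, while the AR(1) residuals flag both the onset (day 12) and the return to baseline (day 16), which is the kind of result the abstract calls more intuitive for an analyst to ground-truth.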

Cited literature: 21 references

https://hal.inria.fr/hal-01716401
Contributor: Hal Ifip
Submitted on: Friday, February 23, 2018 - 3:50:27 PM
Last modification on: Friday, February 23, 2018 - 3:51:59 PM
Document(s) archived on: Friday, May 25, 2018 - 1:10:42 AM

File

456364_1_En_9_Chapter.pdf
Files produced by the author(s)

Licence

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Nicole Beebe, Lishu Liu, Zi Ye. Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis. 13th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2017, Orlando, FL, United States. pp.149-167, ⟨10.1007/978-3-319-67208-3_9⟩. ⟨hal-01716401⟩

Metrics

Record views: 109
Files downloads: 38