Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis - Archive ouverte HAL Access content directly
Conference Papers Year : 2017

Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis

(1) , (1) , (1)
1

Abstract

This research tests the theory that volitional, malicious computer use based on insider threat activity can be detected via a time-series-based analysis of data and file type forensic artifacts that reside on a raw disk. In other words, statistical profiling of allocated and unallocated space pertaining to the types of files accessed and the data browsed, acquired and processed incident to espionage, intellectual property theft, fraud or organizational computer abuse can help detect insider threats. The t-test approach is used to compare the means of two time windows using the split and sliding window methods along with first-order autoregressive modeling. Empirical testing against the nineteen-day snapshots of the M57-Patents case provides support for all three methods, but the results suggest that the first-order autoregressive modeling method is the most robust. Additionally, the autoregressive modeling approach is likely to generate more intuitive results for an analyst. Ground truth analysis confirms nearly all of the outliers that were detected. While the majority of the outliers were due to benign and easily explainable situations and system contexts and the minority were due to malicious activity, the approach does not yield an inordinate amount of search hits to examine and validate. This research thus provides a new computational approach for locating digital forensic evidence.
Fichier principal
Vignette du fichier
456364_1_En_9_Chapter.pdf (388.96 Ko) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-01716401 , version 1 (23-02-2018)

Licence

Attribution - CC BY 4.0

Identifiers

Cite

Nicole Beebe, Lishu Liu, Zi Ye. Insider Threat Detection Using Time-Series-Based Raw Disk Forensic Analysis. 13th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2017, Orlando, FL, United States. pp.149-167, ⟨10.1007/978-3-319-67208-3_9⟩. ⟨hal-01716401⟩
67 View
143 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More