1. Introduction
The insider threat is a long-standing problem faced by most organizations. It usually results in significant damage, ranging from financial theft and intellectual property theft to the destruction of property and disruption of business processes. Compared with external attacks that exploit hardware or software vulnerabilities, insider threats are more harmful and more difficult to detect, because the insider already holds legitimate access and authorized actions look much like malicious ones. The main causes of insider threats are as follows. First, some employees lack security awareness and violate security regulations by accident. Second, some employees intentionally bypass security measures for their own convenience and efficiency at work. Last but not least, some employees choose to leak the organization's confidential information or sabotage its systems out of resentment or because of inducement by others. In general, the insider threat is a comprehensive problem that consists of both human and systemic factors, and detecting and preventing it has become a major challenge for all organizations.
For organizations, the various types of business activities carried out during daily operations are their main activities, and one of their main tasks is to ensure the successful completion of each business process. To improve efficiency, more and more organizations use business systems to carry out these activities. However, most business systems consider only how to achieve the required business functions during the design phase and ignore the security demands of the business activities themselves. This leaves the business system vulnerable to insider threats and to various kinds of anomalies, and in severe cases leads to the destruction or disclosure of critical business data. Therefore, in this paper we approach the problem from the perspective of business activity and try to detect insider threats by a comprehensive analysis of operators' abnormal behavior and of the anomalies that emerge during business process execution.
A business process is a series of activities completed by a group of people in an organization in order to achieve a specific goal. The order of the activities is strictly defined, as are the content, modalities and responsibilities of each activity. In addition to the staff, the execution of a business process usually depends on specific business systems and software programs, so it is a complex activity that involves human, machine, software and other factors. Clearly, inspecting the daily work of an organization from the perspective of its business processes and establishing a model of the normal business process can provide more comprehensive information to support insider threat detection.
Since an actual business activity involves many factors, its process model must also be multidimensional: it must reflect not only the sequence of business events, but also the behavior of the operators, the features of the business cases, and the time and frequency information of business events. Traditional pre-designed manual modeling methods cannot meet this requirement. Manual modeling usually relies on limited expert knowledge, provides only an idealized view of some of the factors in a business activity, and cannot take complex real-world conditions into account, so it is often out of touch with reality and of little practical use. To solve this problem, most organizations turn to log-based process mining, which has several advantages. System logs are readily available and collecting them has almost no impact on the running system. Detailed information about the execution of a business system is recorded in the log, which helps managers understand what happened during the process. Finally, mining the business process from the system log is more objective and more efficient than manual modeling.
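To make the log-based approach concrete, the following is an added example (not code from the paper) of mining a minimal multidimensional process model from an event log and checking new cases against it. The log format (case id, activity, operator, ISO timestamp), the purchase-order activities and every event in the two logs are constructed for illustration. The model records three of the dimensions named above: which activity directly follows which (sequence), which operators normally perform each activity (operator behavior), and how long each transition normally takes (time). A case that violates any of these is reported as anomalous.

```python
"""Minimal log-based process mining for insider-threat checks.

Added example, not the paper's own implementation. The event schema, the
activity names and all sample events below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# One event: (case_id, activity, operator, ISO-8601 timestamp)
Event = Tuple[str, str, str, str]

# Constructed training log: three normal purchase-order cases.
NORMAL_LOG: List[Event] = [
    ("c1", "create_order", "alice", "2024-03-01T09:00:00"),
    ("c1", "approve_order", "bob", "2024-03-01T10:30:00"),
    ("c1", "pay_order", "carol", "2024-03-01T14:00:00"),
    ("c1", "close_order", "alice", "2024-03-02T09:00:00"),
    ("c2", "create_order", "alice", "2024-03-03T09:10:00"),
    ("c2", "approve_order", "bob", "2024-03-03T11:00:00"),
    ("c2", "pay_order", "carol", "2024-03-03T15:00:00"),
    ("c2", "close_order", "alice", "2024-03-04T09:30:00"),
    ("c3", "create_order", "dave", "2024-03-05T09:05:00"),
    ("c3", "approve_order", "bob", "2024-03-05T10:00:00"),
    ("c3", "pay_order", "carol", "2024-03-05T13:30:00"),
    ("c3", "close_order", "dave", "2024-03-06T09:00:00"),
]

# Constructed test log with three anomalous cases:
#   x1: alice approves the order she created (operator never seen approving)
#   x2: payment is made before approval (sequence violation)
#   x3: payment happens 15 days after approval (timing outlier)
ANOMALOUS_LOG: List[Event] = [
    ("x1", "create_order", "alice", "2024-03-07T09:00:00"),
    ("x1", "approve_order", "alice", "2024-03-07T09:05:00"),
    ("x1", "pay_order", "carol", "2024-03-07T12:00:00"),
    ("x1", "close_order", "alice", "2024-03-08T09:00:00"),
    ("x2", "create_order", "alice", "2024-03-09T09:00:00"),
    ("x2", "pay_order", "carol", "2024-03-09T09:30:00"),
    ("x2", "approve_order", "bob", "2024-03-09T10:00:00"),
    ("x2", "close_order", "alice", "2024-03-10T09:00:00"),
    ("x3", "create_order", "alice", "2024-03-10T09:00:00"),
    ("x3", "approve_order", "bob", "2024-03-10T10:00:00"),
    ("x3", "pay_order", "carol", "2024-03-25T10:00:00"),
    ("x3", "close_order", "alice", "2024-03-26T09:00:00"),
]


def group_cases(log: List[Event]) -> Dict[str, list]:
    """Group events by case and order each case by timestamp."""
    cases: Dict[str, list] = defaultdict(list)
    for case_id, act, op, ts in log:
        cases[case_id].append((act, op, datetime.fromisoformat(ts)))
    for events in cases.values():
        events.sort(key=lambda e: e[2])
    return cases


class ProcessModel:
    """Directly-follows graph plus per-activity operator and timing profiles."""

    def __init__(self) -> None:
        self.follows: Dict[str, Counter] = defaultdict(Counter)    # a -> {b: n}
        self.operators: Dict[str, Counter] = defaultdict(Counter)  # act -> {op: n}
        self.gaps: Dict[Tuple[str, str], List[float]] = defaultdict(list)  # seconds

    def fit(self, log: List[Event]) -> "ProcessModel":
        """Mine the normal model from a log assumed to contain only normal cases."""
        for events in group_cases(log).values():
            prev = None
            for act, op, ts in events:
                self.operators[act][op] += 1
                if prev is not None:
                    self.follows[prev[0]][act] += 1
                    self.gaps[(prev[0], act)].append((ts - prev[2]).total_seconds())
                prev = (act, op, ts)
        return self

    def check_case(self, events: list, max_gap_factor: float = 3.0) -> List[str]:
        """Return human-readable findings for one time-ordered case."""
        findings: List[str] = []
        prev = None
        for act, op, ts in events:
            if act not in self.operators:
                findings.append(f"unknown activity {act}")
            elif op not in self.operators[act]:
                findings.append(f"operator {op} never performed {act}")
            if prev is not None:
                pa = prev[0]
                if act not in self.follows.get(pa, {}):
                    findings.append(f"unexpected transition {pa} -> {act}")
                else:
                    gap = (ts - prev[2]).total_seconds()
                    limit = max_gap_factor * max(self.gaps[(pa, act)])
                    if gap > limit:
                        findings.append(
                            f"transition {pa} -> {act} took {gap:.0f}s, "
                            f"over {max_gap_factor}x the observed maximum")
            prev = (act, op, ts)
        return findings


def check_log(model: ProcessModel, log: List[Event]) -> Dict[str, List[str]]:
    """Map each anomalous case id in `log` to its findings (clean cases omitted)."""
    result = {}
    for case_id, events in group_cases(log).items():
        findings = model.check_case(events)
        if findings:
            result[case_id] = findings
    return result


if __name__ == "__main__":
    model = ProcessModel().fit(NORMAL_LOG)
    for case_id, findings in check_log(model, ANOMALOUS_LOG).items():
        print(case_id, findings)
```

The model is deliberately simple: a directly-follows relation is the most basic process-mining artefact, and the operator and timing profiles are per-activity counts and observed durations rather than learned distributions. On a real log the timing threshold should be derived from a robust statistic over many cases, and the training log must itself be vetted, since a model mined from a log that already contains an insider's behaviour will treat that behaviour as normal.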