1. Field of the Invention
The present invention relates generally to computer networks, and more particularly to insider threat detection in computer networks.
2. Background Art
Trusted insiders committing espionage have caused tremendous damage to not only corporations but also U.S. national security.
Today, insider threat detection is challenging because of the large amounts of information to protect, the difficulty of tailoring computer access control policies to a user's “need to know”, and the competing need to share information effectively. Yet, what makes insider threat detection especially difficult is that malicious insiders (MIs) are frequently legitimate users operating within their privileges.
Current cyber-detection methods are inadequate. For example, methods based on system log auditing and intrusion detection focus on rule breaking, are difficult to interpret, and frequently lack user attribution. As such, they are incapable of detecting MIs operating within their privileges or of correctly attributing observed activity to its associated user. On the other hand, methods based on focused user observation tools are only effective once the subject of the threat has already been identified. Furthermore, both types of methods lack the “smart” analysis capabilities required to analyze and prioritize the large volumes of generated data, which is the norm in a large organization network.
What are needed, therefore, are methods, systems, and computer program products to detect when trusted insiders misuse information in a manner consistent with espionage. Further, methods, systems, and computer program products are needed that are capable of exploiting subtle differences between legitimate and MI behavior by leveraging contextual information about users and the information with which they interact.