The present invention relates to methods for user profiling for detecting insider threats based on internet search patterns and forensics of search keywords.
In recent years, security has become an increasing concern in information systems. The issue has grown more significant with the advent of the Internet and the ubiquitous use of networked environments (e.g. LANs and WANs), both inter- and intra-organizational.
In a 2002 presentation entitled, “Machine Learning Techniques for Mitigating Insider Threat,” by Yihua Liao at The University of California at Davis (hereinafter referred to as Liao), the term “insider” was defined as anyone who is authorized access to an information system, and the term “insider threat” was defined as the ability to exceed or abuse authorized access to exploit, attack, or misuse information systems.
Insiders pose the greatest threat to national security as well as enterprise interests. According to a 2007 “e-crime” survey, 26% of e-crime events are committed by insiders, and 34% of the organizations surveyed estimate that insiders caused more damage to their organization than outsiders. Such e-crime goes beyond malicious acts on IT (information technology) systems to include: abuse of resources, violation of policies, and use of company facilities to commit crimes, which may have legal or public-relations implications.
According to CERT (Carnegie Mellon University's Computer Emergency Response Team), organizations:
(1) must take a holistic approach to detecting and preventing insider attacks by considering both the technical and the behavioral aspects; and
(2) should establish baselines of normal activities in order to detect anomalies.
User profiling is a technique for detecting insider misuse by distinguishing one user from another. A user profile contains information that characterizes that user's behavior (e.g. commands executed and files accessed). Anomaly detection is then used to identify deviations from the user's normal patterns. Anomaly detection rests on the assumption that anomalous behavior may indicate that system security is being compromised. Anomaly detection tends to generate many false alarms, but may be the only way to detect insider misuse. Liao describes acquiring a user profile from web-browsing behavior for detecting insider threats, with the profile adapting to changes in the user's behavior over time (referred to as “concept drift”).
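The following is an added, self-contained example written for this page; it is not the claimed method nor code from Liao or CERT. It shows the three ideas of the preceding paragraph on search keywords: a per-user keyword profile built from a learning-phase log, an anomaly score (mean surprisal of a query's keywords under that profile, Laplace-smoothed so never-seen keywords score highest but finitely), and an exponentially decayed update so the profile follows concept drift instead of alarming forever on a legitimate change of interests. The users, queries, decay factor and threshold margin are all constructed assumptions.

```python
"""
Added example (not the patent's method): per-user search-keyword profiles with
surprisal-based anomaly scoring and decayed updates for concept drift.
Every user, query and tuning constant below is constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed learning-phase search log, oldest query first. Not real data.
LEARNING_LOG = [
    ("alice", "quarterly sales forecast template"),
    ("alice", "excel pivot table tutorial"),
    ("alice", "sales pipeline dashboard"),
    ("alice", "forecast accuracy metrics"),
    ("alice", "pivot table group by month"),
    ("alice", "sales territory map"),
    ("bob", "nginx reverse proxy config"),
    ("bob", "systemd service restart on failure"),
    ("bob", "linux disk usage by directory"),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(query):
    """Lower-case alphanumeric keywords, dropping very short ones such as 'by'."""
    return [t for t in TOKEN_RE.findall(query.lower()) if len(t) > 2]


class KeywordProfile:
    """Decayed keyword frequencies for one user plus a calibrated alarm threshold."""

    def __init__(self, decay=0.9):
        self.decay = decay          # assumed aging factor per observed query
        self.counts = Counter()     # keyword -> decayed weight
        self.total = 0.0            # sum of all weights
        self.threshold = None       # set by calibrate() at end of learning phase

    def update(self, tokens):
        # Age existing weights first so recent queries dominate. This is what
        # lets the profile track a user's legitimate drift in interests.
        for k in self.counts:
            self.counts[k] *= self.decay
        self.total *= self.decay
        for t in tokens:
            self.counts[t] += 1.0
            self.total += 1.0

    def surprisal(self, tokens):
        """Mean -log p(keyword) under the profile with Laplace smoothing, so a
        keyword never seen for this user gets the maximal (but finite) score."""
        if not tokens:
            return 0.0
        denom = self.total + len(self.counts) + 1
        return sum(-math.log((self.counts.get(t, 0.0) + 1.0) / denom)
                   for t in tokens) / len(tokens)

    def calibrate(self, history, margin=1.1):
        """End of learning phase: alarm above the highest surprisal the user's
        own past queries produce, times a margin (constructed choice; a real
        deployment would tune it against its false-alarm budget)."""
        self.threshold = margin * max(self.surprisal(tokenize(q)) for q in history)

    def is_anomalous(self, query):
        return self.surprisal(tokenize(query)) > self.threshold


def build_profiles(log, decay=0.9):
    """Learning phase: one profile per user, calibrated on that user's history."""
    profiles, history = {}, {}
    for user, query in log:
        profiles.setdefault(user, KeywordProfile(decay)).update(tokenize(query))
        history.setdefault(user, []).append(query)
    for user, profile in profiles.items():
        profile.calibrate(history[user])
    return profiles


def drift_scores(profile, query, repeats=10):
    """Score a new-topic query before and after the profile has absorbed it
    `repeats` times; the second value is lower once the drift is learned."""
    tokens = tokenize(query)
    before = profile.surprisal(tokens)
    for _ in range(repeats):
        profile.update(tokens)
    return before, profile.surprisal(tokens)


if __name__ == "__main__":
    profiles = build_profiles(LEARNING_LOG)
    alice = profiles["alice"]
    for q in ("sales forecast template", "sales data export usb", "disable endpoint dlp agent"):
        print(f"alice {q!r}: surprisal={alice.surprisal(tokenize(q)):.2f} "
              f"threshold={alice.threshold:.2f} anomalous={alice.is_anomalous(q)}")
    print("drift before/after:", drift_scores(alice, "kubernetes ingress controller"))
```

Note that the same query scores differently per user: a query that is routine for one profile is flagged under another, which is the sense in which profiling distinguishes one user from another. The decay also means an adversary who slowly shifts a victim's profile can lower the alarm on a topic over time, so in practice the rate of drift itself is worth monitoring alongside the per-query score.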
A white paper entitled, “Weak Models for Insider Threat Detection,” by Paul Thompson at Dartmouth College (hereinafter referred to as Thompson), discusses how to detect malicious insiders based on their interaction with a large document repository. Thompson focuses primarily on the detection mechanism (hidden Markov models in that work) rather than on categorizing users according to their behavior.
It would be desirable to have methods for user profiling for detecting insider threats based on internet search patterns and forensics of search keywords. Such a methodology would establish a baseline of each user's search behavior during a “learning phase” prior to any attack. Such methods would, inter alia, ameliorate some of the problems described above.