A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats


Transcript of A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats

Page 1: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

www.syrres.com


A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats

Information Assurance for the Intelligence Community

Page 2: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Novel Ideas

Novel method for monitoring and assessing risk of individuals' behavior patterns within an organization by combining context-based socio-technical and role-based information security theory with natural-language-processing (NLP) techniques.

- Multi-perspective method for modeling intelligence community workflows combines role-based models of organizational networks and context-based models of social networks.

- Fine-grained analysis of text-based cyber observables through NLP-based semantic extractions.

Goals

To develop an insider threat model for detecting malicious insider behavior based on the context of the user’s task, their role within the organization and the semantic content of communications and documents associated with the user.

To develop a prototype software implementation of the CRS-based insider threat model and demonstrate that this model can reliably detect risks associated with malicious insider behavior.

Milestones (month)

- Concept of Operations: 2
- Strawman Scenario: 3
- Model Schema: 3
- M/S Environment: 4
- Evaluation Criteria: 5
- Threat Scenario (draft): 6
- Org. Network Model: 8
- Social Network Model: 8
- Semantic Analysis: 8
- Integrated CRS Model: 10
- Scenario Refinement: 12
- Prototype Development: 15
- Test & Evaluation: 18
- Demonstration: 18
- Final Report: 18

Principal Investigator: Robert DelZoppo, Syracuse Research Corporation

[email protected]

Page 3: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Primary Tasks

Scenario Development: Using Intelligence Community context, research and develop scenarios for insider behavior, both malicious and non-malicious; establish instances for the demonstration scenario.

Model Development: Research and develop the organizational, social network, and semantic models; produce an integrated CRS model.

Environment / Prototyping: Establish the modeling & simulation environment; develop the document training corpus; develop a prototype software implementation of the integrated CRS Insider Threat Model.

Test & Evaluation: Execute, test, and evaluate the model against the scenario; document and present the results in the final demonstration.

Page 4: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Technical Rationale

Background

Intelligence analysts operate within a mission-based context, focused mainly on specific topics of interest (TOIs) and geo-political areas of interest (AOIs).

The role the analyst participates in dictates:

- Mission
- Intelligence work products produced
- Required intelligence resources and products
- AOI and TOI
- Organizational relationships and communication patterns

[Figure: role and group diagram. Actor “Mallory”; roles PA1 (Mission: Analysis & Production; Work Products: Type Report-A, Timeframe 30 days; Info Systems: X1 (R,W), X2 (R)), PA3, PA7, PA8, C1, C2, C3; groups G1 (AOI: Country X, Topic: Narcotics), G3 (AOI: Country X, Topic: Economics), G7 (AOI: Country Y, Topic: Narcotics), G8 (AOI: Worldwide, Topic: Cocaine Production). Relations shown: fulfills role, collaborates with, has role, assigns tasks to, produces info for.]

Page 5: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Technical Rationale

Background

Modeling the insider therefore requires the following be considered:

Context – the task or mission the insider operates in.

Role – the insider’s assigned job functions within context.

Semantics – the content of the information accessed by the insider.

[Figure: the same role and group diagram as on Page 4.]

Page 6: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Technical Rationale

Approach

Combine socio-technical, information security and natural language processing approaches within a relevant intelligence community scenario:

Context – apply and extend existing social/shadow network approaches to modeling and monitoring discretionary communication patterns.

Role – extend role-based access control approaches to support strong, scalable, and efficient access monitoring mechanisms.

Semantics – apply NLP knowledge extraction techniques to analyze document and communication semantics.

Page 7: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Theoretical Basis

Context - Applying Social Network Analysis to Insider Threat Problem

Background

Analyze communication between individuals, teams, groups and communities for social structures and relational aspects.

Resulting Social Networks represent magnitude, frequency, and polarity of communication patterns.

Social Networks identify and characterize informal or undocumented organizational structures.

Social Network Analysis can discover and contrast legitimate network structures and shadow network structures of the organization.

Approach

Analyze insider communication data to identify and characterize Expected Insider Behavior.

Apply Social Network Analysis techniques to contrast Observed Insider Behavior against Expected.

Insider Adjacency Matrix (insiders A to E):

      A   B   C   D   E
  A   -   2   1   4   2
  B   2   -   0   0   0
  C   1   0   -   0   0
  D   4   0   0   -   3
  E   2   0   0   3   -

[Figure: Insider Social Network graph, nodes A through L and Q with weighted edges.]

Page 8: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Theoretical Basis

Role - Applying RBAM to the Insider Threat Problem

Background

Role-based Access Monitoring (RBAM) is based on Role-based Access Control (RBAC) models.

Job responsibilities for a given role in an organization are stable; an individual user’s job functions are not.

In RBAC, permissions are associated with roles, and users are assigned appropriate roles.

RBAC provides efficient access control by modeling control at the role level, which reduces complexity, cost, and potential errors in the security system.

Approach

Extend RBAC to RBAM:

Communication data for social network and semantic analysis is captured at the individual insider level but abstracted to the role level in the Expected Behavior Model.

An individual insider’s Observed Activity Patterns (social/semantic) are compared against the Expected Behavior of the insider’s current role.

[Figure: Role-based Access Control (Users -> User-Role Assignment (URA) -> Roles -> Permission-Role Assignment (PRA) -> Permissions) alongside Role-based Access Monitoring of Insider Threats (Insiders -> Assigned Roles -> Roles -> Associated with Role -> Expected Behavior).]
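The RBAC-to-RBAM abstraction described above, as an added example that is not code from the original slides or the project: individual adjacency rows are averaged into a role-level Expected Behavior profile, and one insider's Observed row is scored against the profile of the role they hold. The insiders, roles, counts and the normalised L1 deviation score are all constructed assumptions for illustration.

```python
# Added example (not from the original slides): the RBAC-to-RBAM abstraction.
# Per-insider communication counts (one adjacency-matrix row each) are averaged
# into a role-level Expected Behavior profile, and an individual's Observed row
# is scored against the profile of the role they currently hold.
# All insiders, roles and counts are constructed sample data.

# Observed message counts from each insider to each peer (adjacency rows).
OBSERVED = {
    "A": {"B": 3, "C": 1, "D": 4},
    "B": {"A": 2, "C": 2, "D": 3},
    "C": {"A": 1, "B": 2, "D": 3},
    "D": {"A": 1, "B": 4, "C": 2},
    "E": {"F": 5, "G": 3},
    "F": {"E": 4, "G": 3},
    "G": {"E": 3, "F": 4, "A": 6},   # a collector with heavy traffic to analyst A
}
# User-role assignment (the RBAC URA relation reused by RBAM).
ROLES = {"analyst": ["A", "B", "C", "D"], "collector": ["E", "F", "G"]}
PEERS = sorted(OBSERVED)


def expected_behavior(role, exclude=None):
    """Role-level profile: mean count to each peer over the role's members.
    The insider being scored is left out so their own row cannot mask itself."""
    members = [m for m in ROLES[role] if m != exclude]
    profile = {}
    for peer in PEERS:
        vals = [OBSERVED[m].get(peer, 0) for m in members if m != peer]
        profile[peer] = sum(vals) / len(vals) if vals else 0.0
    return profile


def assess(insider, role):
    """Compare Observed against Expected for the role.
    Returns (normalised L1 distance in [0, 1], peers the insider contacts that
    the role profile never contacts: a Risk Behavior Indicator candidate)."""
    expected = expected_behavior(role, exclude=insider)
    observed = OBSERVED[insider]
    peers = [p for p in PEERS if p != insider]
    l1 = sum(abs(observed.get(p, 0) - expected[p]) for p in peers)
    mass = sum(observed.get(p, 0) for p in peers) + sum(expected[p] for p in peers)
    unexpected = sorted(p for p in peers if observed.get(p, 0) and not expected[p])
    return (l1 / mass if mass else 0.0), unexpected


if __name__ == "__main__":
    for who, role in (("D", "analyst"), ("G", "collector")):
        score, flags = assess(who, role)
        print(f"{who} as {role}: deviation={score:.2f} unexpected={flags}")
```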

Page 9: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Theoretical Basis

Semantics - Applying Semantic Analysis to the Insider Threat Problem

Background

Based on proven Natural Language Processing (NLP) technology that applies linguistic analysis to achieve human-like processing of natural language texts.

Approximates the morphological, lexical, syntactic, semantic, discourse, and pragmatic levels of human language processing.

Applies algorithms which interpret the meaning conveyed implicitly and explicitly in parts of words, phrases, syntax, multiple meanings of single words, flow and intent of spans of text, and references to real-world entities.

Combines domain-specific knowledge, linguistic analysis techniques and training data.

Approach

Apply semantic analysis to text-based cyber observables including documents, communication texts, and database queries.

Extract useful semantic evidence including Topic of Interest (TOI) and geo-political Area of Interest (AOI).

Apply Semantic Analysis techniques to assess the semantic distance between text-based cyber observables and Expected Insider Behavior in terms of TOI & AOI.

[Figure: Semantic Analysis of Insider Threat Observables. Data accessed/produced by the insider (documents, communication texts, database queries) passes through Semantic Analysis to yield extractions such as TOI: Narcotics; AOI: Country X, Y, ...]

Semantic Analysis Example

Input sentence: “Junior employees of the Acme Corporation must not describe specifications of company products in outgoing e-mails.”

Semantic Representation: <Junior_employee (new_hire; level_1_to_6)|Person> of|PREP the|ART <Acme_Corporation|Company> must|MOD not|MOD <describe (tell; explain; discuss)> <specification (size)> of|PREP <company_product|ProdName> in|PREP <outgoing_email (message; posting)>.

Logical Representation: If ISA (?X, junior_employee) and ISA (?Y, Acme_product) and ISA (?Z, email) and RCPT (?Z, ?P) and LOC (?P, outside_network) and CONT (?Z, ‘ASSOC (?Y, ?A) & MEAS (?A, ?B)’), then CHRC (?Z, nonreleasable).
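A minimal evaluator for the Logical Representation rule above, added here as an example and not code from the original slides or the project. The rule as written never binds ?X (the junior employee) to the e-mail ?Z, so an AUTHOR(?Z, ?X) predicate is assumed to make that link; the entity names, e-mails and extracted triples are constructed sample data.

```python
# Added example (not from the original slides): evaluating the slide's Logical
# Representation rule over constructed extraction facts. The rule never binds
# ?X to the e-mail ?Z, so an AUTHOR(?Z, ?X) predicate is assumed here.
# All entity names, e-mails and extracted facts are constructed sample data.

# Knowledge base of (predicate, subject, object) triples, as a semantic
# extractor would produce from organizational data and e-mail headers.
FACTS = {
    ("ISA", "alice", "junior_employee"), ("ISA", "bob", "senior_engineer"),
    ("ISA", "widget9", "Acme_product"),
    ("ISA", "mail1", "email"), ("AUTHOR", "mail1", "alice"),
    ("RCPT", "mail1", "vendor_contact"), ("LOC", "vendor_contact", "outside_network"),
    ("ISA", "mail2", "email"), ("AUTHOR", "mail2", "alice"),
    ("RCPT", "mail2", "carol"), ("LOC", "carol", "inside_network"),
    ("ISA", "mail3", "email"), ("AUTHOR", "mail3", "bob"),
    ("RCPT", "mail3", "vendor_contact"),
}
# CONT(?Z, ...): triples extracted from each e-mail body.
CONTENT = {
    "mail1": {("ASSOC", "widget9", "length"), ("MEAS", "length", "12cm")},
    "mail2": {("ASSOC", "widget9", "length"), ("MEAS", "length", "12cm")},
    "mail3": {("ASSOC", "widget9", "weight"), ("MEAS", "weight", "3kg")},
}


def objects(pred, subj):
    """All ?O with pred(subj, ?O) in the knowledge base."""
    return {o for (p, s, o) in FACTS if p == pred and s == subj}


def describes_product_spec(mail):
    """CONT(?Z, 'ASSOC(?Y, ?A) & MEAS(?A, ?B)') with ISA(?Y, Acme_product)."""
    body = CONTENT.get(mail, set())
    for (p, y, a) in body:
        if p == "ASSOC" and "Acme_product" in objects("ISA", y):
            if any(q == "MEAS" and s == a for (q, s, _) in body):
                return True
    return False


def nonreleasable(mail):
    """CHRC(?Z, nonreleasable) holds only when every antecedent is satisfied."""
    if "email" not in objects("ISA", mail):
        return False
    junior = any("junior_employee" in objects("ISA", x) for x in objects("AUTHOR", mail))
    outside = any("outside_network" in objects("LOC", p) for p in objects("RCPT", mail))
    return junior and outside and describes_product_spec(mail)


def flagged_mails():
    return sorted(m for m in CONTENT if nonreleasable(m))
```

Only mail1 satisfies every antecedent: mail2 goes to an inside recipient and mail3 is authored by a senior engineer, even though both also describe a product specification.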

Page 10: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Theoretical Basis

Modeling Expected Behavior

Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to create a Role-based Social-Semantic Model of Expected Insider Behavior.

Analysis of roles and associated expected-behavior defined by organization policies, org charts, etc.

Social network analysis of discretionary insider behavior defined and modeled at the role level.

In addition to magnitude, frequency, and polarity, Social Network connections will be characterized by Semantics.

Analysis of negative behavior patterns such as real espionage case studies and manufactured insider threat scenarios.

[Figure: Expected Behavior Model built from Organizational Network Analysis, Social Network Analysis, Semantic Analysis and Case Studies.]

Page 11: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Theoretical Basis

Assessing Insider Threat Risk

Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to assess current risk of insider threats by comparing Expected Insider Behavior with Observed Behavior.

Methods of enforcing Role-based Access Control will be extended to monitor, rather than prevent, access policy violations.

Methods for comparing social networks will be applied to determine the differences between expected and actual communication patterns.

Methods of semantic boundary control and of determining the semantic distance between expected and actual communication semantics will be incorporated.

[Figure: Risk Assessor drawing on Semantic Boundary Methods, Role-based Access Monitoring Methods and Social Network Comparison Methods.]

Page 12: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Insider Threat Model

Primary Domains

Insider - authorized participant in the intelligence community.

Source - origination point for evidence of risk behavior. Includes specific types of communication, documents, and human observations.

Sensor - any element capable of observing and recording the activities of an insider.

Observable - a discrete instance of insider activity gathered from a single source.

Expected Behavior Model - encapsulation of expected patterns of acceptable and unacceptable insider activity.

Risk Assessor - encapsulates the CRS-based method for comparing observables against the expected behavior model to detect suspicious patterns of activity.

Risk Behavior Indicator - evidence of risk behavior discovered by the risk assessor, such as unauthorized information collection/transmittal or personal counterintelligence.

Insiders interact with sources. Sensors monitor sources and record interactions as observables. Observables are monitored by the Risk Assessor and compared against a Model of insider behavior to identify indicators of risk behavior.

[Figure: Insider Threat Model domains: Insider, Source, Sensor, Observable Behavior, Risk Assessor, Expected Behavior Model, Risk Behavior Indicator.]

Page 13: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Insider Threat Model Granularity

The Role-Based Social-Semantic Network Model encapsulates insider behavior at multiple levels of granularity:

Low Granularity - minimal information used to describe the behavior of insiders. An interaction between X and Y either exists or it does not.

- Used to describe which insiders interact with which sources.

Medium Granularity - information about aggregate communication habits between each pair of insiders is represented.

- Used to characterize interactions between insiders and sources.

- Characterization could include frequency, typical interaction vehicle, typical semantics, etc.

High Granularity - maximum available information about each interaction is represented.

- Used to represent actual behavior patterns.

- Interaction metadata could include time, semantics, interaction vehicle, etc.

[Figure: three network diagrams of the same insiders (nodes A through Z) at low, medium and high granularity; the high-granularity view carries per-interaction labels and dates (20 to 24 Sep 2003).]
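The three granularity levels derived from one interaction log, as an added example that is not code from the original slides or the project. The log records and their fields (time, vehicle, semantics) are constructed sample data; the aggregation rules (count, most common vehicle and topic per pair) are an assumed reading of the slide's "frequency, typical interaction vehicle, typical semantics".

```python
# Added example (not from the original slides): deriving the slide's three
# granularity levels from one constructed interaction log. High granularity
# keeps every record with its metadata; medium aggregates habits per pair;
# low keeps only whether a pair interacted at all.
from collections import Counter, defaultdict

# Constructed high-granularity observables: (insider, source, time, vehicle, semantics)
INTERACTIONS = [
    ("A", "B", "2003-09-20T09:10", "email", "narcotics"),
    ("A", "B", "2003-09-20T14:02", "email", "narcotics"),
    ("A", "B", "2003-09-21T10:30", "chat", "economics"),
    ("A", "D", "2003-09-21T11:00", "email", "narcotics"),
    ("D", "E", "2003-09-22T08:45", "phone", "cocaine_production"),
    ("D", "E", "2003-09-23T16:20", "phone", "cocaine_production"),
]


def high_granularity(records):
    """Every interaction with its full metadata, grouped by (insider, source)."""
    by_pair = defaultdict(list)
    for insider, source, when, vehicle, topic in records:
        by_pair[(insider, source)].append(
            {"time": when, "vehicle": vehicle, "semantics": topic})
    return dict(by_pair)


def medium_granularity(records):
    """Aggregate habits per pair: frequency, typical vehicle, typical semantics."""
    profile = {}
    for pair, events in high_granularity(records).items():
        profile[pair] = {
            "frequency": len(events),
            "vehicle": Counter(e["vehicle"] for e in events).most_common(1)[0][0],
            "semantics": Counter(e["semantics"] for e in events).most_common(1)[0][0],
        }
    return profile


def low_granularity(records):
    """Existence only: the set of (insider, source) pairs that interact."""
    return {(i, s) for i, s, *_ in records}
```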

Page 14: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats

Technology Transition Strategy

Phases: Concept Development, Proof of Concept, Product Development, Product Transition, Operational System.

Phase Transition / Milestone Reviews

- Concept of Operation
- Research Objectives
- Use Cases
- Operational Constraints
- Risk Mitigation
- Requirement Specifications
- System Architecture
- SW Product Engineering
- Transition Plan
- Operational Support
- Research & Publications

Page 15: A Context, Role and Semantic (CRS)-based Approach  for Countering Malicious Insider Threats


Issues / Concerns / Questions