UTCS Corporate Connection/FoCS-Sandy Dykes Ph.D./Southwest Research Institute: Applying Network-based Statistical Anomaly Detection to the Insider Threat Problem ACES 2.402 Tuesday October 28 2008 4:30 p.m.

Contact Name: 
Jenna Whitney
Oct 28, 2008 4:30pm - 6:30pm

Type of Talk: UTCS Corporate Connection FoCS

br>Speaker/Affiliation: Sandy Dykes Ph.D./Southwest Research Institute

Date/Time: Tuesday October 28 2008 4:30 p.m.

Location: ACE

S 2.402


Talk Title: Applying Network-based S

tatistical Anomaly
Detection to the Insider Threat Problem


The insider threat differs from most network security

lems in that user activities and network data may
appear legitimate. F

or example an authorized insider
with access to network resources can

collect potentially
sensitive data without triggering a rule-based intr

detection system. Database queries HTTP downloads
and file
retrievals performed by insiders typically comply
with protocol standa

rds and carry valid data payloads.
However a malicious insider may ex

hibit abnormal activity
patterns in comparison to a population of norma

l users. An
example of such abnormal pattern may be “sends more

than N database queries per day ” or “accesses more

n M rarely used resources.” The difficulty is that normal
for N and M depend upon various factors such as
assigned duties day

of the week and external events. Fixed
thresholds are too inflexible
resulting in high false alarm rates.
One alternative is to use statis

tical anomaly detection (AD)
methods which learn the thresholds by buil

ding models of
normality from observed data then detect deviation from

those models. This talk describes on-going research to
evaluate t

he potential of network-based statistical anomaly
detection for insider
threats. To be meaningful the evaluation
must provide a quantifiable
characterization of normal user
behavior and insider threat behavior.
The AD engine assumes
a Gaussian user population but our evaluation a

ddresses its
effectiveness for both Gaussian and non-Gaussian populatio

We have developed behavior models for normal users and for

iders that generate network activities according to various

n functions including Gaussian Pareto and lognormal.
The evaluation

will also measure error rates for various levels of
insider activities.
This is a work-in-progress talk and we invite
speculation and input f

rom the audience.

Speaker Bio:
Dr. Dykes has a Ph.D. in Computer

Science from the University
of Texas at San Antonio. Dr. Dykes area of
expertise is network
security and communication protocols with an emp

hasis in
large-scale networks Internet infrastructure and high-perfor

designs. Prior to joining Southwest Research Institute Dr. Dykes

was on the faculty of the University of Texas at San Antonio where
she taught courses in computer networks and programming
languages. She
is the author of numerous publications in leading
IEEE conferences and
journals has served on NSF review panels
for the Advanced Computation

al Research Program and the
Information Technology Research Program an

d frequently reviews
articles for journals and technical conferences on
and computer networks. In addition to her experience i

n networks
and communications Dr. Dykes has worked in the areas of par

computing and image processing. She developed parallel digital signal processing algorithms at Los Alamos National Laboratory
and p

arallel optimization algorithms and tools for the visualization
and perf

ormance evaluation of parallel programs. Dr. Dykes'' early
training wa

s in physical and theoretical chemistry. As an undergraduate
at the Uni

versity of Texas at Austin Dr. Dykes worked on single crystal
x-ray cr

ystallography. Her master’s thesis in chemistry developed
a quant

um mechanical model of high energy Rydberg states in dipolar