• Journal of Platform Technology
• /
• v.11 no.2
• /
• pp.15-25
• /
• 2023

This study analyzes the limitations of the insider threat datasets used for insider threat detection research and compares and analyzes the solution-based insider threat data with public insider threat data using a security solution to overcome this. Through this, we design a data format suitable for insider threat detection and implement a system that can safely share insider threat information between different institutions and companies using blockchain technology. Currently, there is no dataset collected based on actual events in the insider threat dataset that is revealed to researchers. Public datasets are virtual synthetic data randomly created for research, and when used as a learning model, there are many limitations in the real environment. In this study, to improve these limitations, a private blockchain was designed to secure information sharing between institutions of different affiliations, and a method was derived to increase reliability and maintain information integrity and consistency through agreement and verification among participants. The proposed method is expected to collect data through an outflow threat collector and collect quality data sets that posed a threat, not synthetic data, through a blockchain-based sharing system, to solve the current outflow threat dataset problem and contribute to the insider threat detection model in the future.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.5
• /
• pp.1133-1151
• /
• 2019

Insider threats in the field of information security are so important that the research is continuing centering on the institutes attached to the Carnegie Mellon University. On the other hand, we do not have any separate research institutes. In particular, insider threat research on the defense IT environment directly connected with the survival of the country is not proceeding in depth. In addition, due to the specificity of the military, defense IT security has limited research as an academic discipline, and even the establishment of concepts has not been achieved properly. In addition, because of differences in the environment, the US standard can not be borrowed as it is. This paper analyzes the defense IT environment and defines an insider (threat) suitable for the Korea military environment. I'd like to suggest the type of insider threat and how to mitigate it.

• The Journal of the Korea institute of electronic communication sciences
• /
• v.3 no.4
• /
• pp.210-220
• /
• 2008

Insider threat is becoming a very serious issue in most organizations and management is responsible for security implementation. This study is to develop a personnel security management indicators in the areas of Personnel Assurance, Personnel Competence, and Security Environment and protection against insider threats. In this study, the information security management system and related papers are examined by reviewing the existing researches and cases. Proposed indicators are verified by pilot test, empirically analyzed to expose experts' perception and the validity, importance, and risk level of each indicators through a questionnaire. Result were encouraging, but additional study focused on personnel security management using factor analysis is needed in the future.

• Journal of Advanced Navigation Technology
• /
• v.27 no.1
• /
• pp.16-22
• /
• 2023

Terrorists have been attacking in the vulnerable points of aviation sector with the diverse methods of attacks. Recently, Vulnerability is increasing because the Modus Operandi of Terrorism is carried out by exploitation of people in the form of employee working in aviation sector whose role provides them with privileged access to secured locations, secured items or security sensitive information. Furthermore, cases of insider threat are rising across the world with the phenomenon of personal radicalization through internet and social network service. The government of ROK must respond to insider threat could exploit to acts of unlawful interference and the security regulations should be established to prevent from insider threat in advance refer to the acts of unlawful interference carried out in foreign countries and the recommendations by USA, UK and ICAO.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.13 no.3
• /
• pp.1722-1737
• /
• 2019

We developed an insider threat detection model to be used by organizations that repeat tasks at regular intervals. The model identifies the best combination of different feature selection algorithms, unsupervised learning algorithms, and standard scores. We derive a model specifically optimized for the organization by evaluating each combination in terms of accuracy, AUC (Area Under the Curve), and TPR (True Positive Rate). In order to validate this model, a four-year log was applied to the system handling sensitive information from public institutions. In the research target system, the user log was analyzed monthly based on the fact that the business process is processed at a cycle of one year, and the roles are determined for each person in charge. In order to classify the behavior of a user as abnormal, the standard scores of each organization were calculated and classified as abnormal when they exceeded certain thresholds. Using this method, we proposed an optimized model for the organization and verified it.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.267-277
• /
• 2022

Due to the increasing proportion of cloud and remote working environments, various information security incidents are occurring. Insider threats have emerged as a major issue, with cases in which corporate insiders attempting to leak confidential data by accessing it remotely. In response, insider threat detection approaches based on machine learning have been developed. However, existing machine learning methods used to detect insider threats do not take biases and variances into account, which leads to limited performance. In this paper, boosting-type ensemble learning algorithms are applied to verify the performance of malicious insider detection, conduct a close analysis, and even consider the imbalance in datasets to determine the final result. Through experiments, we show that using ensemble learning achieves similar or higher accuracy to other existing malicious insider detection approaches while considering bias-variance tradeoff. The experimental results show that ensemble learning using bagging and boosting methods reached an accuracy of over 98%, which improves malicious insider detection performance by 5.62% compared to the average accuracy of single learning models used.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.5
• /
• pp.59-67
• /
• 2010

In the paper, we proposed an IM-ACM(Insider Misuse-Access Control Model) for preventing illegal information leakage by insider who exploits his legal rights in the ubiquitous computing environment. The IM-ACM can monitor whether insider uses data rightly using misuse monitor add to CA-TRBAC(Context Aware-Task Role Based Access Control) which permits access authorization according to user role, context role, task and entity's security attributes. It is difficult to prevent information leakage by insider because of access to legal rights, a wealth of knowledge about the system. The IM-ACM can prevent the information flow between objects which have the different security levels using context role and security attributes and prevent an insider misuse by misuse monitor which comparing an insider actual processing behavior to an insider possible work process pattern drawing on the current defined profile of insider's process.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.10
• /
• pp.5062-5079
• /
• 2017

Malicious insider threats have increased recently, and methods of the threats are diversifying every day. These insider threats are becoming a significant problem in corporations and governments today. From a technology standpoint, detecting potential insider threats is difficult in early stage because it is unpredictable. In order to prevent insider threats in early stage, it is necessary to collect all of insiders' data which flow in network systems, and then analyze whether the data are potential threat or not. However, analyzing all of data makes us spend too much time and cost. In addition, we need a large repository in order to collect and manage these data. To resolve this problem, we develop an indicator-based behavior ontology (IB2O) that allows us to understand and interpret insiders' data packets, and then to detect potential threats in early stage in network systems including social networks and company networks. To show feasibility of the behavior ontology, we developed a prototype platform called Insider Threat Detecting Extractor (ITDE) for detecting potential insider threats in early stage based on the behavior ontology. Finally, we showed how the behavior ontology would help detect potential inside threats in network system. We expect that the behavior ontology will be able to contribute to detecting malicious insider threats in early stage.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.16 no.6
• /
• pp.55-63
• /
• 2016

SOA(service oriented architecture) based ESB(enterprise service bus) model is widely adopted in many companies for the safe processing of enormous data and the integration of business system. The existing web service technologies for the construction of SOA, however, show unsatisfactory in practical applications though the standardization of web service security technologies is in progress due to their limitations in safe exchange of data. Internal end users using a large business system based on such environment are composed of the variety of organizations and roles. Companies might receive more serious damage from insider threat than that from external one when internal end users get unauthorized information beyond the limits of their authority for private profit and bad purposes. In this paper, we propose a security architecture capable of identifying and coping with the security threats of web service technologies arouse from internal end users.

• Korean Security Journal
• /
• no.53
• /
• pp.283-303
• /
• 2017

This study which was started to identify the factors that change the security level of military organizations, analyzed the data collected from articles written by the active officers in the Defense Daily Journal hoping to improve the military security level by the qualitative research method called Grounded Theory, and establish causal relationship how organizational members respond to insider security threats. As a result of the analysis, the causal condition is 'the security threat of the insider', the contextual condition is 'the specificity of the military organization', the central phenomenon is 'the conflict of values as a soldier', the arbitrary condition is 'the security consciousness', Strategy is 'the responds to security threats', and the result was 'security level change'. The core categories can be presented as 'the degree of conflict of values on insider security threats' and two hypotheses have been derived. First, the members of the military organization strongly felt the conflict of values about security threat as the tendency to emphasize security was strong, and they helped to develop the security level of organization by responding strongly. Second, the stronger the tendency to focus on colleagues, respond weakly to security threats. And it undermines the security level of the organization. Finally, in order to improve the security level of the organization, it is necessary to establish a solid security consciousness and to make institutional development to support it.