Insider threats to cybersecurity occur when an actor with authorized access to an organization’s network carries out malicious activities that may expose the organization’s critical information, leading to severe consequences such as financial loss, system crashes, and national security challenges.
“These threats are on the rise and according to a recent cyber security survey, 27 percent of cybercrime incidents involved insiders,” said Dawei Zhou, an assistant professor in the Department of Computer Science, director of the Virginia Tech Learning on Graphs (VLOG) Lab, and core faculty at the Sanghani Center for Artificial Intelligence and Data Analytics.
One of Zhou’s projects, “Combating Insider Threat: Identification, Monitoring, and Data Augmentation,” targets the challenging problem of how to combat insider threats. He recently received a 2023-2024 Cisco Faculty Research Award that will help support this research.
Zhou said his project uses multiple dynamic and heterogeneous data sources that include internal system logs, employee networks, and email exchange networks.
“Distinctly from other types of terror attacks, insider threats exhibit several unique challenges like rarity, non-separability, label scarcity, dynamicity, and heterogeneity, making it extremely difficult to catch them in time for a successful counter-attack,” said Zhou.
He explains each of these challenges as follows:
- Rarity means that the absolute number of such insiders is extremely small, especially compared with the total number of employees in a large organization or company.
- Non-separability means that insiders are very good at camouflaging themselves so that they are indistinguishable from normal users and are thus able to bypass the detection system.
- Label scarcity means that the process of annotating insiders is labor-intensive and time-consuming.
- Dynamicity refers to the time-evolving nature of the raw input data sources as well as of the behaviors of insiders.
- Heterogeneity refers to data coming from various sources and in various formats.
“Although different insiders are often conscious and good at camouflaging themselves, they might share some common traits if examined under the proper lens,” he said.
With this in mind, the project will try to combat insider threat via an interactive learning mechanism, building new theories and algorithms for the following learning tasks:
- Insider Identification: characterize the descriptive and essential properties of insiders and detect groups of insiders, such as traitors, masqueraders, and unintentional perpetrators, that share common traits.
- Insider Monitoring: track the evolution of insider behaviors over time and provide a visual system for analysis, annotation, and diagnosis.
- Data Augmentation: sanitize input data by completing missing data and cleaning noisy data, and generate synthetic insiders to alleviate the label scarcity issue.
Computer science Ph.D. students Shuaicheng Zhang and Haohui Wang, who are advised by Zhou, will be working with him on the project. A third student, Weije Guan, will be joining the team in the Fall semester.
“We hope that the innovative approach we are taking will result in a better understanding of how to counterattack these threats and ultimately decrease the number of cybercrimes,” Zhou said.