
A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats



  1. A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats Information Assurance for the Intelligence Community

  2. A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats
     • To develop an insider threat model for detecting malicious insider behavior based on the context of the user's task, their role within the organization and the semantic content of communications and documents associated with the user.
     • To develop a prototype software implementation of the CRS-based insider threat model and demonstrate that this model can reliably detect risks associated with malicious insider behavior.
     • Novel method for monitoring and assessing risk of individuals' behavior patterns within an organization by combining context-based socio-technical and role-based information security theory with natural-language-processing (NLP) techniques.
     • Multi-perspective method for modeling intelligence community workflows combines role-based models of organizational networks and context-based models of social networks.
     • Fine-grained analysis of text-based cyber observables through NLP-based semantic extractions.
     Milestones (month):
     • Concept of Operations: 2
     • Strawman Scenario: 3
     • Model Schema: 3
     • M/S Environment: 4
     • Evaluation Criteria: 5
     • Threat Scenario (draft): 6
     • Org. Network Model: 8
     • Social Network Model: 8
     • Semantic Analysis: 8
     • Integrated CRS Model: 10
     • Scenario Refinement: 12
     • Prototype Development: 15
     • Test & Evaluation: 18
     • Demonstration: 18
     • Final Report: 18
     Principal Investigator: Robert DelZoppo, Syracuse Research Corporation, delzoppo@syrres.com

  3. Primary Tasks

  4. Technical Rationale: Background
     Intelligence analysts operate within a mission-based context, focused mainly on specific topics of interest (TOIs) and geo-political areas of interest (AOIs). The role the analyst participates in dictates:
     • Mission
     • Intelligence work products produced
     • Required intelligence resources and products
     • AOI and TOI
     • Organizational relationships and communication patterns
     [Figure: role/mission diagram. Actor "Mallory" fulfills roles C1 and PA1; PA1 assigns tasks; Mission: Analysis & Production; Work Products: Type Report-A, Timeframe 30 days; Info Systems: X1 (R,W), X2 (R). Roles C1, C2, C3, PA3, PA7 and PA8 have roles in Groups G1 (AOI: Country X, Topic: Narcotics), G3 (AOI: Country X, Topic: Economics), G7 (AOI: Country Y, Topic: Narcotics) and G8 (AOI: Worldwide, Topic: Cocaine Production); roles produce info for and collaborate with one another.]

  5. Technical Rationale: Background
     Modeling the insider therefore requires the following be considered:
     • Context – the task or mission the insider operates in.
     • Role – the insider's assigned job functions within that context.
     • Semantics – the content of the information accessed by the insider.
     [Figure: the same role/mission diagram as slide 4.]

  6. Technical Rationale: Approach
     Combine socio-technical, information security and natural language processing approaches within a relevant intelligence community scenario:
     • Context – apply and extend existing social/shadow network approaches to modeling and monitoring discretionary communication patterns.
     • Role – extend role-based access control approaches to support strong, scalable, and efficient access monitoring mechanisms.
     • Semantics – apply NLP knowledge extraction techniques to analyze document and communication semantics.

  7. Theoretical Basis: Context - Applying Social Network Analysis to the Insider Threat Problem
     Background
     • Analyze communication between individuals, teams, groups and communities for social structures and relational aspects.
     • Resulting Social Networks represent magnitude, frequency, and polarity of communication patterns.
     • Social Networks identify and characterize informal or undocumented organizational structures.
     • Social Network Analysis can discover and contrast legitimate network structures and shadow network structures of the organization.
     Approach
     • Analyze insider communication data to identify and characterize Expected Insider Behavior.
     • Apply Social Network Analysis techniques to contrast Observed Insider Behavior against Expected.
     Insider Adjacency Matrix (communication weights between insiders A to E):
         A  B  C  D  E
     A   -  2  1  4  2
     B   2  -  0  0  0
     C   1  0  -  0  0
     D   4  0  0  -  3
     E   2  0  0  3  -
     [Figure: Insider Social Network graph, nodes A to R with weighted edges.]

  8. Theoretical Basis: Role - Applying RBAM to the Insider Threat Problem
     Background
     • Role-based Access Monitoring (RBAM) is based on Role-based Access Control (RBAC) models.
     • Job responsibilities for a given role in an organization are stable. Individual users' job functions are not.
     • In RBAC, permissions are associated with roles. Users are assigned appropriate roles.
     • RBAC provides efficient access control by modeling control at the role level.
     • Reduces complexity, cost, and potential errors in the security system.
     Approach
     • RBAC to RBAM.
     • Communication data for social network and semantic analysis is captured at the individual insider level but abstracted to the role level in the Expected Behavior Model.
     • An individual insider's Observed Activity Patterns (Social/Semantic) are compared against the Expected Behavior of the insider's current role.
     [Figure: Role-based Access Control: Users, via User-Role Assignment (URA), map to Roles, which via Permission-Role Assignment (PRA) map to Permissions. Role-based Access Monitoring of Insider Threats: Insiders are assigned Roles, and each Role has an associated Expected Behavior.]

  9. Theoretical Basis: Semantics - Applying Semantic Analysis to the Insider Threat Problem
     "Junior employees of the Acme Corporation must not describe specifications of company products in outgoing e-mails."
     Semantic Representation:
     <Junior_employee (new_hire; level_1_to_6)|Person> of|PREP the|ART <Acme_Corporation|Company> must|MOD not|MOD <describe (tell; explain; discuss)> <specification (size)> of|PREP <company_product|ProdName> in|PREP <outgoing_email (message; posting)>.
     Logical Representation:
     If ISA (?X, junior_employee) and ISA (?Y, Acme_product) and ISA (?Z, email) and RCPT (?Z, ?P) and LOC (?P, outside_network) and CONT (?Z, 'ASSOC (?Y, ?A) & MEAS (?A, ?B)'), then CHRC (?Z, nonreleasable).
     Background
     • Based on proven Natural Language Processing (NLP) technology that applies linguistic analysis to achieve human-like processing of natural language texts.
     • Approximates morphological, lexical, syntactic, semantic, discourse, and pragmatic levels of human language processing.
     • Applies algorithms which interpret the meaning conveyed implicitly and explicitly in parts of words, phrases, syntax, multiple meanings of single words, flow and intent of spans of text, and references to real world entities.
     • Combines domain-specific knowledge, linguistic analysis techniques and training data.
     Approach
     • Apply semantic analysis to text-based cyber observables including documents, communication texts, and database queries.
     • Extract useful semantic evidence including Topic of Interest (TOI) and geo-political area of interest (AOI).
     • Apply Semantic Analysis techniques to assess semantic distance between text-based cyber observables and Expected Insider Behavior in terms of TOI & AOI.
     [Figure: Semantic Analysis of Insider Threat Observables. Data accessed/produced by the insider (documents, communication texts, database queries) passes through Semantic Analysis, yielding example extractions TOI: Narcotics; AOI: Country X, Y.]

  10. Theoretical Basis: Modeling Expected Behavior
      Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to create a Role-based Social-Semantic Model of Expected Insider Behavior.
      • Analysis of roles and associated expected behavior defined by organization policies, org charts, etc.
      • Social network analysis of discretionary insider behavior defined and modeled at the role level.
      • In addition to magnitude, frequency, and polarity, Social Network connections will be characterized by Semantics.
      • Analysis of negative behavior patterns such as real espionage case studies and manufactured insider threat scenarios.
      [Figure: Organizational Network Analysis, Social Network Analysis, Semantic Analysis and Case Studies feed the Expected Behavior Model.]

  11. Theoretical Basis: Assessing Insider Threat Risk
      Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to assess the current risk of insider threats by comparing Expected Insider Behavior with Observed Behavior.
      • Methods of enforcing Role-based Access Control will be extended to monitor, rather than prevent, access policy violations.
      • Methods for comparing social networks will be applied to determine the difference between expected and actual communication patterns.
      • Methods of semantic boundary control and of determining semantic distance between expected and actual communication semantics will be incorporated.
      [Figure: Social Network Comparison Methods, Role-based Access Monitoring Methods and Semantic Boundary Methods feed the Risk Assessor.]

  12. Insider Threat Model: Primary Domains
      Insiders interact with sources. Sensors monitor sources and record interactions as observables. Observables are monitored by the Risk Assessor and compared against a model of insider behavior to identify indicators of risk behavior.
      • Insider - authorized participant in the intelligence community.
      • Source - origination point for evidence of risk behavior. Includes specific types of communication, documents, and human observations.
      • Sensor - any element capable of observing and recording the activities of an insider.
      • Observable - a discrete instance of insider activity gathered from a single source.
      • Expected Behavior Model - encapsulation of expected patterns of acceptable and unacceptable insider activity.
      • Risk Assessor - encapsulates the CRS-based method for comparing observables against the expected behavior model to detect suspicious patterns of activity.
      • Risk Behavior Indicator - evidence of risk behavior discovered by the risk assessor, such as unauthorized information collection/transmittal, or personal counterintelligence.
      [Figure: Insider, Source, Sensor, Observable Behavior, Risk Assessor (with the Expected Behavior Model) and Risk Behavior Indicator, connected in that order.]

  13. CRS-based Approach for Countering Malicious Insider Threats: Insider Threat Model Granularity
      The Role-Based Social-Semantic Network Model encapsulates insider behavior at multiple levels of granularity:
      • Low Granularity - Minimal information used to describe behavior of insiders. Interaction between X and Y either exists or it does not. Used to describe which insiders interact with which sources.
      • Medium Granularity - Information about aggregate communication habits between each pair of insiders is represented. Used to characterize interactions between insiders and sources. Characterization could include frequency, typical interaction vehicle, typical semantics, etc.
      • High Granularity - Maximum available information about each interaction is represented. Used to represent actual behavior patterns. Interaction metadata could include time, semantics, interaction vehicle, etc.
      [Figure: three network views of insiders A to Z at increasing granularity; the high-granularity view is sliced by day (20 to 24 Sep 2003) with per-interaction metadata on each edge.]
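As an added illustration of the Risk Assessor described on slides 11 to 13 (example code written for this transcript, not part of the project or its prototype): a medium-granularity comparison of one insider's observables against the expected behavior of a role, using a normalised difference of role-level communication counts for the social component and Jaccard distance over TOI/AOI sets for the semantic component. The role PA1, the partner roles, the counts and the observables are constructed assumptions loosely following the role diagram on slide 4.

```python
from collections import Counter

# Constructed role-level Expected Behavior Model (an assumption, not the project's
# own schema): for each role, the expected per-period message counts to partner
# roles and the TOI/AOI the role works on (cf. Group G1: Country X / Narcotics).
EXPECTED = {
    "PA1": {"partners": {"C1": 4, "C2": 2, "PA3": 1},
            "toi": {"Narcotics"}, "aoi": {"Country X"}},
}

def social_distance(expected, observed):
    """Normalised L1 distance between expected and observed partner-role counts."""
    roles = set(expected) | set(observed)
    diff = sum(abs(expected.get(r, 0) - observed.get(r, 0)) for r in roles)
    total = sum(expected.values()) + sum(observed.values())
    return diff / total if total else 0.0

def semantic_distance(expected_terms, observed_terms):
    """Jaccard distance between expected and observed TOI (or AOI) sets."""
    union = expected_terms | observed_terms
    return 1 - len(expected_terms & observed_terms) / len(union) if union else 0.0

def assess(role, observables):
    """Compare one insider's medium-granularity observables (aggregated by the
    partner's role, as RBAM prescribes) against the role's expected behavior.
    Returns the component distances, an averaged risk score and plain-text
    risk behavior indicators."""
    model = EXPECTED[role]
    partners = Counter(o["to_role"] for o in observables)
    toi = {o["toi"] for o in observables}
    aoi = {o["aoi"] for o in observables}
    s = social_distance(model["partners"], partners)
    t = semantic_distance(model["toi"], toi)
    a = semantic_distance(model["aoi"], aoi)
    indicators = [f"communication with role {r} not expected for {role}"
                  for r in partners if r not in model["partners"]]
    indicators += [f"TOI {x} outside role scope" for x in toi - model["toi"]]
    indicators += [f"AOI {x} outside role scope" for x in aoi - model["aoi"]]
    return {"social": s, "toi": t, "aoi": a,
            "risk": (s + t + a) / 3, "indicators": indicators}

def baseline_observables():
    """Constructed observables that match the PA1 role's expected behavior."""
    def msg(to_role):
        return {"to_role": to_role, "toi": "Narcotics", "aoi": "Country X"}
    return [msg("C1")] * 4 + [msg("C2")] * 2 + [msg("PA3")]

def deviating_observables():
    """Baseline plus three messages to PA7 (Group G7: Country Y / Narcotics)."""
    extra = {"to_role": "PA7", "toi": "Narcotics", "aoi": "Country Y"}
    return baseline_observables() + [extra] * 3
```

The baseline scores zero on every component; the deviating set raises the social distance and flags Country Y, while the TOI distance stays zero because the topic alone is within role scope.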

  14. Technology Transition Strategy
      [Figure: phased roadmap with Concept Development, Product Development and Product Transition phases, separated by Phase Transition / Milestone Reviews. Labels include Research Objectives, Concept of Operation, Proof of Concept, Research & Publications, Requirement Specifications, System Architecture, Use Cases, SW Product Engineering, Risk Mitigation, Transition Plan, Operational Support, Operational Constraints and Operational System.]

  15. Issues / Concerns / Questions
