D 2020

Towards Process Mining Utilization in Insider Threat Detection from Audit Logs

MACÁK, Martin, Ivan VANÁT, Michal MERJAVÝ, Tomáš JEVOČIN, Barbora BÜHNOVÁ et al.

Basic information

Original name

Towards Process Mining Utilization in Insider Threat Detection from Audit Logs

Authors

MACÁK, Martin (703 Slovakia, belonging to the institution), Ivan VANÁT (703 Slovakia, belonging to the institution), Michal MERJAVÝ (703 Slovakia, belonging to the institution), Tomáš JEVOČIN (703 Slovakia, belonging to the institution) and Barbora BÜHNOVÁ (203 Czech Republic, belonging to the institution)

Edition

New York, 2020 Seventh International Conference on Social Networks Analysis, Management and Security (SNAMS), p. 250-255, 6 pp. 2020

Publisher

IEEE

Other information

Language

English

Type of outcome

Paper in conference proceedings

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

United States of America

Confidentiality degree

not subject to state or trade secrecy

Publication form

electronic version available online

RIV identification code

RIV/00216224:14610/20:00117080

Organization unit

Institute of Computer Science

ISBN

978-0-7381-1180-3

UT WoS

000815064600037

Keywords in English

process mining; insider threat; audit log

Tags

International impact, Reviewed
Changed: 30/3/2023 16:09, Mgr. Alena Mokrá

Abstract

In the original

Nowadays, insider threats are one of the most significant cybersecurity threats. They are much more difficult to detect than external threats since insiders are authorized employees with legitimate access to the organization's resources. A malicious insider knows the organization and can act inconspicuously. Furthermore, threats do not even have to be intentional. Therefore, there can be a complicated background to malicious insider behavior, making it challenging to react adequately to these threats. In this paper, we propose to utilize process mining for insider threat detection using the organization's audit logs. We present three different types of process mining utilization for insider threat detection from audit logs and discuss their usefulness, namely visual analysis, conformance checking, and declarative conformance checking. Lastly, we give recommendations for future work in this area based on our experience.

Links

EF16_013/0001802, research and development project
Name: CERIT Scientific Cloud
MUNI/A/1411/2019, MU internal code
Name: Applied research: software architectures of critical infrastructures, computer systems security, natural language processing and language engineering, big data visualization and augmented reality.
Investor: Masaryk University, Category A