An Ontology for Insider Threat Indicators

November 2014 Conference Paper
Daniel L. Costa, Matthew L. Collins, Samuel J. Perl, Michael J. Albrethsen, George Silowash, Derrick Spooner

In this paper, the authors describe their ongoing development of an insider threat indicator ontology.

Publisher:

Software Engineering Institute

Abstract

In this conference paper, which received the Michael Dean Best Paper Award at the STIDS (Semantic Technology for Intelligence, Defense, and Security) Conference, the authors describe their ongoing development of an insider threat indicator ontology. The ontology is intended to serve as a standardized expression method for potential indicators of malicious insider activity, as well as a formalization of much of the authors' research on insider threat detection, prevention, and mitigation. This ontology bridges the gap between natural language descriptions of malicious insiders, malicious insider activity, and the machine-generated data that analysts and investigators use to detect behavioral and technical observables of insider activity. The ontology provides a mechanism for sharing and testing indicators of insider threat across multiple participants without compromising organization-sensitive data, thereby enhancing the data fusion and information sharing capabilities of the insider threat detection domain.