
Deep Focus: Increasing User “Depth of Field” to Improve Threat Detection

October 2014 Poster
William R. Claycomb, Roy Maxion (Carnegie Mellon CyLab)

This poster illustrates a CERT Threat Detection Project, including the problem, goals, approach, and data collection methods.

Abstract

The need to detect malicious behavior and unauthorized information disclosure on sensitive systems is of paramount importance to the U.S. Government. As a recognized leader in insider threat research, CERT is leading the way in finding answers to improve detection capabilities and prevent future leaks. We believe the next step in the insider threat research roadmap is developing a fundamental understanding of individual users.

We propose the development of new analysis techniques that focus on data representing ordinary user behaviors, behaviors that users are unlikely to realize are being monitored. By understanding the unique way each user interacts with IT systems, we can detect account misuse (masquerading) as well as significant deviations from normal behavior that, when combined with signature- or anomaly-based threat detection data, strongly indicate malicious behavior rather than a benign anomaly.