Applying Unsupervised Context-Based Analysis for Detecting Unauthorized Data Disclosure

Ma'ayan Gafny, Asaf Shabtai, Lior Rokach, Yuval Elovici

A One-Class Clustering Tree for One-to-Many Data Linkage, 96, 2011

In this paper we propose a new unsupervised approach for identifying unauthorized disclosure of sensitive data by insiders. We assume that users interact with a system through an application and submit requests in order to access data stored in a database. In the proposed method, suspicious access to sensitive data is detected by analyzing the result-sets sent to the user in response to a request. Result-sets are analyzed within the instantaneous context in which the request was submitted. From the analysis of the result-set and its context, we derive an anomaly level. The proposed method profiles normal behavior using a one-class decision tree detection model. The detection model encapsulates a set of rules that represent legitimate user behavior (i.e., the characteristics of the result-sets that the user normally retrieves) for each possible context. During the detection phase, upon the arrival of a new …
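To make the abstract's idea concrete, the following is an added illustration (not code from the paper or its authors) of a context-based one-class profile over result-set characteristics. The context fields (role, hour bucket, application action), the result-set features (row count, number of sensitive columns, distinct customers), the band-based rule model and the anomaly-level formula are all assumptions chosen for illustration; the paper's actual feature set and its one-class decision tree induction are not shown on this page. The sample history is constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Assumed context and result-set features; the paper's real feature set is not on the page.
@dataclass(frozen=True)
class Retrieval:
    role: str                # requesting user's role
    hour_bucket: str         # "office" or "after_hours"
    action: str              # application action that produced the request
    rows: int                # rows in the returned result-set
    sensitive_cols: int      # sensitive columns present in the result-set
    distinct_customers: int  # distinct customer records exposed

FEATURES = ("rows", "sensitive_cols", "distinct_customers")
Context = Tuple[str, str, str]
Profile = Dict[Context, Dict[str, Tuple[float, float]]]

def context_key(r: Retrieval) -> Context:
    return (r.role, r.hour_bucket, r.action)

def build_profile(history: List[Retrieval], k: float = 3.0, min_std: float = 1.0) -> Profile:
    """One-class profile: for each context and feature, a tolerated band mean +/- k*std
    learned only from legitimate retrievals (no labelled anomalies are needed)."""
    grouped: Dict[Context, List[Retrieval]] = {}
    for r in history:
        grouped.setdefault(context_key(r), []).append(r)
    profile: Profile = {}
    for ctx, rs in grouped.items():
        bands: Dict[str, Tuple[float, float]] = {}
        for f in FEATURES:
            vals = [getattr(r, f) for r in rs]
            m, s = mean(vals), max(pstdev(vals), min_std)  # floor std so constant features get a band
            bands[f] = (m - k * s, m + k * s)
        profile[ctx] = bands
    return profile

def anomaly_level(profile: Profile, r: Retrieval) -> float:
    """Fraction of result-set features outside the learned band for this context.
    A context never seen during profiling is treated as fully anomalous (1.0)."""
    bands = profile.get(context_key(r))
    if bands is None:
        return 1.0
    out_of_band = sum(1 for f in FEATURES if not (bands[f][0] <= getattr(r, f) <= bands[f][1]))
    return out_of_band / len(FEATURES)

def flag_suspicious(profile: Profile, retrievals: List[Retrieval], threshold: float = 0.5) -> List[bool]:
    """Detection phase: mark retrievals whose anomaly level reaches the threshold."""
    return [anomaly_level(profile, r) >= threshold for r in retrievals]

# Constructed "normal" history: a clerk looking up single customers during office hours.
HISTORY = [
    Retrieval("clerk", "office", "lookup_customer", rows, 2, 1)
    for rows in (1, 2, 1, 3, 2, 1)
]

# Constructed retrievals to score in the detection phase.
NORMAL_LOOKUP = Retrieval("clerk", "office", "lookup_customer", 1, 2, 1)
BULK_EXPORT = Retrieval("clerk", "office", "lookup_customer", 5000, 2, 5000)
AFTER_HOURS = Retrieval("clerk", "after_hours", "lookup_customer", 1, 2, 1)

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for r in (NORMAL_LOOKUP, BULK_EXPORT, AFTER_HOURS):
        print(context_key(r), r.rows, "rows ->", round(anomaly_level(profile, r), 3))
```

The bulk export in a familiar context is caught because two of the three result-set features leave the learned band, while the identical single-row lookup after hours scores as fully anomalous purely on context; both behaviours match the abstract's point that the same data request can be legitimate or suspicious depending on the context in which it was submitted.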