Detecting data misuse by applying context-based data linkage

Ma'ayan Gafny, Asaf Shabtai, Lior Rokach, Yuval Elovici

Proceedings of the 2010 ACM workshop on Insider threats, 3-12, 2010

Detecting data leakage/misuse poses a great challenge for organizations. Whether caused by malicious intent or an inadvertent mistake, data leakage/misuse can diminish a company’s brand, reduce shareholder value, and damage the company’s goodwill and reputation. This challenge is intensified when trying to detect and/or prevent data leakage/misuse performed by an insider with legitimate permissions to access the organization’s systems and its critical data. In this paper we propose a new approach for identifying suspicious insiders who can access data stored in a database via an application. In the proposed method suspicious access to sensitive data is detected by analyzing the result-sets sent to the user following a request that the user submitted. Result-sets are analyzed within the instantaneous context in which the request was submitted. From the analysis of the result-set and the context we derive a …
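The abstract describes judging a result-set against the context of the request that produced it, rather than judging the query text alone. The following is an added illustration of that idea, written for this page; it is not the paper's algorithm (the abstract is cut off before the method is described) and every role profile, threshold and data row in it is constructed. It assumes an application-layer hook that can see, for each request, the submitting user's context and the rows handed back to them, and it scores the result-set on how far those rows fall outside the departments, volume, columns and working hours tied to that context.

```python
"""Added example: context-based scoring of result-sets returned to a user.

Not the paper's method. The role profiles, weights and sample rows are
constructed for illustration; a real deployment would learn baselines from
application logs rather than hard-code them.
"""
from dataclasses import dataclass
from datetime import time


@dataclass
class RequestContext:
    """The instantaneous context in which a request was submitted."""
    user: str
    role: str
    department: str
    request_time: time   # time of day of the request
    client_host: str


@dataclass
class RoleProfile:
    """Assumed expectations for a role (constructed baseline)."""
    departments: set     # departments whose records the role normally touches
    max_rows: int        # typical upper bound on rows per request
    work_start: time
    work_end: time
    allowed_fields: set  # columns the role's screens normally display


# Constructed baselines, e.g. for a hospital information system.
PROFILES = {
    "nurse": RoleProfile({"cardiology"}, 20, time(7, 0), time(19, 0),
                         {"patient_id", "name", "department", "ward"}),
    "billing": RoleProfile({"cardiology", "oncology"}, 200, time(8, 0), time(18, 0),
                           {"patient_id", "name", "department", "insurance_id"}),
}


def score_result_set(ctx, rows, profiles=PROFILES):
    """Link each returned row to the request context and score the mismatch.

    rows: list of dicts (column -> value) as returned to the user.
    Returns (score, reasons); higher score means the result-set fits the
    context worse. Weights are illustrative assumptions.
    """
    profile = profiles[ctx.role]
    reasons = []
    score = 0.0
    if not rows:
        return 0.0, reasons

    # 1. Linkage: share of rows whose department is foreign to the context.
    foreign = [r for r in rows if r.get("department") not in profile.departments]
    if foreign:
        frac = len(foreign) / len(rows)
        score += frac
        reasons.append(f"{len(foreign)}/{len(rows)} rows outside "
                       f"{sorted(profile.departments)}")

    # 2. Volume: how far the row count exceeds the role's usual scope.
    if len(rows) > profile.max_rows:
        score += min(1.0, len(rows) / profile.max_rows - 1)
        reasons.append(f"{len(rows)} rows exceeds role limit {profile.max_rows}")

    # 3. Columns the role's application screens do not normally show.
    extra = set().union(*(r.keys() for r in rows)) - profile.allowed_fields
    if extra:
        score += 0.5
        reasons.append(f"unexpected columns {sorted(extra)}")

    # 4. Time context: request outside the role's working hours.
    if not (profile.work_start <= ctx.request_time <= profile.work_end):
        score += 0.5
        reasons.append(f"request at {ctx.request_time} outside working hours")

    return round(score, 3), reasons


def is_suspicious(ctx, rows, threshold=0.75):
    """Flag a result-set whose context mismatch score crosses the threshold."""
    score, _ = score_result_set(ctx, rows)
    return score >= threshold


def constructed_rows(n, department, fields):
    """Build n constructed rows for the given department with the given columns."""
    return [{f: (f"{f}-{i}" if f != "department" else department) for f in fields}
            for i in range(n)]


if __name__ == "__main__":
    ctx = RequestContext("u42", "nurse", "cardiology", time(23, 30), "ws-17")
    rows = (constructed_rows(20, "cardiology", {"patient_id", "name", "department", "ssn"})
            + constructed_rows(40, "oncology", {"patient_id", "name", "department", "ssn"}))
    print(score_result_set(ctx, rows))
```

The point of the sketch is that none of the four signals looks at the SQL text: a legitimate query from a permitted user can still produce a result-set that does not belong in the context of the request, and that is where the abstract locates the detection.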