Optimizing data misuse detection

Asaf Shabtai, Maya Bercovitch, Lior Rokach, Yuval Elovici

ACM Transactions on Knowledge Discovery from Data (TKDD) 8 (3), 1-23, 2014

Data misuse may be performed by entities such as an organization’s employees and business partners who are granted access to sensitive information and misuse their privileges. We assume that users can be either trusted or untrusted. The access of untrusted parties to data objects (e.g., client and patient records) should be monitored in an attempt to detect misuse. However, monitoring data objects is resource intensive and time-consuming and may also cause disturbance or inconvenience to the involved employees. Therefore, the monitored data objects should be carefully selected. In this article, we present two optimization problems carefully designed for selecting specific data objects for monitoring, such that the detection rate is maximized and the monitoring effort is minimized. In the first optimization problem, the goal is to select data objects for monitoring that are accessed by at most c trusted agents while …