A Process Mining Framework for
Insider Attack Detection
Martin Macák
Faculty of Informatics, Masaryk University, Brno
April 6th, 2023
Outline
1. Insider domain
2. Process mining domain
3. Process mining framework for insider attack detection
Classification of insiders
• Insider
• A person with legitimate access to an organization’s resources.
• Affiliate
• Do not have any justified and legitimate reason to enter the organization.
Reasons for insider attacks
• Malicious
1. Self-motivated – get a job promotion, avenge the injustice against them, …
2. Planted – steal intellectual property
3. Recruited – perform a malicious act for their benefit
The motivation can be financial, political, or personal.
• Unintentional
1. Underminers – life is easier when I don’t respect security policies
2. Overambitious – when I want to be more effective, I have to bypass security
3. Socially engineered – I was tricked by someone
4. Data leakers – ooopsie, I just leaked something
No motivation or intent to cause harm.
Defense solutions
• Mitigation and prevention
• Decoy-based solutions
• Detection and assessment
Research gaps in detection and assessment
• The insider behavior is often encoded into a mathematical
model that might not be accessible or is very abstract / complex.
• The proper response to a detected case is challenging.
• It is hard to detect previously not seen insider attacks.
Process Mining
Challenges of Process Mining in insider attack detection
• Criteria identification
• Data preparation
• Process analysis
Process Mining Framework for Insider Attack Detection
Criteria identification
1. Choose a process perspective
• Personal perspective
• Production perspective
• Manipulation perspective
2. Check for similarity between entities
3. Check for similarity between traces
4. Check trace structure
• Check start and end
• Check event ordering
Data preparation
1. Deal with multiple data sources
• Data combination
• Data granularity
2. Deal with abstraction complexity
• Data filtering
• Deal with numerical types
• Data mapping
Process analysis
1. Handle data volume
2. Choose a process representation
• Evaluate the features
• Evaluate the readability
• Compactness, Intuitiveness, Interactive view, Storytelling, Rapid workflow
Conclusion