A framework for understanding and predicting insider attacks

Cited by: 155
Authors
Schultz, EE [1]
Affiliation
[1] Univ Calif Berkeley Lab, Berkeley, CA USA
Keywords
insider; insider attacks; insider attack prediction; insider attack detection; insider threat; attack indicators
DOI
10.1016/S0167-4048(02)01009-X
Chinese Library Classification (CLC)
TP [Automation and computer technology]
Discipline code
0812
Abstract
In this paper an insider attack is considered to be deliberate misuse by those who are authorized to use computers and networks. Applying this definition in real-life settings to determine whether or not an attack was caused by an insider is often, however, anything but straightforward. We know very little about insider attacks, and misconceptions concerning insider attacks abound. The belief that "most attacks come from inside" is held by many information security professionals, for example, even though empirical statistics and firewall logs indicate otherwise. This paper presents a framework based on previous studies and models of insider behavior as well as first-hand experience in dealing with insider attacks. This framework defines relevant types of insider attack-related behaviors and symptoms ("indicators") that include deliberate markers, meaningful errors, preparatory behaviors, correlated usage patterns, verbal behavior and personality traits. From these sets of indicators, clues can be pieced together to predict and detect an attack. The presence of numerous small clues necessitates the use of quantitative methods; multiple regression equations appear to be a particularly promising approach for quantifying prediction.
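The abstract ends with the methodological point that many small clues have to be combined quantitatively, and names multiple regression as a promising way to do it. The following is an added illustration of what that looks like in practice; it is not code from the Schultz paper and not a published model. It assumes one numeric feature per indicator type named in the abstract (counts of observed deliberate markers, meaningful errors, preparatory behaviors, correlated usage patterns, verbal behavior and personality traits), fits an ordinary-least-squares regression by the normal equations, and uses the fitted equation to rank current users for review. The training rows, the user names and every function name are assumptions constructed for the example.

```python
"""
Combining insider-attack indicators into one risk score with multiple
linear regression (ordinary least squares, OLS).

Added illustration; not the paper's code and not a published model. The six
feature columns, the helper functions and the sample rows are assumptions.
"""

INDICATORS = [
    "deliberate_markers",
    "meaningful_errors",
    "preparatory_behaviors",
    "correlated_usage_patterns",
    "verbal_behavior",
    "personality_traits",
]

# Constructed training set (not real incident data): per-user counts of each
# indicator type over a review period, labelled 1 if the user was later
# confirmed as an insider attacker and 0 otherwise.
TRAINING = [
    ((0, 0, 0, 0, 0, 0), 0),
    ((0, 1, 0, 1, 0, 0), 0),
    ((0, 0, 1, 0, 0, 1), 0),
    ((1, 0, 0, 0, 1, 0), 0),
    ((0, 2, 0, 0, 0, 1), 0),
    ((0, 0, 0, 2, 1, 0), 0),
    ((2, 1, 3, 2, 1, 1), 1),
    ((1, 2, 2, 3, 2, 1), 1),
    ((3, 0, 2, 1, 2, 2), 1),
    ((1, 1, 1, 2, 3, 2), 1),
    ((2, 2, 1, 1, 0, 2), 1),
    ((0, 1, 3, 3, 1, 1), 1),
]


def solve(a, b):
    """Solve the square system a x = b by Gaussian elimination with partial
    pivoting. Raises ValueError if the system is singular, which for the
    normal equations means two indicator columns are collinear."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]  # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular system: collinear indicators")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):  # back substitution
        s = m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = s / m[i][i]
    return x


def fit_ols(rows):
    """Fit y = b0 + b1*x1 + ... + bk*xk by the normal equations
    (X^T X) b = X^T y and return the coefficients [b0, b1, ..., bk]."""
    X = [[1.0] + [float(v) for v in counts] for counts, _ in rows]
    y = [float(label) for _, label in rows]
    n, k = len(X), len(X[0])
    xtx = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(k)]
           for i in range(k)]
    xty = [sum(X[r][i] * y[r] for r in range(n)) for i in range(k)]
    return solve(xtx, xty)


def score(coefs, counts):
    """Predicted risk for one user: intercept plus weighted indicator counts."""
    return coefs[0] + sum(b * c for b, c in zip(coefs[1:], counts))


def residuals(coefs, rows):
    """Label minus prediction for each training row (sum to zero for OLS
    with an intercept, a quick sanity check on the solver)."""
    return [label - score(coefs, counts) for counts, label in rows]


def mean_score_by_label(coefs, rows):
    """Average predicted score for confirmed (1) and non-attacker (0) rows."""
    pos = [score(coefs, c) for c, y in rows if y == 1]
    neg = [score(coefs, c) for c, y in rows if y == 0]
    return sum(pos) / len(pos), sum(neg) / len(neg)


def rank_users(coefs, observed):
    """Order {user: counts} from highest to lowest predicted risk."""
    return sorted(observed, key=lambda u: score(coefs, observed[u]), reverse=True)


if __name__ == "__main__":
    coefs = fit_ols(TRAINING)
    for name, weight in zip(["intercept"] + INDICATORS, coefs):
        print(f"{name:28s} {weight:+.3f}")
    # Constructed current observations for three users (assumption).
    watch = {"alice": (0, 1, 0, 1, 0, 0), "bob": (2, 1, 2, 2, 1, 1),
             "carol": (1, 0, 1, 0, 0, 1)}
    print("review order:", rank_users(coefs, watch))
```

The output is a review ordering, not a verdict: the fitted weights are only as good as the labelled history behind them, and with the handful of confirmed incidents most organizations have, a six-term equation will overfit. The value of the approach, as the abstract frames it, is that it forces the many weak indicators to be weighed together on a common scale rather than acted on one at a time.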
Pages: 526-531
Page count: 6
Related papers
12 in total
[1] [Anonymous], 2001, Incident response: A strategic guide to handling system and network security breaches
[2] [Anonymous], 1992, FLAMING RELATIONSHIP
[3] Einwechter N., 2002, PREVENTING DETECTING
[4] GUDAITIS TM, 1999, CYBERPSYCHOL BEHAV, V1, P4
[5] MORAHANMARTIN J, 1998, IRISS C 25 27 MARCH
[6] Parker D., 1998, Fighting Computer Crime
[7] SHAW ED, 1998, SECURITY AWARENESS B, V2, P27
[8] SULER J, 1998, BAD BOYS CYBERSPACE
[9] TUGLULAR T, 1997, UNPUB FRAMEWORK CHAR
[10] WOOD BJ, 2002, INSIDER THREAT MODEL