• DocumentCode
    476916
  • Title
    Insider abuse comprehension through capability acquisition graphs
  • Author
    Mathew, Sunu ; Upadhyaya, Shambhu ; Ha, Duc ; Ngo, Hung Q.
  • Author_Institution
    Dept. of Comput. Sci. & Eng., State Univ. of New York at Buffalo, Buffalo, NY
  • fYear
    2008
  • fDate
    June 30 2008-July 3 2008
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Insider attacks constitute one of the most potent, yet most difficult to detect, threats to information security in the cyber-domain. Malicious actions perpetrated by privileged insiders usually circumvent intrusion detection systems (IDS) and other mechanisms designed to detect and prevent unauthorized activity. In this paper, we present an architectural framework and technique to aid in situation awareness of insider threats in a networked computing environment such as a corporate network. Individual actions by users are analyzed using a theoretical model called a Capability Acquisition Graph (CAG) to evaluate their cumulative effect and detect possible violations. Our approach is based on periodic evaluation of the privileges that users accumulate with respect to critical information assets during their workflow. A static analysis tool called Information-Centric Modeler and Auditor Program (ICMAP) is used to periodically construct CAGs, which are then analyzed to uncover possible attacks. The process is demonstrated by considering an information process cycle from the real world.
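    The following is an added illustration of the idea in the abstract (periodic evaluation of the capabilities a user accumulates, and whether their cumulative reach covers a critical asset); it is not the paper's CAG formalism or the ICMAP tool. The graph is encoded as AND-rules (holding every prerequisite lets an actor acquire the target capability), the capability names, roles, authorization policy and event log are all constructed for the example, and the audit checks each user's transitive reach at fixed intervals, which is one simple reading of "periodic evaluation".

```python
"""Toy capability acquisition graph (CAG) audit.

Illustrative example only: the rule format, names, policy and events below
are assumptions made for this example, not the paper's formalism or tool.
"""
from collections import defaultdict

# Constructed CAG as AND-rules: holding every capability in `prereqs`
# lets an actor acquire `gained`. No single rule reaches a critical asset
# from an ordinary starting point; only accumulated capabilities do.
CAG_RULES = [
    ({"login:workstation", "read:share-eng"}, "cred:build-svc"),  # password in a build script
    ({"cred:build-svc", "vpn:access"}, "shell:build-server"),
    ({"shell:build-server"}, "read:release-keys"),                 # critical asset
    ({"admin:helpdesk"}, "reset:user-password"),
    ({"reset:user-password", "knows:finance-username"}, "login:finance-app"),
    ({"login:finance-app"}, "read:payroll-db"),                    # critical asset
]
CRITICAL_ASSETS = {"read:release-keys", "read:payroll-db"}

# Assumed authorization policy: critical assets each role may legitimately reach.
ROLE_OF = {"alice": "dev", "bob": "release-eng", "carol": "helpdesk"}
AUTHORIZED = {"dev": set(), "release-eng": {"read:release-keys"},
              "helpdesk": set(), "payroll": {"read:payroll-db"}}

# Constructed event log: (hour, user, capability gained by an action that
# looks normal for that user's job when viewed on its own).
EVENTS = [
    (1, "alice", "login:workstation"),
    (2, "bob", "login:workstation"),
    (2, "bob", "read:share-eng"),
    (3, "alice", "read:share-eng"),
    (5, "bob", "vpn:access"),
    (10, "carol", "admin:helpdesk"),
    (30, "alice", "vpn:access"),
    (40, "carol", "knows:finance-username"),
]


def reach(rules, held):
    """Fixpoint closure: every capability obtainable from the held set."""
    reach_set = set(held)
    changed = True
    while changed:
        changed = False
        for prereqs, gained in rules:
            if gained not in reach_set and prereqs <= reach_set:
                reach_set.add(gained)
                changed = True
    return reach_set


def held_by(events, upto):
    """Capabilities each user has accumulated from events at or before `upto`."""
    held = defaultdict(set)
    for t, user, cap in events:
        if t <= upto:
            held[user].add(cap)
    return held


def periodic_audit(rules, events, roles, authorized, critical, period, end):
    """Re-evaluate every `period` hours up to `end`; report (hour, user, asset)
    the first time a user's cumulative reach covers a critical asset that the
    user's role is not authorized for."""
    findings, reported = [], set()
    for check_t in range(period, end + 1, period):
        held = held_by(events, check_t)
        for user in sorted(held):
            allowed = authorized[roles[user]]
            exposed = (reach(rules, held[user]) & critical) - allowed
            for asset in sorted(exposed):
                if (user, asset) not in reported:
                    reported.add((user, asset))
                    findings.append((check_t, user, asset))
    return findings


if __name__ == "__main__":
    for hour, user, asset in periodic_audit(CAG_RULES, EVENTS, ROLE_OF,
                                            AUTHORIZED, CRITICAL_ASSETS, 24, 72):
        print(f"hour {hour:3d}: {user} can reach {asset} without authorization")
```

    At the first check (hour 24) nobody is flagged: alice holds a workstation login and share access but no VPN, and bob, who does reach the release keys, is authorized for them. By hour 48 alice has added VPN access and carol has learned a finance username, and each of those individually unremarkable steps completes a path to a critical asset, which is the cumulative effect the abstract describes.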
  • Keywords
    graph theory; security of data; abuse comprehension; capability acquisition graph; information security; information-centric modeler and auditor program; insider threats; intrusion detection systems; networked computing environment; static analysis tool; unauthorized activity; Capability Acquisition Graph; Insider threat; Situation awareness;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Fusion, 2008 11th International Conference on
  • Conference_Location
    Cologne
  • Print_ISBN
    978-3-8007-3092-6
  • Electronic_ISBN
    978-3-00-024883-2
  • Type
    conf
  • Filename
    4632279