Detecting Potential Insider Threats Through Email Datamining
Master's thesis, Aug 2004-Mar 2006
AIR FORCE INST OF TECH WRIGHT-PATTERSON AFB OH
Despite a technology bias that focuses on external electronic threats, insiders pose the greatest threat to commercial and government organizations. One means of preventing insider theft is to stop potential insiders from actually crossing the line. In the overwhelming majority of cases, people do not join an organization with the intention of stealing or causing harm. Instead, something, or often several things, happens while the individual is in the organization that precedes his malevolent actions. One of the traits identified with insiders is their feeling of alienation from the organization. By data mining emails, an employee's interests can be discerned. These interests are then used to construct social networks, which are used to identify individuals with interests shared but undiscussed with other members of the organization. These individuals with clandestine interests have the potential to be insider threats. This paper describes the use of Probabilistic Latent Semantic Indexing (PLSI) extended to include users (PLSI-U) and Author Topic extended to include documents to determine topics of interest for employees from their email activity. It then applies PLSI-U and Author Topic to the Enron email corpus. The results show that by comparing the topics of emails that people send internally with the ones sent externally, a small number of employees (0.03-1.0) emerge as having clandestine interests and the potential to become insider threats. Most significantly, one of these individuals is Sherron Watkins, the famous whistleblower in the Enron case.
- Information Science
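
The internal-versus-external topic comparison described in the abstract, as an added example that is not code from the thesis. It assumes each email already carries a topic label (standing in for the output of PLSI-U or Author Topic, which is not implemented here); the `example.com` domain, the thresholds and the sample messages are constructed for illustration.

```python
from collections import Counter, defaultdict

ORG_DOMAIN = "example.com"  # assumed organization mail domain

# Constructed sample: (sender, recipient, topic). The topic label stands in
# for the per-email topic a model such as PLSI-U would assign.
EMAILS = [
    ("alice@example.com", "bob@example.com", "trading"),
    ("alice@example.com", "bob@example.com", "trading"),
    ("alice@example.com", "peer@outside.test", "trading"),
    ("bob@example.com", "alice@example.com", "trading"),
    ("bob@example.com", "carol@example.com", "accounting"),
    ("carol@example.com", "bob@example.com", "trading"),
    ("carol@example.com", "friend@outside.test", "accounting"),
    ("carol@example.com", "friend@outside.test", "accounting"),
    ("carol@example.com", "advisor@outside.test", "accounting"),
    ("dave@example.com", "alice@example.com", "trading"),
    ("dave@example.com", "league@outside.test", "sports"),
    ("dave@example.com", "league@outside.test", "sports"),
]

def topic_profiles(emails, org_domain=ORG_DOMAIN):
    """Count each employee's topics separately for internal and external mail."""
    suffix = "@" + org_domain
    profiles = defaultdict(lambda: {"internal": Counter(), "external": Counter()})
    for sender, recipient, topic in emails:
        if not sender.lower().endswith(suffix):
            continue  # only the organization's own senders are profiled
        side = "internal" if recipient.lower().endswith(suffix) else "external"
        profiles[sender][side][topic] += 1
    return profiles

def clandestine_interests(profiles, min_external=2, min_share=0.25):
    """Flag topics a user raises externally, never internally, that a colleague shares."""
    findings = []
    for user, p in sorted(profiles.items()):
        total_ext = sum(p["external"].values())
        for topic, n in sorted(p["external"].items()):
            if n < min_external or n / total_ext < min_share:
                continue  # too little external mail to count as an interest
            if p["internal"][topic] > 0:
                continue  # the user does discuss this topic inside the organization
            # "Shared but undiscussed": some other employee shows the same interest.
            others = sorted(u for u, q in profiles.items()
                            if u != user and (q["internal"][topic] or q["external"][topic]))
            if others:
                findings.append((user, topic, others))
    return findings

if __name__ == "__main__":
    for user, topic, others in clandestine_interests(topic_profiles(EMAILS)):
        print(f"{user}: '{topic}' only in external mail; also of interest to {others}")
```
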