
Fine Grained Insider Risk Detection

Birkett Huber, Casper Neo, Keiran Sampson, Alex Kantchelian, Brett Ksobiech, Yanis Pavlidis

TL;DR

A method to detect departures from business-justified workflows among support agents by identifying agent actions that cannot be explained by the activity within their surrounding context, where normal activity patterns are established from historical data.

Abstract

We present a method to detect departures from business-justified workflows among support agents. Our goal is to assist auditors in identifying agent actions that cannot be explained by the activity within their surrounding context, where normal activity patterns are established from historical data. We apply our method to help audit millions of actions of over three thousand support agents. We collect logs from the tools used by support agents and construct a bipartite graph of Actions and Entities representing all the actions of the agents, as well as background information about entities. From this graph, we sample subgraphs rooted on security-significant actions taken by the agents. Each subgraph captures the relevant context of the root action in terms of other actions, entities and their relationships. We then prioritize the rooted-subgraphs for auditor review using feed-forward and graph neural networks, as well as nearest neighbors techniques. To alleviate the issue of scarce labeling data, we use contrastive learning and domain-specific data augmentations. Expert auditors label the top ranked subgraphs as "worth auditing" or "not worth auditing" based on the company's business policies. This system finds subgraphs that are worth auditing with high enough precision to be used in production.

Paper Structure

This paper contains 13 sections, 2 equations, 1 figure.

Figures (1)

  • Figure 1: This subgraph is rooted on a DataTool.Query typed action (red diamond), which indicates agent.1 queried user.1's data. The TicketManagement tool recorded that ticket.1 pertains to user.1, that agent.1 viewed ticket.1 1.43 hours before taking the action, and that they transferred the ticket to themself 0.07 hours before making the query. We can also see that ticket.1 was previously viewed by another agent, agent.2, starting 18.75 hours before the root action, and that agent.2 assigned the ticket to themself 1.7 hours before the root action. Note that the relationships on each edge are omitted for clarity.
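The following is an added illustration, not code from the paper or its authors, of the data structure the abstract and Figure 1 describe: a bipartite graph of Action nodes and Entity nodes built from constructed tool logs, the sampling of a context subgraph rooted on a security-significant action (here the DataTool.Query of Figure 1, reproduced with its time offsets), and a deliberately simple rule-based stand-in for the paper's learned ranker that flags a query whose context contains no ticket work on the queried user. All log lines, timestamps, node identifiers, the encoding of the "pertains to" background record as an agent-less Action node, the 24-hour window and the explanation rule are assumptions made for this example.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Action:
    """One node on the Action side of the bipartite Action/Entity graph."""
    action_id: str
    tool: str                  # tool that logged it, e.g. "TicketManagement"
    kind: str                  # action type within that tool, e.g. "Query"
    agent: str | None          # acting agent entity; None for background records (assumption)
    ts: datetime | None        # None for timeless background relationships (assumption)
    entities: tuple[str, ...]  # non-agent entities the action touches

    @property
    def typed_name(self) -> str:
        return f"{self.tool}.{self.kind}"

    def neighbours(self) -> tuple[str, ...]:
        """Entity nodes adjacent to this Action node (the agent is itself an entity)."""
        return self.entities + ((self.agent,) if self.agent else ())


# Constructed sample log reproducing the Figure 1 context plus one unrelated query.
ROOT_TS = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp of the root action


def hours_before(h: float) -> datetime:
    return ROOT_TS - timedelta(hours=h)


LOG = [
    Action("b1", "TicketManagement", "PertainsTo", None, None, ("ticket.1", "user.1")),
    Action("a1", "TicketManagement", "View", "agent.2", hours_before(18.75), ("ticket.1",)),
    Action("a2", "TicketManagement", "Assign", "agent.2", hours_before(1.7), ("ticket.1",)),
    Action("a3", "TicketManagement", "View", "agent.1", hours_before(1.43), ("ticket.1",)),
    Action("a4", "TicketManagement", "Transfer", "agent.1", hours_before(0.07), ("ticket.1",)),
    Action("a5", "DataTool", "Query", "agent.1", ROOT_TS, ("user.1",)),
    # constructed: agent.3 queries user.2 with no ticket activity on that user nearby
    Action("a6", "DataTool", "Query", "agent.3", hours_before(0.5), ("user.2",)),
    Action("a7", "TicketManagement", "View", "agent.3", hours_before(30.0), ("ticket.2",)),
]


def build_graph(actions: list[Action]):
    """Return (actions by id, entity -> set of adjacent action ids): the bipartite adjacency."""
    by_id = {a.action_id: a for a in actions}
    entity_index: dict[str, set[str]] = {}
    for a in actions:
        for ent in a.neighbours():
            entity_index.setdefault(ent, set()).add(a.action_id)
    return by_id, entity_index


def sample_subgraph(by_id, entity_index, root_id, window_hours=24.0, max_hops=4):
    """Breadth-first expansion Action -> Entities -> Actions from the root, keeping only
    actions whose timestamp lies within +/- window_hours of the root (background records
    have no timestamp and are always kept). Offsets are hours before the root action."""
    root = by_id[root_id]

    def offset(a: Action):
        if a.ts is None:
            return None
        return round((root.ts - a.ts).total_seconds() / 3600, 2)

    actions = {root_id: offset(root)}
    entities: set[str] = set()
    frontier = deque([(root_id, 0)])
    while frontier:
        aid, hop = frontier.popleft()
        if hop >= max_hops:
            continue
        for ent in by_id[aid].neighbours():
            entities.add(ent)
            for nid in entity_index.get(ent, ()):
                if nid in actions:
                    continue
                off = offset(by_id[nid])
                if off is not None and abs(off) > window_hours:
                    continue
                actions[nid] = off
                frontier.append((nid, hop + 1))
    return {"root": root_id, "actions": actions, "entities": entities}


def query_explained_by_context(by_id, subgraph) -> bool:
    """Rule-based stand-in for the paper's learned ranker (an assumption, not their method):
    a DataTool.Query is explained if the querying agent viewed, earlier in the sampled
    context, a ticket that the background records link to the queried user."""
    root = by_id[subgraph["root"]]
    if root.typed_name != "DataTool.Query":
        raise ValueError("rule only defined for DataTool.Query roots")
    queried_users = set(root.entities)
    tickets = {by_id[aid].entities[0] for aid in subgraph["actions"]
               if by_id[aid].kind == "PertainsTo" and by_id[aid].entities[1] in queried_users}
    for aid, off in subgraph["actions"].items():
        a = by_id[aid]
        if (a.typed_name == "TicketManagement.View" and a.agent == root.agent
                and off is not None and off > 0 and set(a.entities) & tickets):
            return True
    return False


if __name__ == "__main__":
    by_id, idx = build_graph(LOG)
    for root_id in ("a5", "a6"):
        sg = sample_subgraph(by_id, idx, root_id)
        print(root_id, sg["actions"], "explained:", query_explained_by_context(by_id, sg))
```

Run as a script, the Figure 1 root (a5) yields the context {a1, a2, a3, a4, b1} with the caption's offsets (18.75, 1.7, 1.43, 0.07 hours) and is marked explained, while the constructed query a6 has an empty context and is not; in the paper this ranking is done by the neural and nearest-neighbour models over many such subgraphs rather than by a hand-written rule.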