Sep 25, 2018

A Framework for Data-Driven Physical Security and Insider Threat Detection

arXiv:1809.09434v1 (24 citations)
Originality: Synthesis-oriented
AI Analysis

This paper addresses physical security and insider threat detection for organizations, but appears incremental, since it builds on existing rule-based anomaly detection and provenance analysis methods.

The paper tackles physical security and insider threat detection by presenting PS0, an ontological framework that uses rule-based anomaly detection and provenance graphs to identify security policy deviations and reconstruct attack patterns. Validation through use cases demonstrates PS0 can improve organizational security posture.

This paper presents PS0, an ontological framework and a methodology for improving physical security and insider threat detection. PS0 can facilitate forensic data analysis and proactively mitigate insider threats by leveraging rule-based anomaly detection. In all too many cases, rule-based anomaly detection can detect employee deviations from organizational security policies. In addition, PS0 can be considered a security provenance solution because of its ability to fully reconstruct attack patterns. Provenance graphs can be further analyzed to identify deceptive actions and overcome analytical mistakes that can result in bad decision-making, such as false attribution. Moreover, the information can be used to enrich the available intelligence (about intrusion attempts) that can form use cases to detect and remediate limitations in the system, such as loosely-coupled provenance graphs that in many cases indicate weaknesses in the physical security architecture. Ultimately, validation of the framework through use cases demonstrates and proves that PS0 can improve an organization's security posture in terms of physical security and insider threat detection.
