Information Behaving Badly


J. Ard, M. Bishop, C. Gates, and M. Sun, “Information Behaving Badly,” Proceedings of the 2013 New Security Paradigms Workshop pp. 107–118 (Sep. 2013).



Traditionally, insider threat detection has focused on observing human actors — or, more precisely, computer accounts and processes acting on behalf of those actors — to model their “normal” behavior, then determine if they have performed some anomalous action and, further, if that action is malicious. In this paper, we shift the paradigm from observing human behavior to observing information behavior by modeling how documents flow through an organization. We hypothesize that similar types of documents will exhibit similar workflows, and that a document deviating from its expected workflow indicates potential data leakage.

Bibliographic Information: [BibTeX] [EndNote] [RIS]
DOI: 10.1145/2535813.2535825