ELICIT: A system for detecting insiders who violate need-to-know

Marcus A. Maloof and Gregory D. Stephens

Malicious insiders do great harm and avoid detection by using their legitimate privileges to steal information that is often outside the scope of their duties. Based on information from public cases, consultation with domain experts, and analysis of a massive collection of information-use events and contextual information, we developed an approach for detecting insiders who operate outside the scope of their duties and thus violate need-to-know. Based on the approach, we built and evaluated ELICIT, a system designed to help analysts investigate insider threats. Empirical results suggest that, for a specified decision threshold of .5, ELICIT achieves a detection rate of .84 and a false-positive rate of .015, flagging per day only 23 users of 1,548 for further scrutiny. It achieved an area under an ROC curve of .92.
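The abstract reports its results as a detection rate and a false-positive rate at a fixed decision threshold, a per-day alert count, and a threshold-free ROC AUC. The block below is an added illustration, not code from the ELICIT paper, of how those four numbers relate when a scorer assigns each user a score: the per-user scores and labels are constructed, the function names are my own, and nothing here reproduces how ELICIT itself scores users. It shows why a small false-positive rate still produces a steady alert load over a large population (0.015 of 1,548 users is about 23 per day, as the abstract states) and computes the rank-based AUC that does not depend on the threshold.

```python
"""
Threshold metrics and ROC AUC for a per-user insider-threat scorer.

Added illustration, not code from the ELICIT paper: the scores and labels
below are constructed and the helper names are assumptions of this example.
"""
from typing import Sequence, Tuple


def threshold_metrics(scores: Sequence[float], labels: Sequence[int],
                      threshold: float) -> Tuple[float, float, int]:
    """Return (detection_rate, false_positive_rate, flagged) at a threshold.

    A user is flagged when score >= threshold. Detection rate is the share
    of true insiders flagged; false-positive rate is the share of benign
    users flagged; flagged is the total number of users an analyst would
    have to look at.
    """
    tp = fp = pos = neg = 0
    for s, y in zip(scores, labels):
        flagged = int(s >= threshold)
        if y:
            pos += 1
            tp += flagged
        else:
            neg += 1
            fp += flagged
    return tp / pos, fp / neg, tp + fp


def roc_auc(scores: Sequence[float], labels: Sequence[int]) -> float:
    """Rank-based ROC AUC (Mann-Whitney statistic, ties count one half).

    Equals the probability that a randomly chosen insider outscores a
    randomly chosen benign user, so it is independent of any threshold.
    """
    pos = [s for s, y in zip(scores, labels) if y]
    neg = [s for s, y in zip(scores, labels) if not y]
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))


def daily_alerts(population: int, fpr: float, insiders: int = 0,
                 detection_rate: float = 0.0) -> int:
    """Expected number of users flagged per day for a population.

    Benign users contribute population * fpr; any insiders present
    contribute insiders * detection_rate.
    """
    benign = population - insiders
    return round(benign * fpr + insiders * detection_rate)


# Constructed sample: 20 benign users with mostly low scores (two of them
# above 0.5), and 5 insiders, one of whom scores below the threshold.
SAMPLE_SCORES = [0.05, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.28, 0.30,
                 0.31, 0.33, 0.35, 0.38, 0.40, 0.42, 0.45, 0.47, 0.55, 0.62,
                 0.45, 0.70, 0.80, 0.90, 0.95]
SAMPLE_LABELS = [0] * 20 + [1] * 5

if __name__ == "__main__":
    dr, fpr, flagged = threshold_metrics(SAMPLE_SCORES, SAMPLE_LABELS, 0.5)
    print(f"threshold 0.5: detection rate {dr:.2f}, FPR {fpr:.2f}, "
          f"flagged {flagged} of {len(SAMPLE_SCORES)} users")
    print(f"ROC AUC: {roc_auc(SAMPLE_SCORES, SAMPLE_LABELS):.3f}")
    # Alert load implied by the abstract's false-positive rate of .015
    # over its population of 1,548 users (benign users only).
    print("expected flags/day at FPR .015 over 1,548 users:",
          daily_alerts(1548, 0.015))
```

On the constructed sample the threshold of 0.5 yields a detection rate of 0.80 and a false-positive rate of 0.10 while flagging 6 of 25 users, and the AUC is 0.965; the same `daily_alerts` arithmetic applied to the abstract's rates gives the 23 users per day it reports. Lowering the threshold raises both rates at once, which is why the abstract fixes the threshold before quoting them and reports the AUC separately.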

Copyright © Springer-Verlag Berlin Heidelberg 2007

Preprint available in PDF.

Paper available from Springerlink

  author = "Maloof, M. A. and Stephens, G. D.",
  title = "{ELICIT}: A System for Detecting Insiders Who Violate Need-to-know",
  booktitle = "Recent Advances in Intrusion Detection",
  series = "Lecture Notes in Computer Science",
  volume = 4637,
  pages = "146--166",
  year = 2007,
  publisher = "Springer",
  address = "Berlin",
  note = "{Tenth International Conference, RAID 2007, Gold Coast,
    Australia, September 5--7, 2007. Proceedings}",
  annote = {

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.