{"id":"https://openalex.org/W2767083275","doi":"https://doi.org/10.1145/3139923.3139928","title":"Insider Threat Event Detection in User-System Interactions","display_name":"Insider Threat Event Detection in User-System Interactions","publication_year":2017,"publication_date":"2017-10-30","ids":{"openalex":"https://openalex.org/W2767083275","doi":"https://doi.org/10.1145/3139923.3139928","mag":"2767083275"},"language":"en","primary_location":{"id":"doi:10.1145/3139923.3139928","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3139923.3139928","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2017 International Workshop on Managing Insider Security Threats","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5025254339","display_name":"Pablo Moriano","orcid":"https://orcid.org/0000-0002-1822-8885"},"institutions":[{"id":"https://openalex.org/I4210119109","display_name":"Indiana University Bloomington","ror":"https://ror.org/02k40bc56","country_code":"US","type":"education","lineage":["https://openalex.org/I4210119109","https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Pablo Moriano","raw_affiliation_strings":["Indiana University, Bloomington, IN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Indiana University, Bloomington, IN, USA","institution_ids":["https://openalex.org/I4210119109"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047298775","display_name":"Jared Pendleton","orcid":null},"institutions":[{"id":"https://openalex.org/I135428043","display_name":"Cisco Systems (United States)","ror":"https://ror.org/03yt1ez60","country_code":"US","type":"company","lineage":["https://openalex.org/I135428043"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jared Pendleton","raw_affiliation_strings":["Cisco Systems, Inc., Knoxville, TN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Cisco Systems, Inc., Knoxville, TN, USA","institution_ids":["https://openalex.org/I135428043"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047943142","display_name":"Steven Rich","orcid":null},"institutions":[{"id":"https://openalex.org/I135428043","display_name":"Cisco Systems (United States)","ror":"https://ror.org/03yt1ez60","country_code":"US","type":"company","lineage":["https://openalex.org/I135428043"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Steven Rich","raw_affiliation_strings":["Cisco Systems, Inc., Knoxville, TN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Cisco Systems, Inc., Knoxville, TN, USA","institution_ids":["https://openalex.org/I135428043"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5057479145","display_name":"L. Jean Camp","orcid":"https://orcid.org/0000-0001-8731-7884"},"institutions":[{"id":"https://openalex.org/I4210119109","display_name":"Indiana University Bloomington","ror":"https://ror.org/02k40bc56","country_code":"US","type":"education","lineage":["https://openalex.org/I4210119109","https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"L Jean Camp","raw_affiliation_strings":["Indiana University, Bloomington, IN, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Indiana University, Bloomington, IN, USA","institution_ids":["https://openalex.org/I4210119109"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":2.532,"has_fulltext":false,"cited_by_count":18,"citation_normalized_percentile":{"value":0.919701,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"12"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9986000061035156,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9986000061035156,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9962999820709229,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/insider-threat","display_name":"Insider threat","score":0.9217278361320496},{"id":"https://openalex.org/keywords/insider","display_name":"Insider","score":0.823013961315155},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6990363597869873},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.521831214427948},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.45889756083488464},{"id":"https://openalex.org/keywords/metadata","display_name":"Metadata","score":0.4357040822505951},{"id":"https://openalex.org/keywords/closure","display_name":"Closure (psychology)","score":0.4140603244304657},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.40187716484069824},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.12364932894706726}],"concepts":[{"id":"https://openalex.org/C2776633304","wikidata":"https://www.wikidata.org/wiki/Q6038026","display_name":"Insider threat","level":3,"score":0.9217278361320496},{"id":"https://openalex.org/C2778971194","wikidata":"https://www.wikidata.org/wiki/Q1664551","display_name":"Insider","level":2,"score":0.823013961315155},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6990363597869873},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.521831214427948},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.45889756083488464},{"id":"https://openalex.org/C93518851","wikidata":"https://www.wikidata.org/wiki/Q180160","display_name":"Metadata","level":2,"score":0.4357040822505951},{"id":"https://openalex.org/C146834321","wikidata":"https://www.wikidata.org/wiki/Q2979672","display_name":"Closure (psychology)","level":2,"score":0.4140603244304657},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.40187716484069824},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.12364932894706726},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C59822182","wikidata":"https://www.wikidata.org/wiki/Q441","display_name":"Botany","level":1,"score":0.0},{"id":"https://openalex.org/C34447519","wikidata":"https://www.wikidata.org/wiki/Q179522","display_name":"Market economy","level":1,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3139923.3139928","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3139923.3139928","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2017 International Workshop on Managing Insider Security Threats","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320307791","display_name":"Cisco Systems","ror":"https://ror.org/03yt1ez60"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W1240318034","https://openalex.org/W1753821802","https://openalex.org/W1893639437","https://openalex.org/W1904633530","https://openalex.org/W1906783320","https://openalex.org/W1965027877","https://openalex.org/W1969795119","https://openalex.org/W1982442837","https://openalex.org/W1986566755","https://openalex.org/W2032280284","https://openalex.org/W2035316056","https://openalex.org/W2053003065","https://openalex.org/W2054658115","https://openalex.org/W2086730149","https://openalex.org/W2089554624","https://openalex.org/W2093168265","https://openalex.org/W2117818136","https://openalex.org/W2122440612","https://openalex.org/W2132688085","https://openalex.org/W2155640700","https://openalex.org/W2156716308","https://openalex.org/W2163557584","https://openalex.org/W2164998314","https://openalex.org/W2538737552","https://openalex.org/W2542582667","https://openalex.org/W3098684887","https://openalex.org/W3126033509"],"related_works":["https://openalex.org/W2766781562","https://openalex.org/W4205304595","https://openalex.org/W2979782961","https://openalex.org/W308359497","https://openalex.org/W1499596878","https://openalex.org/W3136170567","https://openalex.org/W2947769183","https://openalex.org/W2018332730","https://openalex.org/W4387194049","https://openalex.org/W2286217954"],"abstract_inverted_index":{"Detection":[0],"of":[1,15,76,87,100,118,145,162,167,199,206,257,276,286,331,339,342,353],"insider":[2,47,65,93,131,186,200,277,290,297,332,355],"threats":[3,356],"relies":[4,19],"on":[5,20,312],"monitoring":[6],"individuals":[7],"and":[8,51,74,108,147,159,221,240,316],"their":[9,260],"interactions":[10,218,337],"with":[11],"organizational":[12],"resources.":[13],"Identification":[14],"anomalous":[16],"insiders":[17,53],"typically":[18],"supervised":[21],"learning":[22,125],"models":[23,59],"that":[24,39,63,89,91,193,216,248,254,296],"use":[25,75,122,236],"labeled":[26,30,37],"data.":[27],"However,":[28],"such":[29,103],"data":[31,38],"is":[32,42,67,83,250],"not":[33,55,68,273],"easily":[34],"obtainable.":[35],"The":[36,139,150,165,344],"does":[40],"exist":[41],"also":[43,60,347],"limited":[44],"by":[45,302],"current":[46],"threat":[48,66,94,132,201,278,333],"detection":[49,275,330,362],"methods":[50],"undetected":[52],"would":[54],"be":[56,300],"included.":[57],"These":[58],"inherently":[61],"assume":[62],"the":[64,77,92,160,197,204,207,294,303,340],"rapidly":[69],"evolving":[70],"between":[71,156,219],"model":[72,78],"generation":[73],"in":[79,175,224,335],"detection.":[80],"Yet":[81],"there":[82,249],"a":[84,142,153,172,214,255,351],"large":[85],"body":[86],"research":[88],"illustrates":[90],"changes":[95],"significantly":[96],"after":[97,177,263],"some":[98],"types":[99],"precipitating":[101,137,157,189,264],"events,":[102],"as":[104],"layoffs,":[105],"significant":[106,244,252],"restructuring,":[107],"plant":[109],"or":[110],"facility":[111],"closure.":[112],"To":[113],"capture":[114],"this":[115,194,237],"temporal":[116],"evolution":[117],"user-system":[119,336],"interactions,":[120],"we":[121],"an":[123,225],"unsupervised":[124],"framework":[126,308],"to":[127,184,213,357],"evaluate":[128],"whether":[129],"potential":[130,205,327],"events":[133,158,178,265,279],"are":[134],"triggered":[135],"following":[136],"events.":[138,190,245],"analysis":[140,170],"leverages":[141],"bipartite":[143],"graph":[144,323],"user":[146],"system":[148,229],"interactions.":[149,343],"approach":[151],"shows":[152],"clear":[154,173],"correlation":[155],"number":[161],"apparent":[163],"anomalies.":[164],"results":[166],"our":[168,211],"empirical":[169],"show":[171,247],"shift":[174],"behaviors":[176,202],"which":[179],"have":[180,266],"previously":[181],"been":[182,267],"shown":[183],"increase":[185],"activity,":[187],"specifically":[188],"We":[191,209,235,246],"argue":[192],"metadata":[195],"about":[196],"level":[198],"validates":[203],"approach.":[208],"apply":[210],"method":[212,346],"dataset":[215,239],"comprises":[217],"engineers":[220],"software":[222],"components":[223],"enterprise":[226],"version":[227],"control":[228],"spanning":[230],"more":[231],"than":[232],"22":[233],"years.":[234],"unlabeled":[238],"automatically":[241],"detect":[242],"statistically":[243,251],"evidence":[253],"subset":[256],"users":[258],"diversify":[259],"committing":[261],"behavior":[262,334],"announced.":[268],"Although":[269],"these":[270],"findings":[271],"do":[272,283],"constitute":[274],"per":[280],"se,":[281],"they":[282],"identify":[284],"patterns":[285],"potentially":[287],"malicious":[288],"high-risk":[289],"behavior.":[291],"They":[292],"reinforce":[293],"idea":[295],"operations":[298],"can":[299],"motivated":[301],"insiders'":[304],"environment.":[305],"Our":[306],"proposed":[307,345],"outperforms":[309],"algorithms":[310,317],"based":[311],"naive":[313],"random":[314],"approaches":[315],"using":[318],"volume":[319,341],"dependent":[320],"statistics.":[321],"This":[322],"mining":[324],"technique":[325],"has":[326],"for":[328],"early":[329],"independent":[338],"enables":[348],"organizations":[349],"without":[350],"corpus":[352],"identified":[354],"train":[358],"its":[359],"own":[360],"anomaly":[361],"system.":[363]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":3},{"year":2020,"cited_by_count":2},{"year":2019,"cited_by_count":2},{"year":2018,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}
