Initial Disclosure of Insiders Based on Expert Rules
DOI: https://doi.org/10.24996/ijs.2025.66.3.28

Keywords: CERT Insiders Dataset, NoSQL, Prediction model, Expert rules

Abstract
Recently, the number of insiders in company computer networks has increased. Some insiders can be detected when they perform outside activities, such as sending a file or opening blocked websites, to enter the company network. Another class of insiders consists of the company's own employees, and they are difficult to identify. The problem here lies in the taxonomies of insiders and insider threats. The survey method is one of the most widely used approaches to constructing a taxonomy of insiders; it is based on the analysis of materials from investigations of computer security incidents conducted by computer security specialists. Based on the incidents investigated, studies can be categorized using technical and psychosocial data. User data on networks requires detailed preliminary analysis to study user behavior and identify insiders more accurately. In this research, we propose a model that detects insiders from events on the network, such as opening a blocked site, sending emails, and logging into the network at an unsuitable time. The proposed algorithm first analyzes a user data set stored in NoSQL and then applies expert rules to determine the degree of risk posed by each insider. Analysis of the proposed algorithm with respect to time, accuracy, and correctness of the insider classification produced satisfactory results.
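The abstract names three event classes (off-hours logon, blocked-site access, outbound email) and says expert rules turn them into a risk degree per user, but it does not show how such rules are evaluated. The following Python is an added example and is not the paper's model or code. The comma-separated record layouts for logon, HTTP and email events are assumptions loosely modelled on the CERT insider dataset, and the rule weights, working-hours window and risk thresholds are illustrative values chosen for this example.

```python
"""Expert-rule risk scoring over constructed CERT-style event records.

Added example, not the paper's implementation. Record layouts, rule
weights and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample records (not rows from the real dataset).
# Assumed layout: timestamp,user,pc,activity
LOGON = [
    "2024-03-04 08:55:12,ALICE,PC-0123,Logon",
    "2024-03-04 17:40:03,ALICE,PC-0123,Logoff",
    "2024-03-04 02:13:44,BOB,PC-0987,Logon",
    "2024-03-04 03:02:10,BOB,PC-0987,Logoff",
]
# Assumed layout: timestamp,user,pc,url
HTTP = [
    "2024-03-04 09:10:00,ALICE,PC-0123,http://intranet.example/wiki",
    "2024-03-04 02:20:00,BOB,PC-0987,http://filesharing.example/upload",
    "2024-03-04 02:25:00,BOB,PC-0987,http://jobsearch.example/apply",
]
# Assumed layout: timestamp,user,pc,recipient,attachment_count
EMAIL = [
    "2024-03-04 10:00:00,ALICE,PC-0123,colleague@example.com,0",
    "2024-03-04 02:30:00,BOB,PC-0987,someone@webmail.example,2",
]

# Illustrative policy inputs for the expert rules.
BLOCKED_DOMAINS = {"filesharing.example", "jobsearch.example"}
INTERNAL_DOMAIN = "example.com"
WORK_HOURS = range(7, 20)          # 07:00-19:59 is the "suitable time"
RULE_WEIGHTS = {                   # contribution of one rule hit to the score
    "off_hours_logon": 2,
    "blocked_site": 3,
    "external_email_with_attachment": 4,
}
THRESHOLDS = (("high", 6), ("medium", 2))  # score >= value -> level


def parse(line):
    """Split one record into (timestamp, [remaining fields])."""
    fields = line.split(",")
    return datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"), fields[1:]


def evaluate_rules(logon_lines, http_lines, email_lines):
    """Apply each expert rule and count hits per user and rule."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in logon_lines:
        ts, (user, _pc, activity) = parse(line)
        hits[user]  # register the user even if no rule fires
        if activity == "Logon" and ts.hour not in WORK_HOURS:
            hits[user]["off_hours_logon"] += 1
    for line in http_lines:
        _ts, (user, _pc, url) = parse(line)
        if urlparse(url).hostname in BLOCKED_DOMAINS:
            hits[user]["blocked_site"] += 1
    for line in email_lines:
        _ts, (user, _pc, recipient, attachments) = parse(line)
        external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
        if external and int(attachments) > 0:
            hits[user]["external_email_with_attachment"] += 1
    return hits


def risk_score(rule_hits):
    """Weighted sum of rule hits: the user's degree of risk."""
    return sum(RULE_WEIGHTS[rule] * count for rule, count in rule_hits.items())


def classify(score):
    """Map a numeric score onto a coarse risk level."""
    for level, minimum in THRESHOLDS:
        if score >= minimum:
            return level
    return "low"


def assess(logon_lines, http_lines, email_lines):
    """Return {user: {"score", "level", "hits"}} for every user seen."""
    hits = evaluate_rules(logon_lines, http_lines, email_lines)
    report = {}
    for user, user_hits in hits.items():
        score = risk_score(user_hits)
        report[user] = {"score": score, "level": classify(score),
                        "hits": dict(user_hits)}
    return report


if __name__ == "__main__":
    for user, result in sorted(assess(LOGON, HTTP, EMAIL).items()):
        print(f"{user}: {result['level']} (score {result['score']}) {result['hits']}")
```

Each rule is independent and additive, so an analyst can tune a weight or threshold without touching the parsing, and the per-rule hit counts in the report explain why a user landed in a given level, which is what an investigator needs before acting on a "high" classification.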