Skip to main content

Insider Threats: Identifying Anomalous Human Behaviour in Heterogeneous Systems Using Beneficial Intelligent Software (Ben-ware)

McGough, Andrew Stephen and Wall, David and Brennan, John and Theodoropoulos, Georgios and Ruck-Keene, Ed and Arief, Budi and Gamble, Carl and Fitzgerald, John and van Moorsel, Aad and Alwis, Sujeewa (2015) Insider Threats: Identifying Anomalous Human Behaviour in Heterogeneous Systems Using Beneficial Intelligent Software (Ben-ware). In: Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats. CCS Computer and Communications Security . ACM, New York, USA, pp. 1-12. ISBN 978-1-4503-3824-0. (doi:10.1145/2808783.2808785) (KAR id:54145)

PDF Author's Accepted Manuscript
Language: English
Download (791kB) Preview
[thumbnail of MIST15.pdf]
This file may not be suitable for users of assistive technology.
Request an accessible format
Official URL


In this paper, we present the concept of "Ben-ware" as a beneficial software system capable of identifying anomalous human behaviour within a 'closed' organisation's IT infrastructure. We note that this behaviour may be malicious (for example, an employee is seeking to act against the best interest of the organisation by stealing confidential information) or benign (for example, an employee is applying some workaround to complete their job). To help distinguish between users who are intentionally malicious and those who are benign, we use human behaviour modelling along with Artificial Intelligence. Ben-ware has been developed as a distributed system comprising of probes for data collection, intermediate nodes for data routing and higher nodes for data analysis. This allows for real-time analysis with low impact on the overall infrastructure, which may contain legacy and low-power resources. We present an analysis of the appropriateness of the Ben-ware system for deployment within a large closed organisation, comprising of both new and legacy hardware, to protect its essential information. This analysis is performed in terms of the memory footprint, disk footprint and processing requirements of the different parts of the system.

Item Type: Book section
DOI/Identification number: 10.1145/2808783.2808785
Uncontrolled keywords: Insider threats; detection; anomalous behaviour; human behaviour; artificial intelligence; assistive tool; ethics.
Subjects: Q Science > QA Mathematics (inc Computing science)
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Budi Arief
Date Deposited: 10 Feb 2016 18:12 UTC
Last Modified: 16 Feb 2021 13:33 UTC
Resource URI: (The current URI for this page, for reference purposes)
Arief, Budi:
  • Depositors only (login required):


Downloads per month over past year