Abstract
The CMU Capstone Project, in partnership with BNY Mellon, addressed the limitations of BNY
Mellon's existing insider threat detection system, which lacks transparency, customization, and
adaptability. To solve these issues, the CMU team developed TRITON (Technology for
Revealing Insider Threats on Organizational Networks), a proof-of-concept solution designed to integrate with modern data management technologies, aiding security analysts in detecting potential insider threats.
TRITON was developed using the Software Engineering Institute's (SEI) Insider dataset version 6.2 but has not yet been stress-tested or trained with real-time data. It is intended to support security analysts in identifying insider threat behaviors, but not as a stand-alone solution. The project followed four key milestones to enhance BNY Mellon's security capabilities.
1. Identifying and Building Use Cases: The team constructed use cases based on the SEI
dataset, focusing on three common insider threat categories: theft, fraud, and sabotage.
These scenarios were tailored to BNY Mellon's environment, detailing threat actions,
potential impacts, and probabilities of occurrence. This groundwork provided the basis
for TRITON's threat detection logic.
2. Designing Data Pipelines: A data pipeline was created to facilitate the movement of
integrated data into a data lake technology. Utilizing Cribl to extract data from its sources
and Kafka to send it to Snowflake, the pipeline collects and transports data for analysis,
ensuring a consistent flow for insider threat detection.
3. Implementing Analytics Algorithms: The team implemented an Isolation Forest model,
achieving 92.5% accuracy in identifying insider threats in the SEI dataset. The AI-based
threat detection process involves data preprocessing and the application of the AI model. Additionally, a rule-based detection approach was developed to supplement AI-based insights.
4. Generating Alerts and Alert Dashboard: A dashboard was designed to manage alerts
generated by the AI algorithms. The dashboard offers real-time, actionable insights,
allowing security analysts to respond quickly to potential threats.
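The third milestone describes the analytics core: an Isolation Forest model over preprocessed user activity, supplemented by rule-based checks. The following added example (not TRITON's code, and not BNY Mellon's or the CMU team's) shows how those two layers fit together on a constructed dataset. The feature schema (logon hour, files copied, USB events), the rule thresholds, the sample data and the alert threshold are all assumptions for illustration.

```python
"""Added example: minimal Isolation Forest plus rule-based checks over
constructed insider-threat features. Not TRITON's code; schema, thresholds
and data are assumptions for illustration."""
import math
import random

# Assumed per-user-day feature vector after preprocessing.
FEATURES = ["logon_hour", "files_copied", "usb_events"]


def _c(n):
    """Average path length of an unsuccessful BST search; used to normalise scores."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + 0.5772156649  # H(n-1), Euler's constant
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def _build_tree(rows, depth, max_depth, rng):
    """Recursively isolate points with random axis-aligned splits."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    q = rng.randrange(len(rows[0]))
    lo, hi = min(r[q] for r in rows), max(r[q] for r in rows)
    if lo == hi:  # all points identical on this feature: nothing to split
        return {"size": len(rows)}
    p = rng.uniform(lo, hi)
    return {"q": q, "p": p,
            "left": _build_tree([r for r in rows if r[q] < p], depth + 1, max_depth, rng),
            "right": _build_tree([r for r in rows if r[q] >= p], depth + 1, max_depth, rng)}


def _path_length(x, node, depth=0):
    if "q" not in node:  # leaf: add the expected depth of the unsplit subtree
        return depth + _c(node["size"])
    child = node["left"] if x[node["q"]] < node["p"] else node["right"]
    return _path_length(x, child, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=7):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng, self.trees, self.psi = random.Random(seed), [], 0

    def fit(self, rows):
        self.psi = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [_build_tree(self.rng.sample(rows, self.psi), 0, max_depth, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]; values near 1 mean the point isolates quickly."""
        avg = sum(_path_length(x, t) for t in self.trees) / len(self.trees)
        return 2 ** (-avg / _c(self.psi))


# Rule-based layer: explicit, explainable checks (thresholds are assumptions).
RULES = {
    "after_hours_logon": lambda f: f["logon_hour"] < 6 or f["logon_hour"] > 20,
    "bulk_file_copy": lambda f: f["files_copied"] >= 50,
    "removable_media": lambda f: f["usb_events"] > 0,
}


def rule_hits(row):
    f = dict(zip(FEATURES, row))
    return [name for name, check in RULES.items() if check(f)]


def build_dataset(seed=1):
    """Constructed sample: 60 routine user-days plus one clearly anomalous day."""
    rng = random.Random(seed)
    normal = [[rng.randint(8, 10), rng.randint(0, 8), 0] for _ in range(60)]
    outlier = [3, 120, 1]  # 3 a.m. logon, bulk copy, USB use (constructed)
    return normal, outlier


def triage(forest, rows, threshold=0.6):
    """Combine model score and rule hits into alert records for a dashboard."""
    alerts = []
    for i, row in enumerate(rows):
        s, hits = forest.score(row), rule_hits(row)
        if s >= threshold or hits:
            alerts.append({"row": i, "score": round(s, 3), "rules": hits})
    return alerts


if __name__ == "__main__":
    normal, outlier = build_dataset()
    forest = IsolationForest().fit(normal + [outlier])
    for alert in triage(forest, normal + [outlier]):
        print(alert)
```

Each alert carries both the model score and the names of the rules that fired, which is the transparency the abstract calls for: an analyst can see whether a row was flagged by the statistical model, by an explicit rule, or by both, and the rule set can be changed without retraining the model.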
These milestones have resulted in a tool, TRITON, that provides high transparency,
customization, and adaptability for insider threat detection. TRITON allows BNY Mellon to
customize detection algorithms and incorporate additional features as needed. While TRITON is
a proof-of-concept, the project demonstrated the feasibility of developing an in-house insider
threat detection system. Accordingly, it is recommended that BNY Mellon further analyze
TRITON and conduct a cost-benefit analysis to assess whether replacing their current vendor
solution with TRITON is beneficial.
| Original language | English |
|---|---|
| Qualification | Master of Science |
| Awarding Institution | |
| Supervisors/Advisors | |
| Award date | 12 May 2024 |
| Publication status | Published - 2024 |

Research Field
- Cyber Security