Saved in:
Bibliographic Details
Main Authors: Huber, Birkett, Neo, Casper, Sampson, Keiran, Kantchelian, Alex, Ksobiech, Brett, Pavlidis, Yanis
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2411.02645
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915005706797056
author Huber, Birkett
Neo, Casper
Sampson, Keiran
Kantchelian, Alex
Ksobiech, Brett
Pavlidis, Yanis
author_facet Huber, Birkett
Neo, Casper
Sampson, Keiran
Kantchelian, Alex
Ksobiech, Brett
Pavlidis, Yanis
contents We present a method to detect departures from business-justified workflows among support agents. Our goal is to assist auditors in identifying agent actions that cannot be explained by the activity within their surrounding context, where normal activity patterns are established from historical data. We apply our method to help audit millions of actions of over three thousand support agents. We collect logs from the tools used by support agents and construct a bipartite graph of Actions and Entities representing all the actions of the agents, as well as background information about entities. From this graph, we sample subgraphs rooted on security-significant actions taken by the agents. Each subgraph captures the relevant context of the root action in terms of other actions, entities and their relationships. We then prioritize the rooted-subgraphs for auditor review using feed-forward and graph neural networks, as well as nearest neighbors techniques. To alleviate the issue of scarce labeling data, we use contrastive learning and domain-specific data augmentations. Expert auditors label the top ranked subgraphs as ``worth auditing" or ``not worth auditing" based on the company's business policies. This system finds subgraphs that are worth auditing with high enough precision to be used in production.
format Preprint
id arxiv_https___arxiv_org_abs_2411_02645
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Fine Grained Insider Risk Detection
Huber, Birkett
Neo, Casper
Sampson, Keiran
Kantchelian, Alex
Ksobiech, Brett
Pavlidis, Yanis
Cryptography and Security
Machine Learning
We present a method to detect departures from business-justified workflows among support agents. Our goal is to assist auditors in identifying agent actions that cannot be explained by the activity within their surrounding context, where normal activity patterns are established from historical data. We apply our method to help audit millions of actions of over three thousand support agents. We collect logs from the tools used by support agents and construct a bipartite graph of Actions and Entities representing all the actions of the agents, as well as background information about entities. From this graph, we sample subgraphs rooted on security-significant actions taken by the agents. Each subgraph captures the relevant context of the root action in terms of other actions, entities and their relationships. We then prioritize the rooted-subgraphs for auditor review using feed-forward and graph neural networks, as well as nearest neighbors techniques. To alleviate the issue of scarce labeling data, we use contrastive learning and domain-specific data augmentations. Expert auditors label the top ranked subgraphs as ``worth auditing" or ``not worth auditing" based on the company's business policies. This system finds subgraphs that are worth auditing with high enough precision to be used in production.
title Fine Grained Insider Risk Detection
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2411.02645