Research Student Profile


Dr George Magklaras PhD, MPhil

Research Student

An Insider Misuse Threat Detection and Prediction Language

Numerous studies indicate that amongst the various types of security threats, the
problem of insider misuse of IT systems can have serious consequences for the health
of computing infrastructures. Although incidents of external origin are also dangerous,
the insider IT misuse problem is difficult to address for a number of reasons. A
fundamental reason mitigation is difficult is the level of trust that legitimate users
possess inside the organization. That trust makes it difficult to detect threats that
originate from the actions and credentials of individual users. An equally important
difficulty is the variability of the problem: the nature of insider IT misuse varies from
organization to organization. Hence, expressing what constitutes a threat, and detecting
and predicting it, are non-trivial tasks that add to the multifactorial nature of insider
IT misuse.

This thesis is concerned with systematizing the specification of insider threats,
focusing on their system-level detection and prediction. It designs suitable user audit
mechanisms and the semantics of a Domain Specific Language for detecting and
predicting insider misuse incidents. As a result, the thesis proposes in detail ways to
construct standardized descriptions (signatures) of insider threat incidents, as a means
of helping researchers and IT system experts mitigate the problem of insider IT misuse.

The produced audit engine (LUARM – Logging User Actions in Relational Mode) and
the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that
can be added to the insider IT misuse mitigation arsenal. LUARM is a novel audit
engine designed specifically to meet the needs of monitoring insider actions, needs
that traditional open source audit utilities cannot meet. ITPSL is an XML-based
markup that standardizes the description of incidents and threats and so makes use
of the LUARM audit data. Its novelty lies in the fact that it can be used to detect as
well as predict instances of threats, something no previous domain specific language
for threats has achieved.
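The abstract describes two cooperating parts: a relational audit trail of user actions (LUARM) and an XML signature language matched against it, both to detect incidents that have completed and to predict ones still in progress (ITPSL). The following is an added illustration of that architecture and is not code from the thesis: the `actions` table schema, the `<signature>`/`<step>` element names, the LIKE-pattern targets and the audit rows are all constructed for this example and do not reproduce LUARM's real schema or ITPSL's real syntax. Signature steps are matched in order against each user's rows; a complete ordered match is reported as a detection, and a matched prefix that reaches a threshold is reported as a prediction.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed audit rows (ts, username, action, target). The flat schema is an
# assumption for this example, not LUARM's actual relational layout.
AUDIT_ROWS = [
    ("2011-03-01T09:00:00", "alice", "login", "ws12"),
    ("2011-03-01T09:06:00", "alice", "file_read", "/srv/payroll/salaries.xls"),
    ("2011-03-01T09:07:00", "alice", "exec", "/usr/bin/scp"),
    ("2011-03-01T09:07:01", "alice", "net_connect", "198.51.100.7:22"),
    ("2011-03-01T10:00:00", "bob", "login", "ws13"),
    # bob's outbound ssh precedes his payroll read, so an ordered signature
    # must not credit it as the final step of the pattern
    ("2011-03-01T10:10:00", "bob", "net_connect", "203.0.113.5:22"),
    ("2011-03-01T10:30:00", "bob", "file_read", "/srv/payroll/salaries.xls"),
    ("2011-03-01T11:00:00", "carol", "login", "ws14"),
    ("2011-03-01T11:10:00", "carol", "file_read", "/srv/payroll/budget.xls"),
    ("2011-03-01T11:11:00", "carol", "exec", "/usr/bin/scp"),
]

# Hypothetical XML signature. Element and attribute names are invented for
# this example; they are not ITPSL's schema. Targets use SQL LIKE wildcards.
SIGNATURE = """
<signature id="payroll-exfil" name="Payroll file read, then copied off-host over ssh">
  <step action="file_read" target="/srv/payroll/%"/>
  <step action="exec" target="/usr/bin/scp"/>
  <step action="net_connect" target="%:22"/>
</signature>
"""


def load_audit(rows):
    """Load the audit rows into an in-memory relational table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE actions (ts TEXT, username TEXT, action TEXT, target TEXT)"
    )
    con.executemany("INSERT INTO actions VALUES (?, ?, ?, ?)", rows)
    return con


def parse_signature(xml_text):
    """Return (signature id, ordered list of (action, target LIKE pattern))."""
    root = ET.fromstring(xml_text.strip())
    steps = [(s.get("action"), s.get("target")) for s in root.findall("step")]
    return root.get("id"), steps


def match_sequence(con, username, steps):
    """Match signature steps in order for one user.

    Each step must occur strictly after the previously matched step, so an
    out-of-order action does not count. Returns the number of leading steps
    matched; equal to len(steps) means the full pattern occurred.
    """
    last_ts = ""  # ISO-8601 timestamps compare correctly as strings
    matched = 0
    for action, target in steps:
        row = con.execute(
            "SELECT ts FROM actions WHERE username = ? AND action = ? "
            "AND target LIKE ? AND ts > ? ORDER BY ts LIMIT 1",
            (username, action, target, last_ts),
        ).fetchone()
        if row is None:
            break
        last_ts = row[0]
        matched += 1
    return matched


def evaluate(con, xml_text, predict_threshold=0.5):
    """Score every user in the audit trail against one signature.

    Returns (signature id, {username: (steps matched, score, verdict)}) where
    the verdict is "detected" for a complete ordered match, "predicted" when
    the matched prefix reaches predict_threshold, and "none" otherwise.
    """
    sig_id, steps = parse_signature(xml_text)
    verdicts = {}
    for (username,) in con.execute(
        "SELECT DISTINCT username FROM actions ORDER BY username"
    ):
        matched = match_sequence(con, username, steps)
        score = matched / len(steps)
        if matched == len(steps):
            verdict = "detected"
        elif score >= predict_threshold:
            verdict = "predicted"
        else:
            verdict = "none"
        verdicts[username] = (matched, round(score, 2), verdict)
    return sig_id, verdicts


if __name__ == "__main__":
    sig_id, verdicts = evaluate(load_audit(AUDIT_ROWS), SIGNATURE)
    for username, (matched, score, verdict) in verdicts.items():
        print(f"{sig_id}: {username} matched {matched} step(s), score {score}: {verdict}")
```

On the constructed rows, alice completes all three steps in order (detected), carol has read a payroll file and launched scp but has not yet connected out (predicted), and bob's earlier ssh connection is not counted because it precedes his file read. Two caveats a practitioner would want: SQLite's LIKE is case-insensitive by default and treats `_` as a wildcard, so real targets should be escaped or matched with `=` where exact paths are meant; and the prediction threshold is where the trade-off between early warning and false positives lives, which is exactly why the abstract notes that writing good signatures requires knowledge of the applications in use.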

The research project evaluated the produced language using a cyber-misuse
experiment approach derived from real world misuse incident data. The results of the
experiment showed that ITPSL and its associated audit engine LUARM provide a good
foundation for insider threat specification and prediction. Some language deficiencies
relate to the fact that specifying an insider threat requires good knowledge of the
software applications used on the computer system being monitored. As the language
is easily extensible, future developments to improve it in this direction are suggested.

Dr George Magklaras

Director of studies: Prof Steven M Furnell
Other supervisors: Dr Phil Brooke

Journal papers

Towards an Insider Threat Prediction Specification Language
Magklaras GB, Furnell SM, Brooke PJ
Information Management & Computer Security, vol. 14, no. 4, pp361-381, 2006

A Preliminary Model of End User Sophistication for Insider Threat Prediction in IT Systems
Magklaras GB, Furnell SM
Computers & Security, vol. 24, no. 5, pp371-380, 2005

Insider Threat Prediction Tool: Evaluating the probability of IT misuse
Magklaras GB, Furnell SM
Computers & Security, vol. 21, no. 1, pp62-73, 2002

Conference papers

The Insider Threat Prediction and Specification Language
Magklaras GB, Furnell SM
Proceedings of the Ninth International Network Conference (INC2012), Port Elizabeth, South Africa, July, ISBN: 978-1-84102-315-1, pp51-61, 2012

LUARM – An Audit Engine for Insider Misuse Detection
Magklaras GB, Furnell SM, Papadaki M
Proceedings of the Sixth International Workshop on Digital Forensics & Incident Analysis (WDFIA 2011), London, UK, ISBN: 978-1-84102-285-7, pp133-148, 2011

Insider Misuse Threat Survey: Investigating IT misuse from legitimate users
Magklaras GB, Furnell SM
Proceedings of the 5th Australian Information Warfare & Security Conference, Perth, Western Australia, 25-26 November, CDROM, pp42-51, 2004

Security Vulnerabilities and System Intrusions: The need for Automatic Response Frameworks
Papadaki M, Magklaras GB, Furnell SM, Alayed A
Proceedings of the IFIP 8th Annual Working Conference on Information Security Management & Small Systems Security, Las Vegas, 27-28 September, 2001

A Generic Taxonomy for Intrusion Specification and Response
Furnell SM, Magklaras GB, Papadaki M, Haskell-Dowland PS (Dowland PS)
Proceedings of Euromedia 2001, Valencia, Spain, 18-20 April, 2001

Contributions to edited books

Insider Threat Specification as a Threat Mitigation Technique
Magklaras GB, Furnell SM
in "Insider Threats in Cyber Security", Probst, Christian W.; Hunker, Jeffrey; Gollmann, Dieter (Eds.), Springer, ISBN 978-1-4419-7132-6, 244pp, 2010

Posters

Advanced Authentication and Intrusion Detection Technologies
Haskell-Dowland PS (Dowland PS), Furnell SM, Magklaras GB, Papadaki M, Reynolds PL, Rodwell PM, Singh H
Poster presentation at Britain's Younger Engineers in 2000, House of Commons, London, 4 December, 2000
