A Framework for Data-Driven Physical Security and Insider Threat Detection
Vasileios Mavroeidis, Kamer Vishi, Audun Jøsang

TL;DR
This paper introduces PS0, an ontological framework that enhances physical security and insider threat detection through rule-based anomaly detection and security provenance analysis, improving forensic capabilities and organizational security posture.
Contribution
The paper presents PS0, a novel ontological framework that integrates forensic data analysis, anomaly detection, and security provenance to improve physical security and insider threat detection.
Findings
PS0 effectively reconstructs attack patterns using provenance graphs.
PS0 enhances detection of insider threats through rule-based anomaly detection.
Validation shows PS0 improves security posture in real-world use cases.
Abstract
This paper presents PS0, an ontological framework and a methodology for improving physical security and insider threat detection. PS0 can facilitate forensic data analysis and proactively mitigate insider threats by leveraging rule-based anomaly detection. In all too many cases, rule-based anomaly detection can detect employee deviations from organizational security policies. In addition, PS0 can be considered a security provenance solution because of its ability to fully reconstruct attack patterns. Provenance graphs can be further analyzed to identify deceptive actions and overcome analytical mistakes that can result in bad decision-making, such as false attribution. Moreover, the information can be used to enrich the available intelligence (about intrusion attempts) that can form use cases to detect and remediate limitations in the system, such as loosely-coupled provenance graphs…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Digital and Cyber Forensics
