Insider threat mitigation models based on thresholds and dependencies

Insider threat causes great damage to data in any organization and is considered a serious issue. In spite of the presence of threat prevention mechanisms, sophisticated insiders still continue to attack a database with new techniques. One such technique which remains an advantage for insiders to attack databases is the dependency relationship among data items. This thesis investigates the ways by which an authorized insider detects dependencies in order to perform malicious write operations. The goal is to monitor malicious write operations performed by an insider by taking advantage of dependencies. A term called 'threshold' is associated with every data item, which defines the limit and constraints to which changes could be made to a data item by a write operation. Having threshold as the key factor, the thesis proposes two different attack prevention systems which involve log and dependency graphs that aid in monitoring malicious activities and ultimately secure the data items in a database. The proposed systems continuously monitors all the data items to prevent malicious operations, but the priority is to secure the most sensitive data items first, since any damage to them can hinder the functions of critical applications that use the database. By prioritizing the data items, delay in the transaction execution time is reduced in addition to mitigating insider threats arising from write operations. The developed algorithms have been implemented on a simulated database and the results show that the models mitigate insider threats arising from write operations effectively.