Detecting data misuse by applying context-based data linkage

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

14 Scopus citations


Detecting data leakage/misuse poses a great challenge for organizations. Whether caused by malicious intent or an inadvertent mistake, data leakage/misuse can diminish a company's brand, reduce shareholder value, and damage the company's goodwill and reputation. This challenge is intensified when trying to detect and/or prevent data leakage/misuse performed by an insider with legitimate permissions to access the organization's systems and its critical data. In this paper we propose a new approach for identifying suspicious insiders who can access data stored in a database via an application. In the proposed method suspicious access to sensitive data is detected by analyzing the result-sets sent to the user following a request that the user submitted. Result-sets are analyzed within the instantaneous context in which the request was submitted. From the analysis of the result-set and the context we derive a "level of anomality". If the derived level is above a predefined threshold, an alert can be sent to the security officer. The proposed method applies data-linkage techniques in order to link the contextual features and the result-sets. Machine learning algorithms are then employed for generating a behavioral model during a learning phase. The behavioral model encapsulates knowledge on the behavior of a user; i.e., the characteristics of the result-sets of legitimate or malicious requests. This behavioral model is used for identifying malicious requests based on their abnormality. An evaluation with sanitized data shows the usefulness of the proposed method in detecting data misuse.

Original languageEnglish
Title of host publicationProceedings of the 2010 ACM Workshop on Insider Threats, Insider Threats '10, Co-located with CCS'10
Number of pages9
StatePublished - 20 Dec 2010
Event2010 ACM Workshop on Insider Threats, Insider Threats '10, Co-located with CCS'10 - Chicago, IL, United States
Duration: 4 Oct 20108 Oct 2010

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221


Conference2010 ACM Workshop on Insider Threats, Insider Threats '10, Co-located with CCS'10
Country/TerritoryUnited States
CityChicago, IL


  • data leakage
  • data misuse
  • information leakage
  • insider threat


Dive into the research topics of 'Detecting data misuse by applying context-based data linkage'. Together they form a unique fingerprint.

Cite this