
Graduate student: 羅煜賢 (Yu-Hsien Lo)
Thesis title: Insider Threat Detection Based on User's Capability and Opportunity with Reliable Evidence (Chinese title: 基於使用者能力與可能性來偵測內部威脅的可靠證據)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 林豐澤 (Feng-Tse Lin), 鄧惟中 (Wei-Chung Teng), 鄭欣明 (Shin-Ming Cheng), 毛敬豪 (Ching-Hao Mao)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science (電資學院 - 資訊工程系)
Year of publication: 2018
Academic year of graduation: 106
Language: English
Pages: 69
Chinese keywords: Information security; insider threat
Foreign keywords: Insider Threat, Theft of Intellectual Property
Usage: 169 views, 17 downloads
Abstract (Chinese, translated):

Insider threats are actions carried out by employees who already have access to confidential documents, which makes it hard for an organization to tell normal behavior from abnormal behavior. In recent years researchers have commonly used machine learning algorithms to build a baseline and detect anomalous user behavior: a behavior that deviates too far from the baseline is flagged as anomalous. However, an insider can deceive the learning model by performing extra activities so that the algorithm learns a wrong baseline.

This thesis proposes a framework called HoneyDeception, which detects insiders who steal intellectual property based on the Fraud Diamond Theory and the MOC model; the elements of both theories include Capability and Opportunity. An enterprise should set up a trap, and the trap is an opportunity that the user has the capability to notice. The design of the framework also combines Deception Technology with the concept of avoiding Perverse Incentives. Deception technology reduces the volume of logs produced, because normal users never touch the decoy, while avoiding perverse incentives lowers the chance that the insider goes looking for other behaviors the defender cannot handle.

HoneyDeception blocks every action by which a user could move a confidential document from the authorized area to the unprotected area, such as copy-and-paste and upload to the cloud, but leaves open one opportunity to take data out. In this thesis that opportunity is the screen-capture function, so screen capture becomes the only remaining way for an insider to take data out using the computer. HoneyDeception inspects the contents of the system clipboard and records the image whenever the content is in an image format; when data is transmitted externally, it records the images the user sends. The records of these two modules are then used to decide whether a confidential document was really carried out. The framework also removes the insider's excuse of carelessness, because the user needs at least two steps to transfer anything from the authorized area to the outside.


Abstract (English):

Insider threats are carried out by employees who already have the privilege to access confidential documents, so it is difficult for the defender to be aware of the differences between normal and abnormal behaviors. Most researchers address the theft of intellectual property (IP) by using machine learning algorithms to create a baseline before detecting abnormal behavior executed by the users. However, an insider can cheat the learning model into a wrong baseline beforehand by doing extra activities. In this paper, we propose a framework, called HoneyDeception, which focuses on the theft of IP based on fraud diamond theory and the MOC model. Moreover, we adopt deception technology and the perverse incentive concept in our framework. The trap of the framework restricts the behavior of insiders but leaves a door (i.e., an opportunity) for insiders to pass through. It prevents all actions that move confidential documents from the authorized area to the non-protected area, except that the "Print Screen" command is allowed to the users. We record the content of the clipboard produced by "Print Screen" events and record the files containing the image transmitted by the users. Because HoneyDeception requires two steps to transfer a document from the authorized area to the external area, it prevents the insider from giving unintentional excuses for violating intellectual property.
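The abstract describes two recording modules (clipboard capture and outbound transfer) whose records are combined into evidence. The following Python sketch is an added example, not code from the thesis: it reconstructs that correlation on constructed clipboard and egress events. The event classes, the `IMAGE_FORMATS` set, matching images by the SHA-256 of their bytes and the 24-hour window are all my assumptions; the thesis does not state how it matches images.

```python
"""
Added illustration of HoneyDeception's two-module evidence correlation.
Module 1 watches the clipboard and keeps only image-format content (the
result of a Print Screen); module 2 records every file that leaves the host.
An alert needs the same image in both logs for the same user, capture first,
so a single accidental step never produces an alert by itself.
Every event below is constructed sample data, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
from typing import List, Tuple

# Clipboard content types treated as a screen capture (assumed set).
IMAGE_FORMATS = {"image/png", "image/bmp", "image/jpeg"}


@dataclass(frozen=True)
class ClipboardEvent:
    time: datetime
    user: str
    mime: str        # content type the OS reports for the clipboard
    payload: bytes   # raw clipboard bytes


@dataclass(frozen=True)
class EgressEvent:
    time: datetime
    user: str
    destination: str  # mail recipient, cloud host, USB volume, ...
    payload: bytes    # bytes of the file transmitted


@dataclass(frozen=True)
class ImageRecord:
    time: datetime
    user: str
    digest: str       # sha256 of the image bytes


def record_clipboard(events: List[ClipboardEvent]) -> List[ImageRecord]:
    """Module 1: log only image-format clipboard content.  Text is ignored
    because copy-and-paste out of the authorized area is already blocked."""
    return [ImageRecord(e.time, e.user, sha256(e.payload).hexdigest())
            for e in events if e.mime in IMAGE_FORMATS]


def record_egress(events: List[EgressEvent]) -> List[Tuple[datetime, str, str, str]]:
    """Module 2: hash every file that leaves the host."""
    return [(e.time, e.user, e.destination, sha256(e.payload).hexdigest())
            for e in events]


def correlate(captures, transfers, window=timedelta(hours=24)):
    """Reliable evidence: the same user captured an image and later sent the
    identical bytes within `window`.  Returns (user, capture_time, send_time,
    destination) tuples, one per matching transfer."""
    alerts = []
    for send_time, user, dest, digest in transfers:
        for cap in captures:
            if (cap.user == user and cap.digest == digest
                    and timedelta(0) <= send_time - cap.time <= window):
                alerts.append((user, cap.time, send_time, dest))
                break
    return alerts


# --- constructed sample telemetry ---------------------------------------
T0 = datetime(2018, 6, 1, 9, 0, 0)
SCREENSHOT = b"\x89PNG constructed screenshot of a confidential document"
SLIDE_IMAGE = b"\x89PNG constructed image of a public slide"
REPORT_PDF = b"%PDF constructed public report"

SAMPLE_CLIPBOARD = [
    # plain text on the clipboard is not recorded
    ClipboardEvent(T0, "alice", "text/plain", b"quarterly numbers"),
    # alice takes a screen capture inside the authorized area
    ClipboardEvent(T0 + timedelta(minutes=5), "alice", "image/png", SCREENSHOT),
    # bob captures a public slide
    ClipboardEvent(T0 + timedelta(minutes=7), "bob", "image/png", SLIDE_IMAGE),
]

SAMPLE_EGRESS = [
    # alice sends the captured image outside: capture + transfer = alert
    EgressEvent(T0 + timedelta(minutes=30), "alice", "mail:external@example.com", SCREENSHOT),
    # bob sends a file that never passed through the clipboard: no alert
    EgressEvent(T0 + timedelta(minutes=40), "bob", "cloud:drive.example", REPORT_PDF),
]


def run_demo():
    """Run both modules over the sample data and return the alerts."""
    captures = record_clipboard(SAMPLE_CLIPBOARD)
    transfers = record_egress(SAMPLE_EGRESS)
    return correlate(captures, transfers)


if __name__ == "__main__":
    for user, captured, sent, dest in run_demo():
        print(f"ALERT {user}: captured {captured:%H:%M}, sent to {dest} at {sent:%H:%M}")
```

Matching on an exact digest is the simplest choice and is brittle whenever the image is re-encoded between capture and transfer; a production implementation would compare a perceptual hash of the image instead, and would also log which monitored document was on screen at capture time so the alert carries the classification of what was captured.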

Table of contents:
Chinese Abstract, p. i
ABSTRACT, p. iii
1 Introduction, p. 1
1.1 Related Work, p. 2
1.2 Motivation, p. 6
1.3 Challenges and Goals, p. 8
1.4 Contributions, p. 9
1.5 Outline of the Thesis, p. 11
2 Background, p. 12
2.1 Insider Threat, p. 12
2.1.1 IT Sabotage, p. 13
2.1.2 Fraud, p. 13
2.1.3 Theft of Intellectual Property, p. 14
2.2 User and Entity Behavior Analysis Approach, p. 15
2.3 Data Loss Prevention Approach, p. 16
2.4 Deception Technology, p. 16
2.5 Perverse Incentive, p. 17
3 Description of HoneyDeception, p. 18
3.1 Environment, p. 18
3.2 HoneyDeception's Strategy, p. 20
3.3 System Architecture, p. 23
4 Experiments & Results, p. 27
4.1 Implementation, p. 28
4.2 Compared Other Approaches with HoneyDeception, p. 30
4.2.1 Simulation of DLP Approach, p. 30
4.2.2 Simulation of UEBA Approach, p. 33
4.2.3 Simulation of HoneyDeception Approach, p. 35
4.2.4 Simulation Results, p. 39
4.3 Case Studies, p. 46
5 Conclusions and Further Work, p. 49
5.1 Conclusions, p. 49
5.2 Further Work, p. 51

