Novel Method for Insider Threat Detection

Ina Weiner


Prof. Ina Weiner Emeritus

While cyberattacks are typically connected with outsiders’ attacks, it is becoming increasingly recognized that an equally great threat to an organization’s security lies within.   Traditional IT security tools are ineffective for insider threats because they are designed to protect the perimeter, primarily stopping attackers from gaining access. More recently, big data analytics, and behavioral analytics in particular, has become an essential tool for security monitoring.  However, what is overlooked is that most malicious insiders do not exhibit suspicious activities. Rather, “insider misuse occurs within the boundaries of trust necessary to perform normal duties.”

I propose to develop a novel approach for detecting malicious insiders’ activity, namely, an unobtrusive monitoring, by means of a standard webcam, of changes in pupil size, an involuntary response that is produced when people are aroused, stressed and/or recruit their attentional and cognitive resources, as is the case when they are performing illicit acts. Pupil size is under the control of the autonomic nervous system (along with other involuntary functions such as heart rate and perspiration), which by constricting or dilating the pupil’s diameter, regulates the amount of light entering the eye. The sympathetic branch, known for triggering "fight or flight" responses when the body is under stress, induces pupil dilation, whereas the parasympathetic branch, known for "rest and digest" functions, causes constriction. But pupils respond not only to light. Hundreds of psychological experiments have shown that pupil dilation accompanies arousal, cognitive effort and load, attention, recruitment of executive control, and emotions. The unique advantage of the pupillary response is that it is universal, and cannot be controlled voluntarily. Therefore, an unobtrusive measurement of pupil size is a perfect candidate for detecting a change in emotional arousal and cognitive effort that cannot be suppressed deliberately, and using this signal for alerting the system of a potential threat. Of course, people become aroused, stressed and attentive not only when they perform illicit activities. Therefore, the pupillometry-based alerting system will be activated under two conditions: 1. automatically at random times to obtain and store baseline measurements against which anomalies will be evaluated and 2. when an employee logs in to malicious activity-sensitive target systems defined by the organization. Examination of the logs during the time of alert will enable an immediate decision of whether a malicious activity has been performed.

Windows 10 Hello with Intel Real Sense 3D camera system includes algorithms for user recognition based on fingerprints, facial recognition and iris scanning technologies. If such cameras become standard, they could be programmed for pupillometry.

In summary, to date, there is no method for monitoring pupil size using a standard web camera in real time. The development of such a method is the aim of this exploratory proposal.

Tel Aviv University, P.O. Box 39040, Tel Aviv 6997801, Israel
UI/UX Basch_Interactive