PROTECTION AND PREVENTION AGANIST
“INSIDER”,THE MOSTLY COST TYPE OF
ATTACK
P. Varsha Suresh
Computer Science And Engineering Computer Science And Engineering
Sree Buddha College of Engineering Sree Buddha College of Engineering
Pattoor, India
varsha2361995@gmail.com
Abstract—An Information security threat involves an effort to
acquire, modify, demolish, detach, insert or disclose knowledge
without approved access or sanction is an attack. It happens
to both individual users as well as to administration. Internet
security prevents attacks targeted at browsers, network and
other applications. Cyber attack or cyber threat is an effort
used to harm computers, steal data, or hacked computer system
is used to start further attacks. Cyber Security is the condition
or action of safeguarding and retrieving web, appliance and
applications from any type of cyberattack. External as well
as Insider are two most common cyber attack. Insider attack
is most costly type of attack and hard to detect as well as
prevent. An insider attack is a malicious attack penetrated on
a computer system by a person with authorized system access.
From the evolution of cyber space, It is evident that internal
cyber attack is most dangerous attack which is very difficult to
identify and prevent.It is very much difficult to separate
ordinary user behavior from insider attacks than the outer ones.
Insider as distinct advantages over outsider,since they are aware
of system architecture. According to the reports of cyber security
53% of organizations and 42% of U.S. federal agencies are
suffering from insider attack. Many novel approach are
implemented to prevent insider attack. This paper reviews
existing different insider threat detection mechanisms and
evaluate their performance. The variety of different approach is
used to prevent the internal cyber threat.
Index Terms—Cyber Security, Cyber Attack, Insider Attack,
External Attack.
I. I NTRODUCTION
Securing information from unauthorized access is known
as information Security. The practice of stopping the disclo-
sure, disruption, modification, inspection and destruction of
information without knowledge of user. Information can be
anything like user’s details, profile on social media, data in
mo- bile phone or biometrics etc. Authentication and
authorization are essence of information security.
Authentication does the duty of confirming a person’s identity
while authorization does the work of providing appropriate
privileges to an individual after verifying the person’s identity.
Cyber Security is the approach of technologies to check and to
safeguard systems, networks, devices and data from cyber
attacks. A cyber attack can illegally damage computers, steal
data, or use a breached
threats have been an issue for companies long back, but they
have gain more strength after the system gotten increasingly
interconnected. The study sponsored by Ponemon Institute
Ms. Minu Lalitha Madhavu
Pattoor, India
minulalitha@gmail.com
computer as a starting point for other attacks. Cyber Security
is the state of safeguarding and recovering computer system
from any type of cyber attack. Cyber attack can be divided in
to insider as well as outsider attack. There are different type
of cyber attack such as Phishing, Manin-the-middle attack,
Denial-of-service attack etc. According to the evolution of
cyber space Insider attack is the most promising attack faced
by user’s in today’s world. A threat that originates inside
the industry or government firms, and causes exploitation
is known as internal Cyber threat or internal cyber attack.
Insiders that perform attacks have a dominance over external
attackers because they have approved system access and also
may be familiar with web architecture and system guidelines.
Moreover, there may be fewer safety against internal cyber
attacks because many firm focal point is on protection from
exterior attacks. Source of attack or behavior of attack are
used to classify security attack. Source defines the place from
which attack originate and behavior defines the aggressive
behavior which leads to forceful access of data. Attacks are
classified as insider or external attack in case of the former
and in the case of the latter, they are classified as active or
passive attacks. External attack originate from the outside the
organization and some of the important external attack are
network security attacks, physical security attacks, etc. A
malicious attack caused by an individual within the
organization is known as insider Insider may be a current
working employee , a former employee or a business
associate. Whereas, Active attack has more importance over
passive attack as it tries to modify the content of the
messages. In case of Passive attack, an attacker observes the
messages or it’s content and subsequent retransmission takes
place.
According to cyber security report , 25% of all the attacks to
organizations are due to insider and their number is increasing
day by day. It is very much importance in the current era .
According to recently published report of IBM, because of
COVID- 19, 53% of employees are working from their home
using personal laptops and 61% employees haven’t provide
tools to properly secure those devices. Which leads to loss of
secure data and it is done by a known person. Actually insider
which was sponsored by IBM explains that insider-related
incidents costs $4.3 million in year 2016. According 2018, cost
for these internal cyber attacks was $8.7 million. This is the big
take away and the data breach cost is trending upwards both in
the US as well as globally. In 2019 also the number of attacker
is increasing tremendously , which leads to increasing in lose
that was faced by organization. Same time user’s or each
individual may effected by insider attack or an internal friend
who behave as an attacker. User’s personal information or
credentials are traced by the attacker with out the knowledge
of user. As a result, the user may also face many problems
such as lose of money or their personal properties etc.
Different techniques are introduced prevent insider and their
harmful attack.
The contributions in this paper are as follows. Section 2
provides an overview of Insider Cyber Attack Section 3
explains different techniques used for detection of Insider
Attack. Section 4 illustrates the theoretical analysis performed
between the different techniques. Section 5 concludes the
paper.
II. OVERVIEW OF INSIDER ATTACK
Attack that originates inside the industry or government
firms, and causes exploitation is known as internal Cyber
threat or internal cyber attack. Insiders have dominance over
external attackers because they have permitted system access
and also be familiar with the architecture of network as well
as system procedures. Moreover, It has less security against
insider attacks when compared with external attack.
Types of Insider Attack are:
• Malicious insider - A Turncloak, who maliciously and
intentionally abuses credentials such as Password , to
steal information for financial or personal reason.
• Careless insider - An innocent user who unknowingly
reveal the system to outside threats. It is common type of
insider threat that arises from mistakes, such as keeping
a device expose. Careless insider may arises when an
employee unknowingly click an insecure link, affecting
the system with malware.
• A mole - A person who is actually an outsider but behave
as an insider to gain access to a privileged network.
Actually the outsider impersonate as a worker in the
organization.
An insider threat is one of the most expensive types of attacks
and hardest to detect. It mainly occur inside the organization
by peer worker or colleague with our knowledge. An employ
change in to insider due to dissatisfaction in his work. Due
to avoidance of promotion or unnecessary cutting of income
will change their mind. Some times, company may not provide
employee proper reward or sudden termination may lead the
path to an insider. This circumstance of worker is usually used
by other agencies to make him insider.
III. DIFFERENT TECHNIQUES USED FOR INSIDER
ATTACK DETECTION
Different techniques which are used to train the dataset used
for insider detection and used for the precise division of data
in to the action performed by normal user or the attackers.
A. To detect insider attacks at SC level by using data mining
and forensic techniques
Firewalls and intrusion detection systems (IDSs) usually
safeguard or protect against external attacks compared to
insider attack, since insider attack is difficult to detect.
Internal Intrusion Detection and Protection System (IIDPS) a
new security system, which identify malicious behaviors starts
toward a network at SC level.The IIDPS, as shown in Figure
1, which include elements such as SC monitor and filter, a
mining server, a detection server, a local computational grid,
and three repositories, such as log files of user, Profiles of
user, and an attacker profile. The two element SC monitor and
filter, act as a loadable module embedded in the system being ,
System Call (sc) submitted to the kernel are captured and
system call are saved in the format of uid, pid, SC submitted
by the user. They stores the inputs of user in the user’s log file,
the file consist of SCs passed by individual use with regard to
their submitted sequence.The user’s computer usage habits are
identified by the mining server using data mining techniques
to analyze log data, which is stored in user’s user profile. In
order to compare the user’s behavior patterns with the
particular SC- patterns collected in the attacker profile a new
entity called detection Server is used. Attackers patterns as
well as those in user profiles are compared to detect malicious
behaviors. The detection server create alert and warn SC
monitor,when an intrusion is discovered and filter is used to
isolate individual users from the protected system.
Aim is used to prevent insider from continuously attacking the
system. In case, when a user enter in to the system by using
another individual personal credentials, at this point IIDPS
identifies who the entered user by calculating the similarity
scores between current inputs of user. In the IIDPS, SCs
prevented it to be used by different clusters of users in the
corresponding system. It also show whether NCSu includes
includes attack created by particular attacker, it determine
whether “u” is the account holder. After computing the sim-
ilarity scores if the attacker profile decisive rate is higher, it
ends up to a decision that it is an attacker and a system log
alert message is produced. Of course, if the declared attacker
is not Internet user, some important entity such as a trace-
back system or other identification systems are used. It shows
a division between internal intruder from normal user [1].
B. Detected by utilizing the replication of data on various
nodes in the system.
The attack determining model is based on misuse of pro-
gram information, which is performed by system admin on a
big data platform. The motive of an insider who perform the
attacks can vary from personal revenge to matter of financial
needs.

Fig. 1. IIDPS system framework
The main aim to point out control-flow susceptibility in the
programs that can be utilize by the internal attacker. The
proposed approach uses a safe and secure communication
protocol and a two stage harmful action detection algorithm.
The first and foremost step in the attack detection algorithm
is profiling of process as shown in Figure 2, that is conducted
individually at each node to identify possible attacks. In the
next stage matching of hash is used, which is performed by
copy of nodes to finalize about the authenticity of a different
attack.
The proposed system is a blend of security modules which
are independent can work together and situated on particular
system nodes or junction. It uses secure and safe protocol
which is used for communication for sharing data packets
with their neighbours. All information passed by any junction
using this safe transmission channel is encipher using Private
key encryption . The corresponding public key will be passed
with all other duplicate junction that a data node need to com-
municate. All incoming packets to a node will be enciphered
using public key which is used currently and corresponding
private key can be used for deciphering. Information about
decryption can be be sent to the process matching module to
correctly identify different attacks.
After every T time, fresh public-private key is used for
communication with duplicate node n. The private key will be
used for deciphering incoming information and a key which is
public is also transmitted. Private keys are stored in an array
for accessing it easily. In big data cluster,the algorithm will
run in analyzer module of all machines. Each and every
process output, procnew is captured by the analyzer module.
Procnew is analysed line by line and individual instruction
is related to control flow instructions in the the processor
architecture. For this work, we used only the most prominent
control flow instructions of Intel’s x86 architecture. Fixed
length hash outputs are joined together as hashhashes and then
Fig. 2. Proposed System Architecture for Detecting Insider Attacks in Big
Data Systems
after combining they are rehashed to create final hash which
is called msg that represents the program.In hash matching an
algorithm for detecting attack is used. The local version of the
same string will be contrast against the hashhashes(receivedp)
to find similarity between two hash ( local and received ). The
output of hash matching is transferred as confirmation to the
coordinator node. In case of a perfect match of hashes the
confirmation will be safe and secure and unsafe otherwise. In
case of coordinator node get responses from all the recipients.
Safe or unsafe message is passed by the worker node. Number
of safe responses count matches with the number of nodes in
the replica set, the coordinator node believe that there is no
malicious action in the current process and resets the attack
variable otherwise attack variable is set and the master node is
made aware about the possibility of an attack in process [2].
C. Selective Jamming/Dropping Insider Attacks in Wireless
Mesh Networks
Wireless mesh networks(WMNs) consist of a two-layer
network architecture. The first tier constitute of the stations
(STAs), also mentioned as end users, these are connected
to mesh nodes directly, referred to as mesh access points
(MAPs).Peer-To-Peer network of the MAPs act as second tier.
Connectivity in the second stage consist of routers which are
intermediate known as mesh points (MPs), which interconnect
MAPs. MPs is fixed and uses different frequency bands to
transfer data and control information. Lastly, mesh gateways
(MGs) also provide connectivity to the wired infrastructure as
shown in Figure 3.
Selective jamming is used to prevent acceptance while trans-
mitting packet. Post reception mainly include selective drop-
ping. Wireless medium open nature make it it vulnerable to
jamming attacks. Anti-jamming approach consist of certain
kind of spread spectrum (SS), in which the signal is transmit-
ted across a large bandwidth using a pseudo-noise (PN) code.
Insiders who has the knowledge of commonly shared PN
codes have a chance to start jamming attacks. For starting a
channel- selective jamming attack , the opponent have
knowledge of location of targeted channel. Repeating control
information on multiple broadcast channels can counter
channel-selective jamming.
For protecting the control channel included in cluster, single
mesh node is used as the cluster head (CH). CH provides
cluster members a unique PN hopping sequences. If an insider

Fig. 3. Overview of insider threat detection method
use their personal PN sequence for jamming broadcast chan-
nel, CH has the capacity to identify it. CH updates all cluster
node with a fresh PN sequences, besides for the identified
malicious user or attacker.
One way to start a data-selective jamming attack by packets
classification before their transmission is finished.A possible
solution is by encrypting transmitted packets with a secure
key. This secret key is also known as inside jammer.
Encryption alone does not prevent insiders from classifying
packets that are broadcast. For that a packet must remain
hidden until it is entirely transmitted. Commitment schemes
can be used to hide transmitted packet. Transmitting node
hides the packet by passing a version which is committed in
the commitment approach. The content of packet is not known
by other. Finally a de-commitment value is passed when the
transmission is finished, shows the detail of original packet.
Public hiding transformations is another technique which is
used. All-or nothing transformations (AONTs) is an example.
An internal attacker can also drop packet [3].
D. Geo-Social Insider Threat Resilient Access Control
Frame-work (G-SIR)
To detect insider threats by using current and historic geo-
social information.Users’ geo-social behavior is used to deter-
mine those users whose behavior deviates from the expected-
patterns. Information is used to identify how trustworthy auser
is before granting access. The term ”role”may be subjectto
some constraints such as Spatial scope. Spatial scopedefines a
set of locations that can be activated by users. GeoSocial con-
straints indicate places where users cannot visitand people
they cannot frequently meet.Vicinity constraintsis used to
make restrictions on people who is at distancefrom the
requester at the time of an access. There are twotypes of
vicinity con-
straints that are inhibiting and enabling constraints.Inhibiting
constraints denote that a requested per-mission need not be
granted when certain inhibiting users arein the vicinity. These
constraints are used to avoid certainattacks, such as shoulder
surfing attacks.It is important to make sure that the enablers
and the requester are not colluding in order to avoid insider
attacks. Geo-social trace basedconstraints allow user to follow
a particular geo social path,then only he is authorized to
access a particular resource.Geo-social obligations are actions
that client need to satisfyafter they have been granted an
access.All monitoring and likelihood computations is present
in the Monitoring, Contextand Inference Module. The Access
Control Module carryAccess control decisions. To manage
the risk exposure, atthe time of policy specification, a utility
elicitation processshould be performed by system manager.
During this stage,costs of misuse of granting a malicious
access, denying a non-malicious access and profit of allowing
a non-malicious access are analyzed. Using this analysis, a
threshold thatdetermines the probability of attack is found.
According tothe risk management procedure, if the probability
of attack istoo high, the access is denied [4].
E. Addressing the DAO Insider Attack in RPL’s Internet of
Things Networks
In RPL routing protocol, the destination advertisement ob-
ject (DAO) which is a information used for control are passed
by the child nodes to their corresponding parents to produce
descending routes. A harmful insider node can utilize this
characteristics to send fraud DAOs to its parents periodically,
activate those parents to pass the fake messages to the root
node. This characteristics can have a harmful side effect on
the production of the network, power consumption can be
increased drastically, latency, and reliability can be reduce to
an extent.
RPL arrange its physical network into a shape of Directed
Acyclic Graphs (DAGs), If DAG is implant at a single
destination, then it is known as a Destination-Oriented DAG
(DODAG). To incorporate traffic pattern to upward, DODAG
should be constructed,topology centered at network root. The
manufacturing of the DODAG launch with the root multi-
casting control messages called DODAG Information Objects
(DIOs) that is passed to RPLs neighbors. An RPL node is
demonstrate as a available stopping place from the root. Most
important fact is that the passing of a DAO message by a
child node will trigger the transmission of several copies
of DAOs corresponding to the count of intermediate parent
nodes. An oponent can utilize this information to harm other
network continuously transmitting DAOs to its parent node.
In order to determine a DAO internal attack in RPL, a new
approach called SecRPL is used, that prevent the count of
forwarded DAOs by a parent. In fact, there are two opinion for
appling this restriction. Former is to regulate the total count of
transmitted DAOs regardless of the source node, the second
is to prevent the count of transmitted DAO per destination.
Second option is better compared to previous option and result
in preventing some DAOs coming from non malicious
junction

Fig. 4. Handshake-based MAC framework: 1. MAC control decision; 2.
Control communication; 3. Data communication; 4. Feedback from receiver
and network
or node. It may also leads to block DAOs of some nodes
and no effect to some others DAO. . In addition, parent node
maintain a counter with each child node in its sub-DODAG.
Incase, If the number of forwarded DAOs exceeds threshold
value, the parent discards any DAO message. It also make
clear that no node will be blocked due to the time factor, after
two consecutive DIOs, counter is reset . Mainly, when the
parent node pass a DIO message, all child node counter are
reset [5].
F. Securing Wireless Medium Access Control Against Insider
Denial-of-Service Attacks
An malicious user (attacker) who default the network can
start more harmful denial-of-service (DoS) attacks than a
External user by passing large amount reservation requests to
block the bandwidth.
SecureMAC is an approach used to protect against such
insider threats. It consist of four components such as
channelization which is used to block large reservations,
randomization method is used to counter reactive targeted
jamming, coor- dination perform duty to to prevent control-
message aware jamming and again over reserved and under-
reserved spec- trum should be solved and assignment of
power to find out each node’s contribution to the
particular power. Figure
4 demonstrate a general handshake-based MAC framework
where it denote how to send a packet, how the transmitter
shows a MAC-layer decision based on its observations and the
knowledge from previous transmission rounds. Save as well as
reserve the channels for data transmission. Reserved channels
is used for transmission of data packets and feedback is gain
from the receiver as well as the network
In wireless MAC, an internal attacker can carry out the
following actions that are more damaging than those from
an external users. False reservation injection means holding
the channel resources without operating them, false feedback
distribution consist of announcing wrong data to twist the
action on MAC control to the attacker’s favor , and MAC-
aware jamming where jamming is based up on to the received
control messages. False reservation hide bandwidth to actual
users and takes small insider resources and use network
resources out of proportion to attacker effort, it is more
efficient mistake than jamming. The goal of channelization
is to distribute spectrum bandwidth to each user proportional
according to their power capability, guarantee a specific power
spectral density. Channelization actions are made only once
per round.The coordination solve these problems by
enhancing the bandwidth allocation and the randomization
output solv- ing certain conflicting reservations and sharing
transmission to area that would otherwise be notutilized..
Finally, after each round of information transmission is over,
each junction carryout power attribution to calculate the count
of power contributed for communication of data by each
node [6].
G. Securing VPN from insider bandwidth flooding attack
The insider attack is launched by users residing within the
trusted zone of the VPN site. They are the legitimate users of
the VPN service. They can very easily attack the VPN service
through flooding packets. Protecting from an inside attacker
is considered to be more difficult as it is being intentionally
launched by users who have been trusted and authorized to use
the VPN service. This type of flooding attack disrupts the
VPN service to its other legitimate users. Most of the research
work on network security focuses on protecting network
perimeter from external attack even though inside attack is
more serious. The aim of this work is to add a bandwidth
control mechanism to control the bandwidth each user can
avail. The bandwidth control mechanism must ensure that the
packet through the reserved bandwidth is within the allowable
limit. If not, then the control mechanism has to rate limit it by
dropping packets from the flooding source so that the other
legitimate users are not adversely affected Virtual Private
Network ( VPN) is an encrypted connection over Internet
from a device to a network.It helps to transmit data from a
branch office to main office.
Flooding is a routing algorithm present in computer network
in which all arriving packet is passed through every other link
not on the link from which it has came.
VPN site 1 and VPN site 2, are connected to gateway routers
called customer edge (CE) as shown in Figure 5. CE1 and
CE2 are interconnected to provider edge (PE) routers PE1
and PE2. Bandwidth is actually maximum data transfer rate
over network. Customer Edge router ensure that bandwidth
allocated to VPN site is being fairly distributed among users
to avoid insider attack. It employs entropy based probabilistic
model at CE router to rate limit of insider attack traffic.
Entropy is used to measure the uncertainty. Entropy is used to
calculate deviation of user from normal use age [7].
 Fig. 5. Attack Packet Drop
H.Insider threat risk prediction based on bayesian network
Bayesian network is a graphical model based on probability,
consist of a number of variables via directed acylic graph
(DAG) is used to show conditional dependencies. The features
which used by the graph are technological aspects, Organiza-
tional impact and Human Factors as shown in Figure 6.
Information are collected from organization and particular
measure sealing to ensure insider threat breaches are kept
to minimum. Investment balance is the balance between in-
vestment in insider and outsider threat is key to understand
insider threat breaches. Detection level is the measurement
of how accurate detection system with regards to previous
insider attack. Security and privacy control include forensic
evidence, network as well as email logs. Organizational
Impact is the information related to the way in which
organization is structured and how insider threat breaches
are managed. Organizational impact deal with information like
security breaches, Structure , security policy as well as
employee work- related stress symptoms.
Security breaches include breaches that have occured histor-
ically with in the organization. Structure include information
about recruitment procedure, previous employment screening.
Security policy contain information related to organizational
security policy. The fragile link in an information security
chain is one and only human factors. It include motivation
which include motivation for showing misbehavior, Oppor-
tunity is the factors which is available to perform attack.
Capability include the power to do something by the fellow
being[8].
I. Motivation And Opportunity Based Model
Situational crime prevention theory (SCPT) opportunities
for misbehaviour is lowered to an extent.Social Bond Theory
Fig. 6. Framework for Insider Threat Risk Prediction
(SBT) can be used to help understand motivation to engage
in misbehaviour as shown in Figure 7. Raise in effort, risk
and lower the rewards, stimulation, keep away exempt are the
elements considered in SCPT. SBT pivot on mainly four fac-
tors such as organisation attachment, realtion with institution
or organisational , involve n a particular work, and personal
standard. Increase the effort is used to raise the amount of
effort which is taken to perform attack. Increase the risk is
used to increase amount of risk that is faced by the attacker,
when he/she do a malicious action which is harmful to
organization. It also reduce the excuse which made by worker
in doing mistake, since they fear to do it again. Reward which
the attacker get by doing mistake is also reduce drastically.
Social bond theory include attachment with the organization.
If their is any problem with the organization as well as worker,
chance of performing attack is more. Commitment with the
organization is also considered. If a person is commitment
with organization, he/she will not do any negative thing to the
organization. Workers involvement with the organization show
that whether he is an attacker or normal user. If user is
sensitive towards organization, he/she will not do any
malicious activity [9].
J. Insider Threat Detection Based on User Behavior Model-
ing and Anomaly Detection Algorithms
User behavior-modeling phase, each user’s behaviors are
converted in to daily activity summary, e-mail contents, and e-
mail communication network. Anomaly detection algorithm
consist of Gaussian density estimation (Gauss), Parzen win-
dow density estimation (Parzen), principal component
analysis (PCA) and K-means clustering (KMC) are algorithms
used for separation of pattern. gaussian density estimation
which is important anomaly detection algorithm is used
exhibit

Fig. 7. Framework for Insider Threat Risk Prediction
probability distribution of variable which distributed
randomly. Parzen window classification is used for density
estimation. It find a point of interest. Only the features inside
the window is considered to find which group the point of
interest is present. It is used to calculate output probability
when a point is given. Principal component analysis is used in
dimensionality reduc- tion for the reduction of noise or
unwanted data. Dimensional Reduction consist of feature
selection and feature extraction. PCA comes under feature
extraction in order to reduce noise or error. As the number of
feature decreases, processing will be fast. K-mean clustering is
an unsupervised algorithm does not have labelled data. Set of
data is put together in a group or cluster. cluster consist of
object which is similar in nature. K denote the number of
cluster or group.For best classification of data in to different
group, appropriate cluster need to find.The attack observation
model surrender at most 53.67% of the detection rate by only
tracking the top 1% of malicious or suspicious instances [10].
To detect insider threats by using current and historic
geosocial information.Users’ geo-social behavior is used to
de- termine those users whose behavior deviates from the
expected patterns. Information is used to identify how
trustworthy a user is before granting access. The term
”role”may be subject to some constraints such as Spatial
scope. Spatial scope defines a set of locations that can be
activated by users. Geo Social constraints indicate places
where users cannot visit and people they cannot frequently
meet.Vicinity constraints is used to make restrictions on
people who is at distance from the requester at the time of an
access. There are two types of vicinity constraints that are
inhibiting and enabling constraints.Inhibiting constraints
denote that a requested per- mission need not be granted when
certain inhibiting users are in the vicinity. These constraints
are used to avoid certain
internal Cyber threat or internal cyber attack. The need for
detection of insider and the approach used are mentioned in
the relevant literatures. A Comparative analysis on different
attacks, such as shoulder surfing attacks.It is important to
make sure that the enablers and the requester are not colluding
in order to avoid insider attacks. Geo-social trace based
constraints allow user to follow a particular geo social path,
then only he is authorized to access a particular resource. Geo-
social obligations are actions that client need to satisfy after
they have been granted an access.All monitoring and
likelihood computations is present in the Monitoring, Context
and Inference Module. The Access Control Module carry
Access control decisions. To manage the risk exposure, at
the time of policy specification, a utility elicitation process
should be performed by system manager. During this stage,
costs of misuse of granting a malicious access, denying a non-
malicious access and profit of allowing a non-malicious
access are analyzed. Using this analysis, a threshold that
determines the probability of attack is found. According to
the risk management procedure, if the probability of attack is
too high, the access is denied [10]. To detect insider threats
by using current and historic geosocial information.Users’
geo-social behavior is used to determine those users whose
behavior deviates from the expected patterns. Information is
used to identify how trustworthy a user is before granting
access. The term ”role”may be subject to some constraints
such as Spatial scope. Spatial scope defines a set of locations
that can be activated by users. Geo Social constraints indicate
places where users cannot visit and people they cannot fre-
quently meet.Vicinity constraints is used to make restrictions
on people who is at distance from the requester at the time
of an access. There are two types of vicinity constraints that
are inhibiting and enabling constraints.Inhibiting constraints
denote that a requested permission need not be granted when
certain inhibiting users are in the vicinity. These constraints
are used to avoid certain attacks, such as shoulder surfing
attacks.It is important to make sure that the enablers and the
requester are not colluding in order to avoid insider attacks.
Geo-social trace based constraints allow user to follow a
particular geo social path, then only he is authorized to access
a particular resource. Geo-social obligations are actions that
client need to satisfy after they have been granted an
access.All monitoring and likelihood computations is present
in the Monitoring, Context and Inference Module. The Access
Control Module carry Access control decisions. To manage
the risk exposure, at the time of policy specification, a utility
elicitation process should be performed by system manager.
During this stage, costs of misuse of granting a malicious
access, denying a non-malicious access and profit of allowing
a non-malicious access are analyzed. Using this analysis, a
threshold that determines the probability of attack is found.
According to the risk management procedure, if the
probability of attack is too high, the access is denied [10].
IV. CONCLUSION
Several Insider Attack detection Mechanisms proposed by
various researches have been reviewed and discussed in rele-
vant sections. A threat or attack that emerge inside the
industry or government firms, and causes exploitation is
known as
insider attack detection mechanisms based on several factors
had also been done. According to evolution of cyber space,
insider attack is the most promising attack faced by people of
today’s world. Detection mechanism can prevent insider up to of Sree Buddha College of Engineering. She has published
an extent. around 25 research papers in reputed international journals.
Her main areas of research focus on Network and Security.
She has more than 14 years of experience as Assistant
Professor in Computer Science at Sree Buddha College Of
Engineering.
ACKNOWLEDGEMENT
This research was supported by Dr. K Krishnakumar, the
head of the institution. We would also like to show gratitude
to the head of our institution, Dr. S.V. Annlin Jeba for sharing
her pearls of wisdom with us during the course of research.
We thank our colleagues from Sree Buddha College Of
Engineer- ing who provided insight and expertise that greatly
assisted us although they may not agree with all of the
interpretations and conclusion of the paper.

REFERENCES
[1]Fang-Yie Leu, Kun-Lin Tsai, Member, IEEE, Yi-Ting Hsiao, and Chao-
Tung Yang , “An Internal Intrusion Detection and Protection System
by Using Data Mining and Forensic Techniques,”IEEE SYSTEMS
JOURNAL, 2015.
[2]Santosh Aditham and Nagarajan Ranganathan, “A System Architecture
for the Detection of Insider Attacks in Big Data Systems ,” IEEE
Transactions on Dependable and Secure Computing, 2017.
[3]Loukas Lazos and Marwan Krunz, ” Selective Jamming/Dropping In-
sider Attacks in Wireless Mesh Networks,”Scopus Indexed
Journal,2011.
[4]Nathalie Baracaldo, Balaji Palanisamy, and James Joshi, “G-SIR: An
Insider Attack Resilient Geo-Social Access Control Framework ,”IEEE
Transactions on Dependable and Secure Computing, 2017.
[5]Baraq Ghaleb, Ahmed Al-Dubai, IEEE, Elias Ekonomou , Mamoun
Qasem, Imed Romdhani , and Lewis Mackenzie, “Addressing the DAO
Insider Attack in RPL’s Internet of Thing,” IEEE COMMUNICATIONS
LETTERS, VOL. 23, NO. 1, JANUARY 2019.
[6]Sang-Yoon Chang, Member, IEEE, and Yih-Chun Hu, Member, IEEE,
“SecureMAC: Securing Wireless Medium Access Control Against In-
sider Denial-of-Service Attacks,” IEEE Transactions on Mobile Com-
puting ,2016.
[7]Saraswathi Shunmuganathan a,* , Renuka Devi Saravanan b , Yogesh
Palanichamy c , “Securing VPN from insider and outsider bandwidth
flooding attack ,” Elsevier journal , 2020.
[8]Nebrase Elmrabit a, , Shuang-Hua Yang b , Lili Yangc , Huiyu Zhou,
“ Insider Threat Risk Prediction based on Bayesian Network,” Elsevier
Journal on Computers and Security, 2020.
[9]Nader Sohrabi Safaa,b, , Carsten Maplea , Tim Watsona , Rossouw Von
Solms, “ Motivation and opportunity based model to reduce information
security insider threats in organisations,” Journal of Information
Security and Applications , 2017.
[10]Junhong Kim, Minsik Park, Haedong Kim, Suhyoun Cho and Pilsung
Kang , “ Insider Threat Detection Based on User Behavior Modeling
and Anomaly Detection Algorithms ,” Appl. Sci., 2019.

Ms. P. Varsha Suresh has completed B.Tech (CSE) from Sree

Buddha College Of Engineering, Elavumthitta in 2018 and is
currently pursuing M.Tech (CSE) from Sree Buddha College
of Engineering, Pattoor.
Mrs. Minu Lalitha Madhavu pursued Bachelor of Technol-
ogy from Rajiv Gandhi Institute of Technology (RIT). She
received her Master’s degree in technology management from
Kerala University. She is currently working as an Assistant
Professor in Computer Science and Engineering department