Simulating Malicious Insiders in Real Host-Monitored User Data

Our task is to produce test data for a research program developing a new generation of insider threat detection technologies. Test data is created by injecting fictional malicious activity into a background of real user activity. We rely on fictional narratives to specify threats that simulate realistic social complexity, with “drama as data” as a central organizing metaphor. Test cases are scripted as episodes of a fictional crime series, and compiled into time-series data of fictional characters. Users are selected from background to perform the role of fictional characters that best match their real-world roles and activities. Fictional activity is blended into the activity of real users in the cast. The cast and unmodified background users perform dramas in test windows: performances are test cases. Performances by different casts of users, or by the same cast of users in different test windows, constitute distinct test cases.