Towards a Cyber Ontology for Insider Threats in the Financial Sector

Insider attack has become a major threat in financial sector. Currently, there is no insider threat ontology in this domain and such an ontology is critical to developing countermeasures against insider attacks which are very serious and pervasive security problems. In this paper, we offer a methodology to categorize insider attack suspicions using an ontology we create, which focuses on insider attacks in the banking domain targeting database systems. The scheme we propose takes a suspicion alert as input that triggers the ontology mechanism to analyze the chronology of the events. Our model formulates the ordinary processes that take place in a financial organization and systematically evaluate events in a sequential order. To create the ontology, we use a top-down analysis approach to define a taxonomy and identify the relationships between the taxonomy classes. The ontology is mapped onto the Suggested Upper Merged Ontology (SUMO), Friend of a Friend (FOAF) and Finance ontologies to make it integrable to the systems that use these ontologies and to create a broad knowledge base. It captures masquerade, privilege elevation, privilege abuse and collusion attacks and can be extended to any other novel attack type that may emerge. It classifies an attack using the knowledge base provided and the missing relationships between classes. We validate the ontology showing how description logic works with a given synthetic scenario which is created by banking experts.