TWOS: A Dataset of Malicious Insider Threat Behavior Based on a Gamified Competition

Published in The 9th ACM CCS International Workshop on Managing Insider Security Threats (MIST), Dallas, USA, 2017

Authors: Athul Harilal, Flavio Toffalini, John Castellanos, Juan Guarnizo, Ivan Homoliak, Martín Ochoa

In this paper we present the design and outcome of a gamified competition that was devised in order to obtain a dataset containing realistic instances of insider threats. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed sessions for two types of insider threats (masqueraders and traitors). The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days, while their activities were monitored considering several heterogeneous sources (mouse, keyboard, process and file-system monitor, network traffic, emails and login/logout). In sum, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. Additionally to malicious behaviors, the students explored various defensive and offensive strategies, such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. The TWOS dataset is publicly accessible for further research purposes.

Download paper here