In this paper we detail the use of e-mail social network analysis for the detection of security policy violations on computer systems. We begin by formalizing basic policies that derive from the expected social behavior of computer users. We then extract the social networks of three organizations by analyzing e-mail server logs collected over several months, apply the policies to the resulting social networks, and identify the accounts that violate them. On closer examination of the outlier accounts, we find that a significant fraction of the suspect accounts were supposed to have been terminated long ago for a variety of reasons. Through the analysis and experiments presented in the paper, we conclude that the analysis of social networks extracted from network logs can prove useful in a variety of traditionally hard-to-solve security problems, such as detecting insider threats.
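The pipeline the abstract sketches (mail-server logs to a social graph, then policies applied to that graph to surface outlier accounts) can be made concrete with a small Python example. This is an added illustration, not code from the paper: the simplified log format, the constructed sample lines and the two policies ("no-reciprocity" and "receive-only") are assumptions standing in for the policies the paper formalizes, which the abstract does not spell out. The "receive-only" check is chosen because it matches the kind of outlier the abstract reports, an account that colleagues still write to but that has itself gone silent, as one might expect of a mailbox that should have been terminated.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified mail-server log format.
# Field names, timestamps and addresses are invented for this example;
# the last line is deliberately malformed to show it being skipped.
SAMPLE_LOG = """\
2006-03-01T09:12:03 from=alice@example.org to=bob@example.org
2006-03-01T09:15:41 from=bob@example.org to=alice@example.org
2006-03-01T10:02:10 from=alice@example.org to=carol@example.org
2006-03-01T10:30:55 from=carol@example.org to=alice@example.org
2006-03-02T08:45:00 from=bob@example.org to=carol@example.org
2006-03-02T08:59:12 from=carol@example.org to=bob@example.org
2006-03-02T11:20:00 from=carol@example.org to=dave@example.org
2006-03-03T14:05:33 from=alice@example.org to=dave@example.org
2006-03-04T09:00:00 from=eve@example.org to=alice@example.org
2006-03-04T09:00:05 from=eve@example.org to=bob@example.org
2006-03-04T09:00:09 from=eve@example.org to=carol@example.org
2006-03-05T16:40:21 from=frank@example.org to=alice@example.org
2006-03-05T17:10:00 from=vendor@partner.com to=alice@example.org
2006-03-06T08:00:00 from=alice@example.org to=vendor@partner.com
this line is malformed and should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+from=(?P<src>\S+)\s+to=(?P<dst>\S+)$")


def parse_log(text):
    """Yield (timestamp, sender, recipient) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src").lower(), m.group("dst").lower()


def build_social_graph(records):
    """Directed weighted graph: edges[sender][recipient] = message count."""
    edges = defaultdict(lambda: defaultdict(int))
    for _ts, src, dst in records:
        edges[src][dst] += 1
    return edges


def internal(addr, org_domain):
    """True if the address belongs to the organization under analysis."""
    return addr.endswith("@" + org_domain)


def accounts(edges, org_domain):
    """All internal accounts that appear anywhere in the graph."""
    seen = set()
    for src, dsts in edges.items():
        seen.add(src)
        seen.update(dsts)
    return {a for a in seen if internal(a, org_domain)}


def apply_policies(edges, org_domain, min_sent=3):
    """Return {account: [violated policy names]} for internal accounts.

    Illustrative policies (assumed for this example, not the paper's):
      no-reciprocity: the account sent at least `min_sent` messages to
                      colleagues, yet no colleague it wrote to ever wrote back.
      receive-only:   colleagues still send to the account, but it has never
                      sent a single message in the observation window.
    External addresses are used as graph context but are never judged.
    """
    violations = defaultdict(list)
    for acct in sorted(accounts(edges, org_domain)):
        out = edges.get(acct, {})
        sent_to = {d for d in out if internal(d, org_domain)}
        sent_count = sum(n for d, n in out.items() if internal(d, org_domain))
        received_from = {s for s, dsts in edges.items()
                         if acct in dsts and internal(s, org_domain)}
        if sent_count >= min_sent and not (sent_to & received_from):
            violations[acct].append("no-reciprocity")
        if received_from and not out:
            violations[acct].append("receive-only")
    return dict(violations)


if __name__ == "__main__":
    graph = build_social_graph(parse_log(SAMPLE_LOG))
    for acct, policies in apply_policies(graph, "example.org").items():
        print(acct, "->", ", ".join(policies))
```

On the constructed log, dave@example.org is flagged as receive-only (two colleagues write to it, it never replies) and eve@example.org as no-reciprocity (three messages out, nothing back), while frank@example.org, with a single unanswered message, stays under the `min_sent` threshold. In practice the thresholds and observation window would be tuned per organization, and a flag is a prompt for human review of the account's status rather than a verdict.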
Adam J. O'Donnell, Walter C. Mankowski, Jeff Abrah