Using E-Mail Social Network Analysis for Detecting Unauthorized Accounts

In this paper we detail the use of e-mail social network anal- ysis for the detection of security policy violations on com- puter systems. We begin by formalizing basic policies that derive from the expected social behavior of computer users. We then extract the social networks of three organizations by analyzing e-mail server logs collected over several months and apply the policies to the resultant social network and identify subsequent policy violators. After closer examination of the outlier accounts, we find that a significant fraction of the suspect accounts were sup- posed to have been terminated long ago for a variety of reasons. Through the analysis and experiments presented in the paper, we conclude the analysis of social networks extracted from network logs can prove useful in a variety of traditionally hard to solve security problems, such as de- tecting insider threats.