A FRAMEWORK FOR ROLE-BASED MONITORING OF INSIDER MISUSE

Aung Htike Phyo, Steven M. Furnell, and Francisco Portilla

Network Research Group, School of Computing, Communications and Electronics, University of Plymouth, Drake Circus, Plymouth, PL4 8AA, United Kingdom, nrg@plymouth.ac.uk

Abstract: Many security incidents involve legitimate users who misuse their existing privileges, such that they have the system-level right to perform an action, but not the moral right to do so. Current Intrusion Detection Systems (IDSs) are ineffective in this context, because they do not have knowledge of user responsibilities, normal working scope of a user for a relevant position, or the separation of duties that should be enforced. This paper considers examples of the forms that misuse may take within typical applications, and then outlines a novel framework to address the problem of insider misuse monitoring. The approach argues that users with similar roles and responsibilities will exhibit similar behaviour within the system, enabling any activity that deviates from the normal profile to be flagged for further examination. The system utilises established access control principles for defining user roles, and the relationships between them, and proposes a misuse monitoring agent that will police application-level activities for signs of unauthorised behaviour.

Key words: Misuse Detection, Insider Misuse, Intrusion Detection, Role-based Monitoring.

1. INTRODUCTION

The need for information security is increasing as organizations depend on IT infrastructures for the smooth functioning of their businesses. While the media has highlighted the threat brought about by external intruders and viruses, it has not promoted the awareness of the threat to the organization’s IT infrastructure from its own employees. In reality, however, insiders are