For software companies, the source code and the people are the most valuable assets. Employees are responsible for developing the source code but, paradoxically, may also pose the greatest potential threat. A single disgruntled employee can cause untold damage, for example by selling the source code to a competitor or inserting a malicious backdoor. Detecting and preventing insider attacks is an unsolved problem. Our proposed approach is to detect when a software engineer deviates from their usual work patterns and then match these anomalies against signatures of insider attacks. The first step is to establish a baseline of the normal access patterns of software engineers to source code. To this end, we consider a case study of a commercial software project, analysing how 282 software engineers access the source code in their daily work over a period of three years. We obtained three years of access logs for a real SVN source code repository used by software engineers at a commercial IT company (CA Technologies). In the study, we used the DEX graph database management system to store the data and a visual clustering algorithm (VAT) to analyse user access behaviour. The visual clustering groups users into communities based on the projects they access and the networks they use. We also note that daily access patterns differ between users with different roles in the enterprise. This suggests that the role of the user could serve as a key attribute of the user profile in an insider threat detection system. This preliminary study will provide a good baseline for an insider threat detection system.
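
How VAT reordering exposes user communities, as an added example that is not code or data from the study. It assumes Jaccard dissimilarity over each user's set of accessed projects (the abstract does not say which measure was used), and all user and project names are constructed.

```python
"""VAT (Visual Assessment of cluster Tendency) ordering over repository access data."""
from collections import defaultdict

# Constructed sample: (user, project) pairs as they might be extracted from
# SVN access logs. All names are hypothetical, not data from the study.
ACCESSES = [
    ("u01", "billing"), ("u02", "portal"), ("u03", "billing"), ("u04", "portal"),
    ("u05", "ledger"), ("u06", "portal"), ("u01", "ledger"), ("u02", "webui"),
    ("u03", "ledger"), ("u04", "webui"), ("u05", "billing"), ("u06", "ledger"),
]

def dissimilarity(accesses):
    """Return (users, R); R[i][j] is the Jaccard distance between project sets.
    Jaccard is an assumption made for this example."""
    sets = defaultdict(set)
    for user, project in accesses:
        sets[user].add(project)
    users = sorted(sets)
    R = [[1 - len(sets[a] & sets[b]) / len(sets[a] | sets[b]) for b in users]
         for a in users]
    return users, R

def vat_order(R):
    """Prim-style VAT ordering: start at one end of the most dissimilar pair,
    then repeatedly append the unvisited item closest to any visited item."""
    n = len(R)
    order = [max(range(n), key=lambda i: max(R[i]))]
    remaining = set(range(n)) - set(order)
    while remaining:
        nxt = min(remaining, key=lambda q: (min(R[p][q] for p in order), q))
        order.append(nxt)
        remaining.remove(nxt)
    return order

def vat(accesses):
    """Return users in VAT order and the reordered dissimilarity matrix."""
    users, R = dissimilarity(accesses)
    order = vat_order(R)
    return [users[i] for i in order], [[R[i][j] for j in order] for i in order]

if __name__ == "__main__":
    ordered, matrix = vat(ACCESSES)
    # '#' cells are similar users; communities show up as '#' blocks on the diagonal.
    for name, row in zip(ordered, matrix):
        print(name, "".join("#" if d < 0.5 else "+" if d < 1 else "." for d in row))
```

In the constructed data, u06 touches projects from both groups and is placed between the two diagonal blocks.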