Table 2 Sources and features of the insider's online activities
Domain name | Source | Features |
|---|---|---|
Logon | Daily System logs | # Auxiliary Information such as user ID, PC ID, activity code, time of day # after hour logons, # logons on user’s PC, # logons on other PC(s), # login duration time, # login frequency. |
File | Daily System logs, Access logs | # Auxiliary Information such as user ID, PC ID, activity code, time of day, # accessed directory(s), # file created, copied, moved, written, renamed or deleted, |
Database | Database audit logs | # Auxiliary Information such as user ID, PC ID, activity code, time of day # Which data items were accessed? # Were any modifications made? . |
HTTP | Web server logs | # Auxiliary Information such as user ID, PC ID, time of day # URL and domain information activity codes (upload or download) # URLs visited # Whether the website is encrypted # browser information (internet explorer, Firefox, or Chrome) |
Removable device (e.g., USB drives) | Event logs | # Auxiliary Information such as user ID, PC ID, activity code, time of day # Device name and type are logged with usage code |
Email transaction logs | # Auxiliary Information such as user ID, PC ID, activity code, time of day # Source and destination of email traffic # Communication patterns # Attachment names | |
Mobile calls | Call logs | # Source and destination of mobile calls # Duration, date and time of calls # Communication patterns |
Printer activity logs | # Auxiliary Information such as user ID, PC ID, activity code, time of day # Name of document printed # Number of copies | |
TCP/IP network flows | TCP/IP network flow logs | # The source and destination of IP packets on a TCP/IP network # The size of traffic sent over the connections # t The average duration of connections # Positive and failed events from different IP addresses # Time difference between IP events |
Other Applications (e.g., MS Word, MS Power Point, PDF, MS Excel, JPG, TXT) | Event logs, Error logs |