A User Behavior-Based Approach to Detect the Insider Threat in Distributed Diagnostic Imaging Systems

A modern diagnostic imaging system integrates several PACS (Picture Archiving and Communication System) through datacenters that allow a large community of users to access and share sensitive patient medical images. In such integration user access to the medical images that are stored in non-local PACS systems is based on a trust model, which makes data integrity and privacy vulnerable due to possible malicious user behaviors. Moreover, the limited scope and precision of the existing policy-based access control solutions prevent them from detecting suspicious behaviors of the authenticated users. In this paper, we propose an approach for analyzing the user behaviors that allows the administrators to identify the users whose behaviors may jeopardize the data privacy and system integrity. In this context, the system administrator can define an arbitrary pattern of a suspicious user behavior using our new behavior pattern language. A constraint-based pattern-matching engine will identify the instances of the suspicious behavior pattern in the system’s audit-log repository. Finally, a decision support system will present the excerpt findings to the system administrator with the overall goal of refining the access control policy rules. We present a case study which indicates our proposed approach provides promising results.