ABSTRACT

Effective detection of insider threats requires monitoring mechanisms that are far more fine-grained than for external threat detection. These monitors must be efficiently and reliably deployable in the software environments where actions endemic to malicious insider missions are caught in a timely manner. Such environments typically include user-level applications, such as word processors, email clients, and web browsers, for which reliable monitoring of internal events by conventional means is difficult.