A Framework for Data-Driven Physical Security and Insider Threat Detection

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

This paper presents PS0, an ontological framework and a methodology for improving physical security and insider threat detection. PS0 can facilitate forensic data analysis and proactively mitigate insider threats by leveraging rule-based anomaly detection. In all too many cases, rule-based anomaly detection can detect employee deviations from organizational security policies. In addition, PS0 can be considered a security provenance solution because of its ability to fully reconstruct attack patterns. Provenance graphs can be further analyzed to identify deceptive actions and overcome analytical mistakes that can result in bad decision-making, such as false attribution. Moreover, the information can be used to enrich the available intelligence (about intrusion attempts) that can form use cases to detect and remediate limitations in the system, such as loosely-coupled provenance graphs that in many cases indicate weaknesses in the physical security architecture. Ultimately, validation of the framework through use cases demonstrates and proves that PS0 can improve an organization’s security posture in terms of physical security and insider threat detection.


💡 Research Summary

The paper introduces PS0 (Physical Security Ontology 0), an ontological framework designed to bridge the gap between physical security controls and insider‑threat detection in the digital domain. Recognizing that many organizations treat physical security as an afterthought and rely on isolated alerts from access‑control systems, the authors propose a data‑driven, holistic approach that ingests, normalizes, and semantically enriches logs from both the physical environment (RFID readers, biometric scanners, cameras, motion sensors, etc.) and the IT environment (endpoint logs, network flow records, Active Directory events, printers, BYOD devices, etc.).

The architecture consists of five tightly coupled layers:

  1. Data Sources – raw event streams from physical and logical assets.
  2. Log Collection & Aggregation – secure, tamper‑resistant storage of all logs on a central server, ensuring confidentiality, integrity, and availability.
  3. Parsing Engine – a transformation component that converts heterogeneous log formats into RDF triples conforming to a predefined OWL schema. This step performs time‑synchronization, identifier mapping (e.g., MAC address ↔ user), and data cleansing.
  4. Ontology (Knowledge Base) – the core of PS0, modeled in OWL with classes for Infrastructure, Users, Policies, Incidents, and Events. The ontology captures both structured (e.g., access‑card IDs) and unstructured (e.g., free‑text alarm notes) information, enabling rich semantic queries.
  5. Forensic Analysis & Rule‑Based Anomaly Detection – two complementary engines. The rule‑based component uses OWL restrictions and SWRL rules to flag policy violations in real time, assigning a threat level (red/amber/green) and inserting the event into the “Incident” class. The forensic engine runs SPARQL queries over the ontology to reconstruct provenance graphs that illustrate the causal chain of an attack, from physical entry to network compromise.

Key innovations include:

  • Provenance‑centric design: Every event is linked temporally and causally, producing a graph that can reveal “loosely‑coupled” sections indicative of missing logs or weak monitoring points.
  • Iterative risk‑management loop: Findings from forensic analysis feed back into risk indicators, prompting policy updates, additional sensor deployments, or changes in physical layout.
  • Hybrid physical‑digital visibility: By correlating, for example, a badge swipe with a subsequent VPN login from a previously unseen device, PS0 can detect “shadow” activity that traditional systems miss.

The authors validate PS0 through two realistic use cases. In the first, an unauthorized attempt to access a data‑center is detected; PS0 correlates badge logs, camera footage, and network authentication records to produce a complete attack timeline, enabling rapid containment. In the second, an employee accesses a high‑value system outside normal working hours; rule‑based detection flags the event as “amber,” prompting a manual investigation that uncovers a policy breach. Both scenarios demonstrate reduced mean‑time‑to‑detect (MTTD) and lower false‑positive rates compared with conventional, siloed security solutions.
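The five-layer pipeline described above (parsing heterogeneous logs into triples, rule-based threat levels written into an Incident class, and SPARQL-style provenance reconstruction that exposes loosely coupled stretches) and the two use cases can be sketched end to end in a few dozen lines. The following is an added illustration, not code from the paper or from PS0 itself: it stands in for OWL, SWRL and SPARQL with a plain list of (subject, predicate, object) tuples and ordinary Python functions. Every log line, badge ID, user, MAC address, reader name, the 07:00-19:00 working-hours window, the 2-hour coupling window and the log year are constructed assumptions for the demo.

```python
# Added illustration (not the paper's code): a pure-Python sketch of the PS0
# pipeline. The parsing layer turns two unrelated log formats into
# (subject, predicate, object) triples, the rule layer assigns red/amber/green
# threat levels and marks incidents, and the forensic layer rebuilds a user's
# provenance chain and flags "loosely coupled" stretches. Every log line,
# user, badge, MAC address and threshold below is constructed for the demo.
from __future__ import annotations
import re
from datetime import datetime, timedelta

# Constructed sample logs: a badge-reader export and a VPN gateway syslog.
BADGE_LOG = """\
2024-03-04 08:55:12 READER=DC-EAST-01 BADGE=B1042 RESULT=GRANTED
2024-03-04 22:17:40 READER=DC-EAST-01 BADGE=B1042 RESULT=GRANTED
2024-03-04 23:02:05 READER=LOBBY-02 BADGE=B2077 RESULT=DENIED
"""
VPN_LOG = """\
Mar  4 09:01:30 vpngw vpnd: user=alice src=10.8.0.12 mac=aa:bb:cc:00:00:01 auth=ok
Mar  4 22:21:03 vpngw vpnd: user=alice src=10.8.0.40 mac=aa:bb:cc:99:99:99 auth=ok
Mar  4 23:05:11 vpngw vpnd: user=bob src=10.8.0.21 mac=aa:bb:cc:00:00:02 auth=ok
"""
# Identifier mapping the parsing layer would perform (constructed tables).
BADGE_TO_USER = {"B1042": "alice", "B2077": "bob"}
KNOWN_MACS = {"alice": {"aa:bb:cc:00:00:01"}, "bob": {"aa:bb:cc:00:00:02"}}
WORK_HOURS = (7, 19)      # 07:00-19:00 is treated as normal working time (assumed)
LOG_YEAR = 2024           # syslog lines carry no year; assumed for the demo


def parse_logs(badge_log: str, vpn_log: str) -> list[tuple]:
    """Parsing engine: normalise both formats into triples over one schema."""
    triples, n = [], 0
    badge_re = re.compile(r"(\S+ \S+) READER=(\S+) BADGE=(\S+) RESULT=(\S+)")
    for m in badge_re.finditer(badge_log):
        n += 1
        ev = f"ev{n}"
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        triples += [(ev, "type", "BadgeEvent"), (ev, "time", ts),
                    (ev, "location", m.group(2)), (ev, "result", m.group(4)),
                    (ev, "user", BADGE_TO_USER.get(m.group(3), "unknown"))]
    vpn_re = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: user=(\S+) "
                        r"src=(\S+) mac=(\S+) auth=(\S+)")
    for m in vpn_re.finditer(vpn_log):
        n += 1
        ev = f"ev{n}"
        ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        triples += [(ev, "type", "VpnLogin"), (ev, "time", ts),
                    (ev, "user", m.group(2)), (ev, "src", m.group(3)),
                    (ev, "device", m.group(4)),
                    (ev, "result", "GRANTED" if m.group(5) == "ok" else "DENIED")]
    return triples


def objects(triples, s, p):
    """Tiny SPARQL stand-in: every object stored for a (subject, predicate) pair."""
    return [o for (s2, p2, o) in triples if s2 == s and p2 == p]


def events(triples):
    """All event subjects, ordered by timestamp (every event has one 'time')."""
    subjects = {s for (s, p, _) in triples if p == "time"}
    return sorted(subjects, key=lambda e: objects(triples, e, "time")[0])


def detect(triples) -> dict:
    """Rule-based anomaly detection. Each non-green verdict is written back
    into the store as an Incident with a threat level, as PS0 does."""
    verdicts = {}
    for ev in events(triples):
        user, ts = objects(triples, ev, "user")[0], objects(triples, ev, "time")[0]
        kind, result = objects(triples, ev, "type")[0], objects(triples, ev, "result")[0]
        if kind == "VpnLogin" and objects(triples, ev, "device")[0] not in KNOWN_MACS.get(user, set()):
            level = "red"      # remote login from a device never seen for this user
        elif result == "DENIED":
            level = "amber"    # a refused physical access attempt
        elif not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            level = "amber"    # granted access outside working hours
        else:
            level = "green"
        if level != "green":
            verdicts[ev] = level
            triples += [(ev, "memberOf", "Incident"), (ev, "threatLevel", level)]
    return verdicts


def provenance(triples, user, window=timedelta(hours=2)):
    """Forensic engine: the user's events in time order, each link labelled
    'coupled' or, when the gap exceeds `window`, 'loosely_coupled'. A loosely
    coupled link marks where a log source or sensor may be missing."""
    chain = [e for e in events(triples) if user in objects(triples, e, "user")]
    edges = []
    for a, b in zip(chain, chain[1:]):
        gap = objects(triples, b, "time")[0] - objects(triples, a, "time")[0]
        edges.append((a, b, "coupled" if gap <= window else "loosely_coupled"))
    return chain, edges


if __name__ == "__main__":
    kb = parse_logs(BADGE_LOG, VPN_LOG)
    for ev, level in detect(kb).items():
        print(ev, level, objects(kb, ev, "type")[0], objects(kb, ev, "user")[0])
    chain, edges = provenance(kb, "alice")
    for a, b, link in edges:
        print(f"{a} -> {b}: {link}")
```

Run as a script, the detection layer flags alice's 22:21 VPN login from an unseen MAC as red and the three after-hours or denied events as amber, and the provenance chain for alice ties that red login to a data-center badge entry four minutes earlier (the first use case) while showing a 13-hour loosely coupled gap between her morning and evening activity, the kind of stretch the paper treats as a signal of a missing monitoring point.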

Beyond detection, PS0 serves as a security provenance platform. The accumulated provenance graphs can be shared across organizations to enrich collective threat intelligence, and they support advanced analytics such as attack‑tree generation and scenario simulation. The paper also discusses future extensions, including integration of machine‑learning anomaly detectors, standardization of cloud‑based physical‑security logs, and scaling the ontology for multi‑site enterprises.

In conclusion, PS0 offers a comprehensive, ontology‑driven methodology that unifies physical and cyber security data, provides real‑time rule‑based alerts, and enables deep forensic reconstruction of insider‑threat incidents. By embedding a feedback loop into the risk‑management process, the framework not only improves immediate detection capabilities but also continuously strengthens an organization’s overall security posture.

