A survey of insider attack detection research, in Insider Attack and Cyber Security, ser.

by M Salem, S Hershkop, S Stolfo
Venue: Advances in Information
Results 1 - 10 of 22

Data Loss Prevention Based on DataDriven Usage Control

by Alexander Pretschner - in Proc. 23rd IEEE Intl. Symp. on Software Reliability Engineering, 2012
Cited by 9 (3 self)
Abstract—Inadvertent data disclosure by insiders is considered as one of the biggest threats for corporate information security. Data loss prevention systems typically try to cope with this problem by monitoring access to confidential data and preventing their leakage or improper handling. Current solutions in this area, however, often provide limited means to enforce more complex security policies that for instance specify temporal or cardinal constraints on the execution of events. This paper presents UC4Win, a data loss prevention solution for Microsoft Windows operating systems that is based on the concept of data-driven usage control to allow such a fine-grained policy-based protection. UC4Win is capable of detecting and controlling data-loss related events at the level of individual function calls. This is done with function call interposition techniques to intercept application calls to the Windows API in combination with methods to track the flows of confidential data through the system. Keywords: data loss prevention; usage control; microsoft windows security; dynamic data flow tracking
Citation Context

...bserve and control the storage, movement, or handling of confidential data according to specified security policies. A common taxonomy to classify DLP systems is based on their protection scope [3]: DLP solutions that protect Data-At-Rest identify sensitive data in persistent storage locations and, if a security policy specifies this, remove or encrypt them if the location is considered non-t...

Proactive Insider Threat Detection through Graph Learning and Psychological Context

by Oliver Brdiczka, Juan Liu, Bob Price, Jianqiang Shen, Akshay Patil, Richard Chow, Eugene Bart, Nicolas Ducheneaut
Cited by 7 (1 self)
Abstract — The annual incidence of insider attacks continues to grow, and there are indications this trend will continue. While there are a number of existing tools that can accurately identify known attacks, these are reactive (as opposed to proactive) in their enforcement, and may be eluded by previously unseen, adversarial behaviors. This paper proposes an approach that combines Structural Anomaly Detection (SA) from social and information networks and Psychological Profiling (PP) of individuals. SA uses technologies including graph analysis, dynamic tracking, and machine learning to detect structural anomalies in large-scale information network data, while PP constructs dynamic psychological profiles from behavioral patterns. Threats are finally identified through a fusion and ranking of outcomes from SA and PP. The proposed approach is illustrated by applying it to a large data set from a massively multi-player online game, World of Warcraft (WoW). The data set contains behavior traces from over 350,000 characters observed over a period of 6 months. SA is used to predict if and when characters quit their guild (a player association with similarities to a club or workgroup in nongaming contexts), possibly causing damage to these social groups. PP serves to estimate the five-factor personality model for all characters. Both threads show good results on the gaming data set and thus validate the proposed approach.
Citation Context

...rocesses and flags deviations from the model. Some augment this basic approach by introducing decoys onto the network to entrap adversarial insiders [16], [17]. A survey of much of this work is here, [18]. In addition, various models of adversarial insiders have been developed. These models include physical behaviors that are indicators of adversarial intent (e.g. foreign travel, signs of wealth) [19]...

Insider Threat Detection using Stream Mining and Graph Mining

by Pallabi Parveen, Jonathan Evans, Bhavani Thuraisingham, Kevin W. Hamlen, Latifur Khan
Cited by 4 (2 self)
Abstract—Evidence of malicious insider activity is often buried within large data streams, such as system logs accumulated over months or years. Ensemble-based stream mining leverages multiple classification models to achieve highly accurate anomaly detection in such streams even when the stream is unbounded, evolving, and unlabeled. This makes the approach effective for identifying insider threats who attempt to conceal their activities by varying their behaviors over time. This paper applies ensemble-based stream mining, unsupervised learning, and graph-based anomaly detection to the problem of insider threat detection, demonstrating that the ensemble-based approach is significantly more effective than traditional single-model methods. Index Terms: anomaly detection; graph-based detection; insider threat; ensemble
Citation Context

...e with the changing characteristics of the stream and keeps the classification task tractable. A comparison of the above related works is summarized in Table I. A more complete survey is available in [30]. III. ENSEMBLE-BASED INSIDER THREAT DETECTION Data relevant to insider threats is typically accumulated over many years of organization and system operations, and is therefore best characterized as a...

Insiders and insider threats – an overview of definitions and mitigation techniques

by Jeffrey Hunker, Christian W. Probst - Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications, 2011
Cited by 4 (0 self)
Threats from the inside of an organization’s perimeters are a significant problem, since it is difficult to distinguish them from benign activity. In this overview article we discuss defining properties of insiders and insider threats. After presenting definitions of these terms, we go on to discuss a number of approaches from the technological, the sociological, and the socio-technical domain. We draw two main conclusions. Tackling insider threats requires a combination of techniques from the technical, the sociological, and the socio-technical domain, to enable qualified detection of threats, and their mitigation. Another important observation is that the distinction between insiders and outsiders seems to lose significance as IT infrastructure is used in performing insider attacks. Little real-world data is available about the insider threat [1], yet recognizing when insiders are attempting to do something they should not on a corporate or organizational (computer) system is an important problem in cyber and organizational security in general. This “insider threat” has received considerable attention, and is cited as one of the most serious security problems [2]. It is also considered the most difficult problem to deal with because insiders often have information and capabilities not known to external attackers, and as a consequence can cause serious harm. Yet, little real-world data is
Citation Context

...s, in which study participants are placed in an organizational/computing environment and motivated to act as an insider threat – “capturing the flag” by devising ways of acquiring illicit information [22]. 2 Insider Threats Require Multiple Approaches A study of insider attacks in the banking and finance sector [22] summarized the characteristics of the attacks observed as follows: • Most incidents re...

Supervised learning for insider threat detection using stream mining

by Pallabi Parveen, Zackary R Weger, Bhavani Thuraisingham, Kevin Hamlen, Latifur Khan - in Proc. 23rd IEEE Int. Conf. Tools with Artificial Intelligence
Cited by 3 (2 self)
Abstract—Insider threat detection requires the identification of rare anomalies in contexts where evolving behaviors tend to mask such anomalies. This paper proposes and tests an ensemble-based stream mining algorithm based on supervised learning that addresses this challenge by maintaining an evolving collection of multiple models to classify dynamic data streams of unbounded length. The result is a classifier that exhibits substantially increased classification accuracy for real insider threat streams relative to traditional supervised learning (traditional SVM and one-class SVM) and other single-model approaches. Keywords: anomaly detection, support vector machine, insider threat, ensemble
Citation Context

...ywords- anomaly detection, support vector machine, insider threat, ensemble I. INTRODUCTION Insider threats are increasingly cited as among the most potent dangers to modern computing infrastructures [40]. Reliable detection of insider threats is particularly challenging because insiders mask and adapt their behaviors to resemble legitimate system and organizational activities. One approach to detecti...

A cloud intrusion detection dataset for cloud computing and masquerade attacks, new generations

by Hisham A. Kholidy, Fabrizio Baiardi - in Proc. Ninth International Conference on Information Technology - New Generations, 2012
Cited by 3 (0 self)
Masquerade attacks pose a serious threat for cloud systems due to the massive amount of resources of these systems. Lack of datasets for cloud computing hinders the building of efficient intrusion detection of these attacks. Current datasets cannot be used due to the heterogeneity of user requirements, the distinct operating systems installed in the VMs, and the data size of Cloud systems. This paper presents a Cloud Intrusion Detection Dataset (CIDD) that is the first one for cloud systems and that consists of both knowledge and behavior based audit data collected from both UNIX and Windows users. With respect to current datasets, CIDD has real instances of host and network based attacks and masquerades, and provides complete diverse audit parameters to build efficient detection techniques. The final statistic tables for each user are built by the Log Analyzer and Correlator System (LACS) that parses and analyzes users’ binary log files, and correlates audit data according to user IP address(es) and audit time. We describe in detail the components and the architecture of LACS and CIDD, and the attack distribution in CIDD.
Citation Context

...n a pair of episodes is encoded as the disjunction of interval relations [20]. Any new subsequence should be consistent with at least one user network. 3. Current masquerade datasets In the following [10, 11] we briefly describe the four datasets currently used to evaluate masquerade detection techniques: SEA, Greenberg, Purdue, and RUU [5-8]. SEA dataset: Most papers about masquerader detection use this ...

Reporting Insider Threats via Covert Channels

by David N. Muchene, Klevis Luli, Craig A. Shue
Cited by 2 (0 self)
Abstract—Trusted insiders that betray an organization can inflict substantial harm. In addition to having privileged access to organization resources and information, these users may be familiar with the defenses surrounding valuable assets. Computer systems at the organization need a mechanism for communicating suspicious activity that is difficult for a malicious insider (or even an outsider) to detect or block. In this work, we propose a covert channel in the Ethernet frame that allows a computer system to report activity inside other, unrelated network communication. The covert channel leverages the differences in the framing approaches used by Ethernet and IP packets to append hidden information to an IP packet and transmit it to an organization’s administrator. This stealthy communication is difficult for even advanced attackers and is challenging to block since it opportunistically uses unrelated communication. Further, since the transmission is tied to the Ethernet frame, the communication cannot traverse network routers, preventing security information from leaving the organization. We introduce the covert channel, incorporate it into a working prototype, and combine it with an intrusion detection system to show its promise for security event reporting.
Citation Context

...n strategies for all types of organizations [5]. Insider threat research in the computer security community has used diverse approaches, ranging from system log and system call analysis to honey pots [6]. While these mechanisms may be effective at detecting insider threats, they generally ignore how these threats are reported to security officials. The most obvious reporting mechanisms are also the eas...

Multi-Domain Information Fusion for Insider Threat Detection

by Hoda Eldardiry, Evgeniy Bart, Juan Liu, John Hanley, Bob Price, Oliver Brdiczka
Cited by 2 (0 self)
Abstract—Malicious insiders pose significant threats to information security, and yet the capability of detecting malicious insiders is very limited. Insider threat detection is known to be a difficult problem, presenting many research challenges. In this paper we report our effort on detecting malicious insiders from large amounts of work practice data. We propose novel approaches to detect two types of insider activities: (1) blend-in anomalies, where malicious insiders try to behave similar to a group they do not belong to, and (2) unusual change anomalies, where malicious insiders exhibit changes in their behavior that are dissimilar to their peers’ behavioral changes. Our first contribution focuses on detecting blend-in malicious insiders. We propose a novel approach by examining various activity domains, and detecting behavioral inconsistencies across these domains. Our second contribution is a method for detecting insiders with unusual changes in behavior. The key strength of this proposed approach is that it avoids flagging common changes that can be mistakenly detected by typical temporal anomaly detection mechanisms. Our third contribution is a method that combines anomaly indicators from multiple sources of information. Keywords: Insider threat detection; anomaly detection; information fusion
Citation Context

...nts in recent years in the United States. In an attempt to augment this basic rule-based approach, some works have introduced decoys onto the network to entrap adversarial insiders [14], [15]. Please see [16] for a survey of this work. In addition, various models of adversarial insiders have been developed. These models include physical behaviors that are indicators of adversarial intent (e.g. foreign tra...

Automated Mining of Software Component Interactions for Self-Adaptation

by Eric Yuan, Naeem Esfahani, Sam Malek - In: Proc. of SEAMS ’14, 2014
Cited by 1 (0 self)
A self-adaptive software system should be able to monitor and analyze its runtime behavior and make adaptation decisions accordingly to meet certain desirable objectives. Traditional software adaptation techniques and recent “mod-
Citation Context

...Furthermore, these approaches typically can do very little to address the growing concern of insider threats, where attackers use the system with legitimate credentials instead of external intrusions [26]. In contrast, our research has focused on developing a threat detection approach based on software component interactions as opposed to mining data collected from network traffic or source code. Our ...

Behavioral Analysis of Insider Threat: A Survey and Bootstrapped Prediction in Imbalanced

by Amos Azaria, Ariella Richardson, Sarit Kraus, V. S. Subrahmanian - IEEE Transactions on Computational Social Systems
Abstract—The problem of insider threat is receiving increasing attention both within the computer science community as well as government and industry. This paper starts by presenting a broad, multidisciplinary survey of insider threat capturing contributions from computer scientists, psychologists, criminologists, and security practitioners. Subsequently, we present the BAIT (Behavioral Analysis of Insider Threat) framework, in which we conduct a detailed experiment involving 795 subjects on Amazon Mechanical Turk in order to gauge the behaviors that real human subjects follow when attempting to exfiltrate data from within an organization. In the real world, the number of actual insiders found is very small, so supervised machine learning methods encounter a challenge. Unlike past works, we develop bootstrapping algorithms that learn from highly imbalanced data, mostly unlabeled, and almost no history of user behavior from an insider threat perspective. We develop and evaluate 7 algorithms using BAIT and show that they can produce a realistic (and acceptable) balance of precision and recall. Index Terms: computer security, behavioral models, insider threat

Developed at and hosted by The College of Information Sciences and Technology

© 2007-2019 The Pennsylvania State University