PROACTIVE INSIDER-THREAT DETECTION - Against Confidentiality in Sensitive Pervasive Applications

Joon S. Park, Jaeho Yim, Jason Hallahan

2009

Abstract

The primary objective of this research is to mitigate insider threats against sensitive information stored in an organization’s computer system, using dynamic forensic mechanisms to detect insiders’ malicious activities. Among the various types of insider threats, which may break confidentiality, integrity, or availability, this research focuses on violations of confidentiality through privilege misuse or escalation in sensitive applications. We identify insider-threat scenarios and then describe how to detect each scenario by analyzing primitive user activities; we implement our detection mechanisms by extending the capabilities of existing software packages. Since our approach can detect an insider’s malicious behavior before the malicious action is completed, we can proactively prevent the possible damage. In this particular paper, the primary sources for our implementation are Windows file system activities, the Windows Registry, the Windows Clipboard system, and printer event logs and reports. However, we believe our approaches to countering insider threats can also be applied to other computing environments.

Paper Citation

in Harvard Style

Park, J. S., Yim, J. and Hallahan, J. (2009). PROACTIVE INSIDER-THREAT DETECTION - Against Confidentiality in Sensitive Pervasive Applications. In Proceedings of the 11th International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 978-989-8111-86-9, pages 393-398. DOI: 10.5220/0002004203930398

in Bibtex Style

@conference{iceis09,
author={Joon S. Park and Jaeho Yim and Jason Hallahan},
title={PROACTIVE INSIDER-THREAT DETECTION - Against Confidentiality in Sensitive Pervasive Applications},
booktitle={Proceedings of the 11th International Conference on Enterprise Information Systems - Volume 3: ICEIS},
year={2009},
pages={393-398},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002004203930398},
isbn={978-989-8111-86-9},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Enterprise Information Systems - Volume 3: ICEIS
TI - PROACTIVE INSIDER-THREAT DETECTION - Against Confidentiality in Sensitive Pervasive Applications
SN - 978-989-8111-86-9
AU - Park, J. S.
AU - Yim, J.
AU - Hallahan, J.
PY - 2009
SP - 393
EP - 398
DO - 10.5220/0002004203930398