
Insider Threats '10: latest papers

Detecting data misuse by applying context-based data linkage
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866890
Ma'ayan Gafny, A. Shabtai, L. Rokach, Y. Elovici
Detecting data leakage/misuse poses a great challenge for organizations. Whether caused by malicious intent or an inadvertent mistake, data leakage/misuse can diminish a company's brand, reduce shareholder value, and damage the company's goodwill and reputation. This challenge is intensified when trying to detect and/or prevent data leakage/misuse performed by an insider with legitimate permissions to access the organization's systems and its critical data. In this paper we propose a new approach for identifying suspicious insiders who can access data stored in a database via an application. In the proposed method suspicious access to sensitive data is detected by analyzing the result-sets sent to the user following a request that the user submitted. Result-sets are analyzed within the instantaneous context in which the request was submitted. From the analysis of the result-set and the context we derive a "level of anomality". If the derived level is above a predefined threshold, an alert can be sent to the security officer. The proposed method applies data-linkage techniques in order to link the contextual features and the result-sets. Machine learning algorithms are then employed for generating a behavioral model during a learning phase. The behavioral model encapsulates knowledge on the behavior of a user; i.e., the characteristics of the result-sets of legitimate or malicious requests. This behavioral model is used for identifying malicious requests based on their abnormality. An evaluation with sanitized data shows the usefulness of the proposed method in detecting data misuse.
Citations: 25
Reverse engineering for mobile systems forensics with Ares
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866892
Jonathan S. Tuttle, R. Walls, E. Learned-Miller, B. Levine
We present Ares, a reverse engineering technique for assisting in the analysis of data recovered for the investigation of mobile and embedded systems. The focus of investigations into insider activity is most often on the data stored on the insider's computers and digital devices - call logs, email messaging, calendar entries, text messages, and browser history - rather than on the status of the system's security. Ares is novel in that it uses a data-driven approach that incorporates natural language processing techniques to infer the layout of input data that has been created according to some unknown specification. While some other reverse engineering techniques based on instrumentation of executables offer high accuracy, they are hard to apply to proprietary phone architectures. We evaluated the effectiveness of Ares on call logs and contact lists from ten used Nokia cell phones. We created a rule set by manually reverse engineering a single Nokia phone. Without modification to that grammar, Ares parsed most phones' data with 90% of the accuracy of a commercial forensics tool based on manual reverse engineering, and all phones with at least 50% accuracy even though the endianness for one phone changed.
Citations: 6
Role-based differentiation for insider detection algorithms
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866897
Suraj Nellikar, D. Nicol, Jai J. Choi
Insider threat problems are widespread in industry today, resulting in large losses of intellectual property. Reputable reports assert that attacks from within an organization are on the rise, making detection of insider-based attacks a top priority. This paper evaluates the effectiveness of using role-based differentiation of user behavior as a tool in detecting insider attack behavior. This differentiation is natural in contexts where role-based access control (RBAC) mechanisms are in place. Using synthetically generated traffic (which puts placement and intensity of insider behavior under experimental control), we train five different algorithms on "normal" behavior with and without RBAC differentiation, and measure the accuracy of detecting malicious behavior with, and without RBAC, as a function of insider behavior. We find that in some contexts RBAC differentiation significantly reduces these errors. However, in our experiments two of the five algorithms had statistically significant increases in false positives under RBAC as opposed to non-RBAC. However, these increases are small compared to the very large gain in detection capability that RBAC brings, and we conclude that RBAC is very much worth considering as a tool for insider threat detection.
Citations: 6
Detecting insider activity using enhanced directory virtualization
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866894
W. Claycomb, Dongwan Shin
Insider threats often target authentication and access control systems, which are frequently based on directory services. Detecting these threats is challenging, because malicious users with the technical ability to modify these structures often have sufficient knowledge and expertise to conceal unauthorized activity. The use of directory virtualization to monitor various systems across an enterprise can be a valuable tool for detecting insider activity. The addition of a policy engine to directory virtualization services enhances monitoring capabilities by allowing greater flexibility in analyzing changes for malicious intent. The resulting architecture is a system-based approach, where the relationships and dependencies between data sources and directory services are used to detect an insider threat, rather than simply relying on point solutions. This paper presents such an architecture in detail, including a description of implementation results.
Citations: 9
Duress detection for authentication attacks against multiple administrators
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866895
Emil Stefanov, M. Atallah
An authentication system is duress-resistant if it allows a user or system administrator to covertly send a silent alarm during the login process, indicating that they are being forced to authenticate against their will. The adversary knows that the system has this feature, e.g., if two passwords are used (one normal and one duress) then the adversary will demand from a victim both passwords. We require that the adversary is not able to distinguish a non-cooperating victim from a cooperating victim, even if there are multiple victims some of whom cooperate while others do not. To avoid a false alarm, we also require that the probability of a user accidentally sending a duress signal (e.g., through typos) is small. After arguing that existing techniques are inadequate for such requirements, we present our design and implementation of a duress-resistant authentication system that can be used by any number of administrators and users. Our system is compatible with existing authentication systems, and can be implemented as an augmentation of their capabilities that does not require modification of their internals.
Citations: 6
M-score: estimating the potential damage of data leakage incident by assigning misuseability weight
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866891
Amir Harel, A. Shabtai, L. Rokach, Y. Elovici
Over the past few years data leakage and data misuse have become a major concern for organizations. A data leakage or data misuse incident can damage an organization's reputation and brand name as well as compromise the privacy of its customers. Much research has been conducted in order to find a solution to these threats. Most methods are based on anomaly detection that tracks the user's behavior by examining the syntax of SQL queries in order to detect outlier queries. Other methods examine the data retrieved by the query. In this paper, we propose a new concept for analyzing the retrieved data - the Misuseability Weight. This approach focuses on assigning a score that represents the sensitivity level of the data exposed to the user. This measure predicts the ability of a user to exploit the exposed data in a malicious way. We suggest a new measure, the M-score, which assigns a misuseability weight to a table of data, propose some properties of the new measure, and demonstrate its usefulness over several leakage scenarios.
Citations: 32
Using empirical insider threat case data to design a mitigation strategy
Pub Date : 2010-10-08 DOI: 10.1145/1866886.1866888
Dawn M. Cappelli
1. Understanding the Complexity of Insider Threat
According to research by the CERT Program (CERT) in the Software Engineering Institute at Carnegie Mellon University, approximately half of all organizations experience at least one electronic crime perpetrated by an insider each year. These crimes include theft, sabotage, fraud, and espionage. CERT began researching this problem in 2001. It has compiled a database of more than 500 criminal cases in which current or former employees, contractors, or business partners abused the trust and access associated with their positions. As part of its research, CERT interviewed many victim organizations. It also interviewed some perpetrators themselves, complementing a wealth of case data with first-hand insights into the methods and motivations behind these crimes.
Citations: 1
ReDS: reputation for directory services in P2P systems
Pub Date : 1900-01-01 DOI: 10.1145/1866886.1866896
R. Akavipat, Apurv Dhadphale, Apu Kapadia, M. Wright
P2P systems rely on directory services for locating peers with the desired content and services. Directory services are themselves decentralized, such as with distributed hash tables (DHTs) that allow for efficient locating of objects without a centralized directory. As a system distributed over a diverse set of untrusted nodes, however, directory services must be resilient to adversarial behavior by such malicious insiders. While redundancy-based DHTs such as Salsa and Halo mitigate the effects of adversarial behavior, they incur substantial overhead due to redundant lookups. We propose Reputation for Directory Services (ReDS), a framework for using reputation management to enhance the security and reduce the costs of redundancy-based DHTs in the face of insider attacks. We present ReDS designs for both Salsa and Halo, and we show that peers can significantly boost the success rates of directory lookups by considering past performance. For example, our simulations show that Salsa-ReDS can reduce lookup failure rates by up to 94%. We find that applying ReDS effectively cuts the redundancy required by both Salsa and Halo in half to get comparable results.
Citations: 1