使用增强的目录虚拟化检测内部活动

Insider Threats '10 Pub Date : 2010-10-08 DOI:10.1145/1866886.1866894

W. Claycomb, Dongwan Shin

{"title":"使用增强的目录虚拟化检测内部活动","authors":"W. Claycomb, Dongwan Shin","doi":"10.1145/1866886.1866894","DOIUrl":null,"url":null,"abstract":"Insider threats often target authentication and access control systems, which are frequently based on directory services. Detecting these threats is challenging, because malicious users with the technical ability to modify these structures often have sufficient knowledge and expertise to conceal unauthorized activity. The use of directory virtualization to monitor various systems across an enterprise can be a valuable tool for detecting insider activity. The addition of a policy engine to directory virtualization services enhances monitoring capabilities by allowing greater flexibility in analyzing changes for malicious intent. The resulting architecture is a system-based approach, where the relationships and dependencies between data sources and directory services are used to detect an insider threat, rather than simply relying on point solutions. This paper presents such an architecture in detail, including a description of implementation results.","PeriodicalId":249095,"journal":{"name":"Insider Threats '10","volume":"33 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-10-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":"{\"title\":\"Detecting insider activity using enhanced directory virtualization\",\"authors\":\"W. Claycomb, Dongwan Shin\",\"doi\":\"10.1145/1866886.1866894\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Insider threats often target authentication and access control systems, which are frequently based on directory services. Detecting these threats is challenging, because malicious users with the technical ability to modify these structures often have sufficient knowledge and expertise to conceal unauthorized activity. The use of directory virtualization to monitor various systems across an enterprise can be a valuable tool for detecting insider activity. The addition of a policy engine to directory virtualization services enhances monitoring capabilities by allowing greater flexibility in analyzing changes for malicious intent. The resulting architecture is a system-based approach, where the relationships and dependencies between data sources and directory services are used to detect an insider threat, rather than simply relying on point solutions. This paper presents such an architecture in detail, including a description of implementation results.\",\"PeriodicalId\":249095,\"journal\":{\"name\":\"Insider Threats '10\",\"volume\":\"33 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2010-10-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"9\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Insider Threats '10\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/1866886.1866894\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Insider Threats '10","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1866886.1866894","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

摘要

内部威胁通常针对身份验证和访问控制系统，这些系统通常基于目录服务。检测这些威胁具有挑战性，因为具有修改这些结构的技术能力的恶意用户通常具有足够的知识和专业知识来隐藏未经授权的活动。使用目录虚拟化来监视企业中的各种系统，对于检测内部活动来说是一种很有价值的工具。将策略引擎添加到目录虚拟化服务中，可以更灵活地分析恶意意图的更改，从而增强监视功能。由此产生的体系结构是一种基于系统的方法，其中数据源和目录服务之间的关系和依赖关系用于检测内部威胁，而不是简单地依赖于点解决方案。本文详细介绍了这种体系结构，包括实现结果的描述。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Detecting insider activity using enhanced directory virtualization

Insider threats often target authentication and access control systems, which are frequently based on directory services. Detecting these threats is challenging, because malicious users with the technical ability to modify these structures often have sufficient knowledge and expertise to conceal unauthorized activity. The use of directory virtualization to monitor various systems across an enterprise can be a valuable tool for detecting insider activity. The addition of a policy engine to directory virtualization services enhances monitoring capabilities by allowing greater flexibility in analyzing changes for malicious intent. The resulting architecture is a system-based approach, where the relationships and dependencies between data sources and directory services are used to detect an insider threat, rather than simply relying on point solutions. This paper presents such an architecture in detail, including a description of implementation results.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Insider Threats '10

自引率

0.00%

发文量

期刊最新文献

M-score: estimating the potential damage of data leakage incident by assigning misuseability weight Using empirical insider threat case data to design a mitigation strategy Reverse engineering for mobile systems forensics with Ares Detecting insider activity using enhanced directory virtualization Duress detection for authentication attacks against multiple administrators