Towards insider threat detection using web server logs

Malicious insiders represent one of the most difficult categories of threats an organization must consider when mitigating operational risk. Insiders by definition possess legitimate, and often elevated, privileges; have knowledge of the control measures in place; and may be able to bypass security measures designed to prevent, detect, or react to unauthorized access. In this paper, we discuss our initial research efforts focused on the detection of malicious insiders who exploit internal organizational web servers. The objective of the research is to apply lessons learned in network monitoring and enterprise log management to investigate various approaches for detecting insider threat activities using standardized tools and a common event expression framework.
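The abstract describes the general approach only; as an added illustration (not code from the paper, and not its authors' detection method), the script below shows what the pipeline looks like in practice: web server access-log lines are parsed into a flat, normalized event record, and a few insider-oriented heuristics are run over the normalized stream. The log lines are constructed for this example, the field names of the normalized record are an illustrative key/value layout rather than the actual CEE schema, and the four rules (bulk export enumeration, off-hours authenticated access, repeated authorization failures, path traversal in the request) are hypothetical heuristics chosen to show the kind of signal such logs carry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (illustrative, not real traffic).
SAMPLE_LOGS = """\
10.1.2.3 - alice [10/Oct/2009:13:55:36 -0400] "GET /hr/benefits HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.1.2.3 - alice [10/Oct/2009:13:56:01 -0400] "GET /hr/payroll/export?dept=eng HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
10.1.2.3 - alice [10/Oct/2009:13:56:04 -0400] "GET /hr/payroll/export?dept=sales HTTP/1.1" 200 87310 "-" "Mozilla/5.0"
10.1.2.3 - alice [10/Oct/2009:13:56:07 -0400] "GET /hr/payroll/export?dept=ops HTTP/1.1" 200 90102 "-" "Mozilla/5.0"
10.1.2.9 - bob [10/Oct/2009:02:14:22 -0400] "GET /hr/payroll/export?dept=eng HTTP/1.1" 200 98211 "-" "curl/7.19.7"
10.1.2.9 - bob [10/Oct/2009:02:14:25 -0400] "GET /finance/ledger HTTP/1.1" 403 512 "-" "curl/7.19.7"
10.1.2.9 - bob [10/Oct/2009:02:14:26 -0400] "GET /finance/ledger/../../etc/passwd HTTP/1.1" 404 220 "-" "curl/7.19.7"
"""

# Combined log format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_event(line):
    """Normalize one access-log line into a flat event record.

    The key names are an illustrative layout for this example, not the CEE schema.
    Returns None for lines that do not match, so malformed input is skipped, not fatal.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    obj, _, query = d["path"].partition("?")
    return {
        "time": datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "src_ip": d["host"],
        "user": None if d["user"] == "-" else d["user"],   # authenticated principal, if any
        "action": d["method"],
        "object": obj,                                       # resource path without query string
        "query": query,
        "status": int(d["status"]),
        "bytes": 0 if d["size"] == "-" else int(d["size"]),
        "agent": d["agent"],
    }


def detect(log_text, business_hours=(7, 19), export_min_distinct=3):
    """Run illustrative insider-threat heuristics over a block of log text.

    Returns a list of alert dicts {"rule", "user", "evidence"}. The rules and thresholds
    are hypothetical and would need tuning against an organization's own baseline.
    """
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    alerts = []
    exports = defaultdict(set)    # (user, export endpoint) -> distinct query strings seen
    off_hours = defaultdict(int)  # user -> authenticated requests outside business hours
    denied = defaultdict(int)     # user -> count of 403 responses

    for e in events:
        principal = e["user"] or e["src_ip"]
        # Rule 1: traversal sequence in the requested path (server logs the raw request line).
        if ".." in e["object"].split("/"):
            alerts.append({"rule": "path_traversal", "user": principal, "evidence": e["object"]})
        # Rule 2: authenticated activity outside the configured business-hours window.
        if e["user"] and not (business_hours[0] <= e["time"].hour < business_hours[1]):
            off_hours[principal] += 1
        # Rule 3: successful pulls of an export endpoint across many parameter values.
        if e["object"].endswith("/export") and e["status"] == 200:
            exports[(principal, e["object"])].add(e["query"])
        # Rule 4: authorization failures, a proxy for probing beyond granted access.
        if e["status"] == 403:
            denied[principal] += 1

    for user, n in off_hours.items():
        alerts.append({"rule": "off_hours_access", "user": user, "evidence": f"{n} requests"})
    for user, n in denied.items():
        alerts.append({"rule": "authz_failures", "user": user, "evidence": f"{n} x 403"})
    for (user, obj), queries in exports.items():
        if len(queries) >= export_min_distinct:
            alerts.append({"rule": "bulk_export", "user": user,
                           "evidence": f"{obj} with {len(queries)} distinct queries"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```

On the constructed sample, alice trips only the bulk-export rule (three distinct `dept=` values against the same export endpoint during business hours), while bob, working at 02:14 through `curl`, trips the off-hours, authorization-failure and path-traversal rules. The point is the layering: once lines are reduced to a common record, each rule is a few lines over named fields, and the same records can feed correlation across servers.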
