论文信息 - Detecting the Misappropriation of Sensitive Information through Bottleneck Monitoring

Detecting the Misappropriation of Sensitive Information through Bottleneck Monitoring

Abstract : The insider threat has proved a tough nut to crack. Previous work in this area has been dominated by efforts to model normal user behavior through statistical measures and then detect substantial anomalies. Unfortunately, while these methods have shown some ability in the detection of masqueraders, broader applications have proved ineffectual due to extremely high false alarm rates. In this paper, the authors describe an alternative approach, Stochastic Long-String Analysis with Feedback (SL-SAFE), that can achieve high levels of accuracy in detecting the unauthorized access and distribution of sensitive/proprietary information by insiders -- the single most costly type of computer crime. SL-SAFE succeeds in this task by means of a stochastic sampling of bottlenecks through which information must flow to be useful to the malicious insider. Further, it achieves a low (and shrinking) false alarm rate by validating its suspicions through public information sources and eliciting feedback from the information owner.

Terrance Goan | Matthew Broadhead

[1] Justin Zobel,et al. Methods for Identifying Versioned and Plagiarized Documents , 2003, J. Assoc. Inf. Sci. Technol..

[2] Richard P. Lippmann,et al. Using Bottleneck Verification to Find Novel New Attacks with a Low False Alarm Rate , 1998 .

[3] Rangaswamy Jagannathan,et al. SYSTEM DESIGN DOCUMENT: NEXT-GENERATION INTRUSION DETECTION EXPERT SYSTEM (NIDES) , 1993 .

[4] Stephanie Forrest,et al. A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[5] Peter G. Neumann,et al. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.

[6] Geoffrey H. Kuenning,et al. Detecting insider threats by monitoring system call activity , 2003, IEEE Systems, Man and Cybernetics SocietyInformation Assurance Workshop, 2003..

[7] E Flahavin,et al. 19th National Information Systems Security Conference , 1997 .

[8] Michael Gertz,et al. DEMIDS: A Misuse Detection System for Database Systems , 2000, IICIS.

[9] Philip K. Chan,et al. Learning Patterns from Unix Process Execution Traces for Intrusion Detection , 1997 .

[10] Carla E. Brodley,et al. Temporal sequence learning and data reduction for anomaly detection , 1998, CCS '98.

[11] Harold S. Javitz,et al. The NIDES Statistical Component Description and Justification , 1994 .