论文信息 - Profiling file repository access patterns for identifying data exfiltration activities

Profiling file repository access patterns for identifying data exfiltration activities

Studies show that a significant number of employees steal data when changing jobs. Insider attackers who have the authorization to access the best-kept secrets of organizations pose a great challenge for organizational security. Although increasing efforts have been spent on identifying insider attacks, little research concentrates on detecting data exfiltration activities. This paper proposes a model for identifying data exfiltration activities by insiders. It uses statistical methods to profile legitimate uses of file repositories by authorized users. By analyzing legitimate file repository access logs, user access profiles are created and can be employed to detect a large set of data exfiltration activities. The effectiveness of the proposed model was tested with file access histories from the subversion logs of the popular open source project KDE.

Yi Hu | James Walden | Charles E. Frank | Dhanuja Kasturiratna | Emily Crawford

[1] Hung Q. Ngo,et al. Towards a theory of insider threat assessment , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[2] Stephen H. Conrad,et al. A behavioral theory of insider-threat risks: A system dynamics approach , 2008, TOMC.

[3] Gregory Stephens,et al. Statistical profiling and visualization for detection of malicious insider attacks on computer networks , 2004, VizSEC/DMSEC '04.

[4] Andreas Karlsson,et al. Elementary Survey Sampling , 2007, Technometrics.

[5] Michael Gertz,et al. Data profiling and the access path model: a step toward addressing insider misuse in database systems , 2005 .

[6] Malek Ben Salem,et al. A Survey of Insider Attack Detection Research , 2008, Insider Attack and Cyber Security.

[7] Geoffrey H. Kuenning,et al. Detecting insider threats by monitoring system call activity , 2003, IEEE Systems, Man and Cybernetics SocietyInformation Assurance Workshop, 2003..

[8] Yali Liu,et al. SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack , 2008, 2009 42nd Hawaii International Conference on System Sciences.

[9] Steven B. Lipner,et al. A comment on the confinement problem , 1975, SOSP.

[10] E. Cole,et al. Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft , 2005 .

[11] Thomas Bozek,et al. Research on Mitigating the Insider Threat to Information Systems - #2 , 2000 .