Toward an Insider Threat Detection Framework Using Honey Permissions

The insider threat remains one of the most serious challenges in computer security. An insider attack occurs when an authorized user misuses their privileges and causes damage to the organization. Deception techniques have become a common approach to insider threat detection, and several techniques, such as those based on honey entities, have been proposed. Access control systems, on the other hand, lack the ability to detect insider threats. In this paper, we focus on integrating deception into the role-based access control (RBAC) model, one of the most widely used access control models. We introduce the notion of a "honey permission" and use it to extend RBAC so that it can help detect insider threats. We define honey permissions as permissions that exceed a role's authorized access and are assigned to a subset of roles known as "candidate roles". The objects referenced by honey permissions are fake versions of sensitive objects that are enticing to malicious users, so an attempt by an unauthorized user to access a sensitive resource is detected when the decoy is touched. We extend the RBAC model by adding honey permissions, designating candidate roles, and adding a monitoring unit that watches the sessions whose owners have activated a subset of the candidate roles and that access an object through a honey permission. We propose an algorithm to select candidate roles and assign honey permissions to them. Furthermore, we provide a security analysis and evaluate the overhead that the extension adds to an RBAC system.
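The abstract describes the extended model at the level of sets and relations: roles with authorized permissions, candidate roles that additionally carry honey permissions over decoy objects, sessions that activate roles, and a monitor that alerts when a honey permission is exercised. The following is an added example, not code from the paper, showing one way to represent that model. It assumes a dictionary-based RBAC core, takes the candidate roles and their honey permissions as given input (it does not implement the paper's selection algorithm), and uses a constructed sample policy in which `payroll_decoy` stands in for a fake version of the sensitive `payroll` object.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """An (operation, object) pair, as in the RBAC permission set."""
    operation: str
    obj: str


@dataclass
class HoneyRBAC:
    """RBAC core extended with honey permissions and a session monitor.

    roles:       role -> authorized permissions (the ordinary PA relation)
    user_roles:  user -> roles the user may activate (the UA relation)
    honey_perms: candidate role -> honey permissions; every object here is
                 assumed to be a decoy copy of a sensitive object, and each
                 permission must exceed the role's authorized access.
    """
    roles: dict
    user_roles: dict
    honey_perms: dict
    sessions: dict = field(default_factory=dict)   # session id -> (user, active roles)
    alerts: list = field(default_factory=list)

    def __post_init__(self):
        # A honey permission must not duplicate anything the candidate role is
        # already authorized for; otherwise legitimate use would raise an alert.
        for role, hperms in self.honey_perms.items():
            overlap = hperms & self.roles.get(role, set())
            if overlap:
                raise ValueError(f"honey permission overlaps authorized access for {role}: {overlap}")

    def create_session(self, sid, user, activate):
        """Open a session; a user may only activate roles assigned to them."""
        activate = set(activate)
        assigned = self.user_roles.get(user, set())
        if not activate <= assigned:
            raise PermissionError(f"{user} cannot activate {activate - assigned}")
        self.sessions[sid] = (user, activate)

    def is_monitored(self, sid):
        """The monitoring unit watches sessions that activate any candidate role."""
        _, active = self.sessions[sid]
        return any(role in self.honey_perms for role in active)

    def check_access(self, sid, operation, obj):
        """Return 'allow', 'honey' (decoy served and alert recorded) or 'deny'."""
        user, active = self.sessions[sid]
        requested = Permission(operation, obj)
        # Genuine authorization is checked first; honey permissions never override it.
        if any(requested in self.roles.get(role, set()) for role in active):
            return "allow"
        tripped = sorted(role for role in active
                         if requested in self.honey_perms.get(role, set()))
        if tripped:
            # The access "succeeds" against the decoy, and the monitor records it.
            self.alerts.append({"session": sid, "user": user, "roles": tripped,
                                "operation": operation, "object": obj})
            return "honey"
        return "deny"


def read(obj):
    return Permission("read", obj)


def build_demo():
    """Constructed sample policy (hypothetical, not taken from the paper)."""
    roles = {
        "clerk": {read("invoices")},
        "hr_manager": {read("invoices"), read("payroll")},
    }
    user_roles = {"alice": {"clerk"}, "bob": {"clerk", "hr_manager"}}
    # 'clerk' is the candidate role; its honey permission points at the decoy.
    honey_perms = {"clerk": {read("payroll_decoy")}}
    return HoneyRBAC(roles, user_roles, honey_perms)


def run_scenario():
    """Exercise two sessions: one monitored (candidate role active), one not."""
    rbac = build_demo()
    rbac.create_session("s1", "alice", {"clerk"})
    rbac.create_session("s2", "bob", {"hr_manager"})
    return {
        "s1_monitored": rbac.is_monitored("s1"),
        "s2_monitored": rbac.is_monitored("s2"),
        "alice_invoices": rbac.check_access("s1", "read", "invoices"),
        "alice_decoy": rbac.check_access("s1", "read", "payroll_decoy"),
        "bob_payroll": rbac.check_access("s2", "read", "payroll"),
        "bob_decoy": rbac.check_access("s2", "read", "payroll_decoy"),
        "alerts": len(rbac.alerts),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points follow from the abstract's definitions. First, authorized access is evaluated before honey permissions, so a honey permission can never shadow a real one, and the `__post_init__` check rejects a honey permission that overlaps the candidate role's own authorized set, which would otherwise turn normal work into false alerts. Second, only sessions that activate a candidate role are monitored: bob's `hr_manager`-only session is not watched, and his request for the decoy is simply denied rather than alerted, whereas alice's `clerk` session trips the honey permission and produces an alert.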
