Inferring Sources of Leaks in Document Management Systems

A document management system (DMS) provides for secure operations on a distributed repository of digital documents. This paper presents a two-phase approach to address the problem of locating the sources of information leaks in a DMS. The initial monitoring phase treats user interactions in a DMS as a series of transactions, each involving content manipulation by a user; in addition to standard audit logging, relevant contextual information and user-related metrics for transactions are recorded. In the detection phase, leaked information is correlated with the existing document repository and context information to identify the sources of leaks. The monitoring and detecting phases are incorporated in a forensic extension module (FEM) to a DMS to combat the insider threat.
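A sketch of the detection-phase correlation described in the abstract, added here as an illustration; it is not the paper's FEM implementation. The `Transaction` fields, the k-word shingle containment measure, the 0.6 threshold and all sample data are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:          # one monitored DMS transaction; field names are assumptions
    user: str
    doc_id: str
    version: int
    op: str                 # e.g. "read" or "write"
    ts: int                 # time of the transaction (epoch seconds)

def shingles(text, k=4):
    """Case-folded k-word shingles of text (short texts give one shingle)."""
    words = text.lower().split()
    if not words:
        return set()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def containment(leak, doc, k=4):
    """Fraction of the leak's shingles that also occur in doc."""
    ls = shingles(leak, k)
    return len(ls & shingles(doc, k)) / len(ls) if ls else 0.0

def infer_sources(leak, leak_ts, repo, log, threshold=0.6):
    """Rank users whose transactions touched a matching version before leak_ts."""
    matched = {}
    for key, text in repo.items():          # correlate leak with every stored version
        score = containment(leak, text)
        if score >= threshold:
            matched[key] = score
    best = {}
    for t in log:                           # join matches against the transaction log
        score = matched.get((t.doc_id, t.version))
        if score is not None and t.ts <= leak_ts:
            best[t.user] = max(best.get(t.user, 0.0), score)
    return sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data: repository keyed by (doc_id, version), then the log.
REPO = {
    ("D1", 1): "quarterly forecast draft revenue expected to grow five percent next year",
    ("D1", 2): "quarterly forecast final revenue expected to fall twelve percent after the plant closure in march",
    ("D2", 1): "cafeteria menu for the week includes soup and salad every day",
}
LOG = [Transaction("alice", "D1", 1, "read", 100), Transaction("bob", "D1", 2, "write", 200),
       Transaction("carol", "D1", 2, "read", 300), Transaction("dave", "D1", 2, "read", 900),
       Transaction("erin", "D2", 1, "read", 150)]
LEAK = "revenue expected to fall twelve percent after the plant closure"

if __name__ == "__main__":
    print(infer_sources(LEAK, 500, REPO, LOG))
```

Matching at the version level is what narrows the candidate set: alice only saw version 1, which lacks the leaked wording, and dave's access came after the leak was observed.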
