We have met the enemy and he is us

The insider threat has long been considered one of the most serious threats in computer security, and one of the most difficult to combat. But the problem has never been defined precisely, and that lack of precise definition inhibits solutions. This paper presents a precise definition of insider threat, and shows how the definition enables an analysis of the set of problems traditionally lumped into "the insider threat". It introduces a hierarchy of policy abstractions, and argues that the discrepancies between the different layers of abstraction expose the potential for insider threat. It also presents a methodology for analyzing the threat based upon our definitions. In the process, we introduce Attribute-Based Group Access Control, a generalization of the Role-Based Access Control model that allows any attributes to define a group. We apply this to the insider threat by defining groups based on access capabilities, and using that to identify users with a high level of threat with respect to high-risk resources.
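As an added illustration, not taken from the paper, the Python sketch below models the capability-based grouping the abstract describes: RBAC role permissions are flattened into per-user capabilities, an ABGAC group is simply any predicate over user attributes (here department membership or derived capabilities), and users are ranked by how much access they hold to high-risk resources. The role table, resource risk levels and scoring weights are constructed assumptions for the example.

```python
from typing import Callable, Set, Tuple

# Constructed sample data (assumption): resource -> risk level.
RESOURCES = {"payroll_db": "high", "hr_records": "high",
             "build_server": "medium", "wiki": "low"}

# Constructed RBAC layer (assumption): role -> set of (resource, operation).
ROLE_PERMS = {
    "dba": {("payroll_db", "read"), ("payroll_db", "write"), ("hr_records", "read")},
    "hr": {("hr_records", "read"), ("hr_records", "write"), ("wiki", "read")},
    "dev": {("build_server", "write"), ("wiki", "write")},
    "everyone": {("wiki", "read")},
}

# Constructed users with arbitrary attributes (roles, department).
USERS = {
    "alice": {"roles": {"dba", "everyone"}, "dept": "it"},
    "bob": {"roles": {"hr", "everyone"}, "dept": "hr"},
    "carol": {"roles": {"dev", "everyone"}, "dept": "eng"},
    "dave": {"roles": {"dba", "hr", "everyone"}, "dept": "it"},
}

def capabilities(user: str) -> Set[Tuple[str, str]]:
    """Flatten a user's roles into the concrete access capabilities they grant."""
    caps: Set[Tuple[str, str]] = set()
    for role in USERS[user]["roles"]:
        caps |= ROLE_PERMS[role]
    return caps

def group(predicate: Callable[[str], bool]) -> Set[str]:
    """ABGAC group: the set of users satisfying an arbitrary attribute predicate."""
    return {u for u in USERS if predicate(u)}

def group_by_dept(dept: str) -> Set[str]:
    return group(lambda u: USERS[u]["dept"] == dept)

def can_write_high_risk(user: str) -> bool:
    return any(RESOURCES[r] == "high" and op == "write" for r, op in capabilities(user))

def high_risk_writers() -> Set[str]:
    """Group defined by a derived capability rather than a static role."""
    return group(can_write_high_risk)

def threat_score(user: str) -> int:
    """Assumed weighting: high-risk resources count most, writes double the weight."""
    weights = {"high": 3, "medium": 1, "low": 0}
    return sum(weights[RESOURCES[r]] * (2 if op == "write" else 1)
               for r, op in capabilities(user))

def rank_users() -> list:
    """Users ordered from highest to lowest access-based threat score."""
    return sorted(USERS, key=lambda u: -threat_score(u))
```

Note that dave ranks highest not because of any role by itself but because the combination of roles gives write access to every high-risk resource, which is exactly the kind of discrepancy between policy layers the abstract points to.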
