Countering Network-Centric Insider Threats through Self-Protective Autonomic Rule Generation

Insider threats are a growing problem for today's organizations. Detecting such attacks is especially challenging because most system owners and system administrators use the network to remotely manage the systems they are responsible for, so legitimate and malicious privileged activity travel over the same channels. In previous work, we introduced the Autonomic Violation Prevention System (AVPS), whose scalable architecture is designed to deal with such threats. That system uses low-level, human-specified, manually entered rules to protect networked applications from disgruntled privileged users. However, rule-based systems are difficult to maintain once the number of rules grows large. This paper addresses that problem by letting humans enter a smaller number of high-level rules (HLRs), each of which is automatically translated into one or more low-level rules based on an analysis of the incoming network traffic. The paper discusses how various HLRs can detect new unwanted behaviors without any user intervention. Experiments conducted on three types of applications, FTP, database, and Web, show that the enhanced AVPS can detect both known and unknown insider attacks through high-level rules and process automation.
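The following is an added illustration of the HLR-to-low-level-rule expansion the abstract describes; it is not code from the paper or from AVPS. The rule syntax, the traffic record fields (user, protocol, destination port, bytes transferred, hour of day), the baseline and test traffic, and the specific thresholds are all constructed assumptions chosen to show the mechanism: one human-entered rule is expanded into one low-level rule per (user, protocol, port) endpoint mined from observed traffic, and endpoints that the baseline never showed are flagged as well, which is how a rule written once can catch access patterns nobody enumerated.

```python
"""Hypothetical high-level -> low-level rule expansion in the spirit of the
enhanced AVPS described above. The rule syntax, traffic fields and sample
records are constructed for this example; they are not the paper's own."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline traffic: one record per observed privileged session.
BASELINE = [
    {"user": "dba1", "proto": "db",   "dst_port": 3306, "bytes": 2_000,  "hour": 10},
    {"user": "dba1", "proto": "db",   "dst_port": 3306, "bytes": 5_000,  "hour": 14},
    {"user": "ops1", "proto": "ftp",  "dst_port": 21,   "bytes": 40_000, "hour": 11},
    {"user": "ops1", "proto": "ftp",  "dst_port": 21,   "bytes": 60_000, "hour": 16},
    {"user": "web1", "proto": "http", "dst_port": 80,   "bytes": 8_000,  "hour": 9},
]

# Constructed traffic seen after the low-level rules were generated.
NEW_TRAFFIC = [
    {"user": "dba1", "proto": "db",   "dst_port": 3306, "bytes": 4_000,  "hour": 11},  # normal
    {"user": "dba1", "proto": "db",   "dst_port": 3306, "bytes": 50_000, "hour": 11},  # bulk export
    {"user": "ops1", "proto": "ftp",  "dst_port": 21,   "bytes": 10_000, "hour": 2},   # off hours
    {"user": "dba1", "proto": "db",   "dst_port": 5432, "bytes": 100,    "hour": 12},  # never-seen endpoint
    {"user": "web1", "proto": "http", "dst_port": 80,   "bytes": 9_000,  "hour": 12},  # outside HLR scope
]

Key = Tuple[str, str, int]  # (user, proto, dst_port)


@dataclass(frozen=True)
class HighLevelRule:
    """One human-entered rule covering a whole class of privileged access."""
    name: str
    protocols: Tuple[str, ...]
    business_hours: Tuple[int, int]  # [start, end) in whole hours
    volume_factor: float             # allowed multiple of the observed per-endpoint peak


@dataclass(frozen=True)
class LowLevelRule:
    """Generated per (user, proto, port); this is what an enforcement point matches."""
    name: str
    key: Key
    max_bytes: int
    allowed_hours: Tuple[int, int]

    def matches(self, rec: Dict) -> bool:
        return (rec["user"], rec["proto"], rec["dst_port"]) == self.key

    def violated_by(self, rec: Dict) -> bool:
        start, end = self.allowed_hours
        off_hours = not (start <= rec["hour"] < end)
        return off_hours or rec["bytes"] > self.max_bytes


def expand(hlr: HighLevelRule, traffic: List[Dict]) -> List[LowLevelRule]:
    """Translate one HLR into low-level rules by mining the baseline traffic:
    every (user, proto, port) combination seen on an in-scope protocol gets
    its own rule, with a byte ceiling derived from the peak that was observed."""
    peaks: Dict[Key, int] = {}
    for rec in traffic:
        if rec["proto"] not in hlr.protocols:
            continue
        key: Key = (rec["user"], rec["proto"], rec["dst_port"])
        peaks[key] = max(peaks.get(key, 0), rec["bytes"])
    return [
        LowLevelRule(
            name=f"{hlr.name}/{user}/{proto}/{port}",
            key=(user, proto, port),
            max_bytes=int(peak * hlr.volume_factor),
            allowed_hours=hlr.business_hours,
        )
        for (user, proto, port), peak in sorted(peaks.items())
    ]


def evaluate(hlr: HighLevelRule, rules: List[LowLevelRule],
             traffic: List[Dict]) -> List[Tuple[str, Dict]]:
    """Return (reason, record) for every record that trips a low-level rule.
    A record on an in-scope protocol that matches no generated rule is an
    endpoint the baseline never showed, so it is flagged too (default deny)."""
    hits: List[Tuple[str, Dict]] = []
    for rec in traffic:
        matched = [r for r in rules if r.matches(rec)]
        if not matched:
            if rec["proto"] in hlr.protocols:
                hits.append(("unlearned-endpoint", rec))
            continue
        for r in matched:
            if r.violated_by(rec):
                hits.append((r.name, rec))
    return hits


# Hypothetical HLR: privileged FTP and database access, business hours only,
# no more than twice the volume each endpoint has been seen to move.
HLR = HighLevelRule("priv-remote-data-access", ("ftp", "db"), (8, 18), 2.0)

if __name__ == "__main__":
    llrs = expand(HLR, BASELINE)
    for r in llrs:
        print("generated:", r.name, "max_bytes =", r.max_bytes)
    for reason, rec in evaluate(HLR, llrs, NEW_TRAFFIC):
        print("flagged:", reason, rec)
```

Two design points carry over to a real deployment. The byte ceiling is only as good as the baseline it was mined from, so the learning window must be one the privileged user could not have poisoned, and the default-deny on unlearned endpoints is what lets the single HLR catch the connection to a database port nobody had written a rule for; if an operator legitimately needs that endpoint, the fix is to re-expand the HLR over traffic that includes it, not to hand-edit the generated low-level rule.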
