Insider abuse comprehension through capability acquisition graphs

Insider attacks constitute one of the most potent, yet most difficult to detect, threats to information security in the cyber domain. Malicious actions perpetrated by privileged insiders usually circumvent intrusion detection systems (IDS) and other mechanisms designed to detect and prevent unauthorized activity. In this paper, we present an architectural framework and technique to aid situation awareness of insider threats in a networked computing environment such as a corporate network. Individual actions by users are analyzed using a theoretical model called a Capability Acquisition Graph (CAG) to evaluate their cumulative effect and detect possible violations. Our approach is based on periodic evaluation of the privileges that users accumulate with respect to critical information assets during their workflow. A static analysis tool called the Information-Centric Modeler and Auditor Program (ICMAP) is used to periodically construct CAGs, which are then analyzed to uncover possible attacks. The process is demonstrated on a real-world information process cycle.
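As an added example (not the paper's code and not its formal CAG definition), the following Python sketches the cumulative-privilege check the abstract describes: each logged action grants a user one capability, an assumed rule set states which further capabilities a combination of held capabilities yields, and a periodic audit flags users whose accumulated privileges reach a critical asset even though no single action touched it. All capability names, rules and events are constructed.

```python
from collections import defaultdict

# Assumed acquisition rules (constructed, not the paper's formalism): target
# capability -> alternative prerequisite sets; holding every capability in
# any one set lets the user acquire the target.
RULES = {
    "read_build_config": [{"mount_fileshare"}],
    "read_key_path": [{"read_build_config", "local_admin"}],  # needs both
    "export_signing_key": [{"read_key_path"}],
}
# Critical asset, named as the capability ordinary users must never reach.
CRITICAL_ASSETS = {"export_signing_key"}

# Constructed audit-log events: (time, user, capability granted by the action).
EVENTS = [
    ("09:00", "alice", "vpn_login"),
    ("09:05", "alice", "mount_fileshare"),
    ("10:20", "bob", "mount_fileshare"),
    ("13:40", "bob", "local_admin"),
]

def acquired_by(events, until="99:99"):
    """Capabilities each user has accumulated from actions up to 'until'."""
    held = defaultdict(set)
    for time, user, cap in events:
        if time <= until:
            held[user].add(cap)
    return held

def closure(held, rules=RULES):
    """Fixpoint: keep adding capabilities whose prerequisites are all held."""
    reach = set(held)
    changed = True
    while changed:
        changed = False
        for target, alternatives in rules.items():
            if target not in reach and any(pre <= reach for pre in alternatives):
                reach.add(target)
                changed = True
    return reach

def audit(events, until="99:99", critical=CRITICAL_ASSETS):
    """Periodic check: users whose accumulated capabilities reach a critical
    asset, even though no single logged action touched it."""
    findings = {}
    for user, held in acquired_by(events, until).items():
        hit = closure(held) & critical
        if hit:
            findings[user] = sorted(hit)
    return findings  # audit(EVENTS) -> {'bob': ['export_signing_key']}
```

Running the audit at 12:00 finds nothing, while the end-of-day run flags bob: the signing-key export is never logged, but his mounted share plus later local-admin grant together reach it.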
