Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence

The insider threat is only minimally addressed by current information security practice, yet the insider poses the most serious threat to an organization through a range of malicious activities. Forensic investigation is the means by which the presence of a malicious insider is established with digital evidence. The proposed surveillance mechanism for countering insider threats operates in two phases. In phase one, the network is monitored for incoming and outgoing packets. Since all information is transferred in packets, these packets are monitored and captured and their important features are extracted; investigation of the captured packets yields information about suspicious activities. In phase two, we mine various log files, which are considered to hold vital traces left behind when an insider attack has been performed. The log files are analysed to extract their key patterns, and the extracted patterns are processed further: suspicious data patterns are grouped into clusters to trace anomalies, and the patterns are classified as legal or anomalous with the help of a KNN classifier. If an anomaly is traced, the user's past activities are consulted and cross-checked against the features of the captured packets, and computational intelligence based on Dempster–Shafer theory is applied to combine this evidence and establish, with digital evidence and high accuracy, the presence of a malicious insider in the critical network.
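The two-phase pipeline above is easier to see end to end with a toy run. The following is an added example, not code from the paper: it parses constructed access-log lines into features, classifies a new pattern with a from-scratch KNN (k = 3) against constructed labelled patterns, turns the KNN vote and the captured-packet deviation from the user's own baseline into Dempster–Shafer mass functions, and fuses them with Dempster's rule. The log format, the feature set (hour encoded as distance from mid-day, files touched, KB transferred), k, the 0.2 classifier discount, the packet-deviation-to-mass mapping, the thresholds and every sample value are assumptions of this example. It also goes slightly beyond the text: the packet cross-check is always fused rather than only after an anomaly is traced, so disagreement between the two phases shows up as the conflict mass K.

```python
import math
import re
from collections import Counter

# Frame of discernment for Dempster-Shafer fusion.
MALICIOUS = frozenset({"malicious"})
BENIGN = frozenset({"benign"})
THETA = MALICIOUS | BENIGN

# Constructed, labelled phase-two log patterns (hour, files touched, KB read).
TRAINING_LOGS = [
    ("2014-03-02T09:12:01 user=alice files=12 kb=340", "legal"),
    ("2014-03-02T10:05:44 user=bob files=8 kb=120", "legal"),
    ("2014-03-02T14:30:10 user=carol files=15 kb=500", "legal"),
    ("2014-03-02T11:47:03 user=dave files=10 kb=200", "legal"),
    ("2014-03-02T16:02:55 user=erin files=9 kb=260", "legal"),
    ("2014-03-03T02:14:09 user=frank files=80 kb=9000", "anomaly"),
    ("2014-03-03T23:51:37 user=gina files=60 kb=7000", "anomaly"),
    ("2014-03-04T03:03:21 user=hank files=95 kb=12000", "anomaly"),
]
LOG_RE = re.compile(r"T(\d{2}):\d{2}:\d{2} user=(\w+) files=(\d+) kb=(\d+)")

def parse_log_line(line):
    """Return (user, [off_hours, files, kb]) for one constructed log line.
    Hour becomes circular distance from 13:00, so 02:00 and 23:00 both read
    as 'far from business hours' instead of 21 hours apart (assumed encoding)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    hour, user, files, kb = int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4))
    off_hours = min(abs(hour - 13), 24 - abs(hour - 13))
    return user, [float(off_hours), float(files), float(kb)]

def fit_scaler(vectors):
    """Per-feature mean/std so the KB column does not swamp the others."""
    n = len(vectors)
    means = [sum(v[i] for v in vectors) / n for i in range(3)]
    stds = [math.sqrt(sum((v[i] - means[i]) ** 2 for v in vectors) / n) or 1.0
            for i in range(3)]
    return means, stds

def scale(v, scaler):
    means, stds = scaler
    return [(v[i] - means[i]) / stds[i] for i in range(3)]

def knn_classify(train, query, scaler, k=3):
    """Majority vote of the k nearest training patterns (Euclidean distance on
    standardised features). Returns (label, fraction of 'anomaly' votes)."""
    q = scale(query, scaler)
    ranked = sorted((math.dist(q, scale(v, scaler)), label) for v, label in train)
    votes = Counter(label for _, label in ranked[:k])
    frac = votes["anomaly"] / k
    return ("anomaly" if frac > 0.5 else "legal"), frac

def mass_from_knn(anomaly_frac, discount=0.2):
    """Phase-two evidence as a mass function; `discount` stays on THETA to
    represent the classifier's own uncertainty (assumed value)."""
    return {MALICIOUS: (1 - discount) * anomaly_frac,
            BENIGN: (1 - discount) * (1 - anomaly_frac), THETA: discount}

def mass_from_packets(captured_kb, past_kb, cap=0.9):
    """Phase-one evidence: outbound volume in the captured packets relative to
    the user's past sessions. No support unless it exceeds the baseline."""
    deviation = captured_kb / (sum(past_kb) / len(past_kb))
    support = min(cap, 1 - 1 / deviation) if deviation > 1 else 0.0
    return {MALICIOUS: support, THETA: 1 - support}

def dempster_combine(m1, m2):
    """Dempster's rule: products of intersecting focal elements, renormalised
    by the conflict mass K. Returns (combined mass, K)."""
    combined, conflict = {}, 0.0
    for a, ma in m1.items():
        for b, mb in m2.items():
            if a & b:
                combined[a & b] = combined.get(a & b, 0.0) + ma * mb
            else:
                conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: the sources cannot be combined")
    return {c: v / (1 - conflict) for c, v in combined.items()}, conflict

def belief_plausibility(m, hypothesis):
    bel = sum(v for a, v in m.items() if a <= hypothesis)
    pl = sum(v for a, v in m.items() if a & hypothesis)
    return bel, pl

def assess(log_line, captured_kb, past_kb, confirm=0.9, suspect=0.5):
    """Run both phases and fuse the evidence. Bel(malicious) >= confirm is
    treated as evidence-backed; Pl(malicious) >= suspect cannot be ruled out."""
    train = [(parse_log_line(l)[1], lab) for l, lab in TRAINING_LOGS]
    scaler = fit_scaler([v for v, _ in train])
    user, features = parse_log_line(log_line)
    label, frac = knn_classify(train, features, scaler)
    fused, conflict = dempster_combine(mass_from_knn(frac),
                                       mass_from_packets(captured_kb, past_kb))
    bel, pl = belief_plausibility(fused, MALICIOUS)
    verdict = "confirmed" if bel >= confirm else "inconclusive" if pl >= suspect else "cleared"
    return {"user": user, "knn": label, "anomaly_frac": frac, "bel": bel,
            "pl": pl, "conflict": conflict, "verdict": verdict}

if __name__ == "__main__":
    past = [400, 350, 450]  # constructed per-session KB baseline for user ivan
    for line, kb in [("2014-03-05T01:33:12 user=ivan files=70 kb=8500", 8500),
                     ("2014-03-05T13:20:00 user=ivan files=11 kb=300", 9000),
                     ("2014-03-05T13:20:00 user=ivan files=11 kb=300", 300)]:
        print(assess(line, kb, past))
```

The three sample runs show the three outcomes a practitioner needs to distinguish: both phases agree (bulk off-hours log pattern and a 20x outbound volume jump) and belief in a malicious insider reaches 0.98; the log pattern looks legal but the packets disagree, which surfaces as K = 0.72 and a belief of about 0.64, enough to keep the case open but not to claim proof; and both phases are quiet, so the user is cleared. A high K is itself worth logging, since Dempster's rule renormalises conflict away and a confident-looking fused mass can hide two sources that flatly contradict each other.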
