Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise

Insider attacks are often subtle and slow, or are preceded by behavioral indicators, such as organizational rule-breaking, which offer the potential for early warning of malicious intent. Both cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem: rather than retaining event data for post-facto analysis, the system maintains long-term estimates that individuals or nodes are attackers, and these estimates are then used as triggers for more detailed investigation. We identify the essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring.
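The idea of keeping a per-node estimate and updating it incrementally as indicators arrive, instead of storing the raw events, can be shown with a small Bayesian evidence accumulator. The code below is an added illustration, not the paper's own method or code: it assumes a naive-Bayes model in which each indicator contributes an independent likelihood ratio P(indicator | attacker) / P(indicator | benign) to a node's log-odds of being an attacker. The indicator names, their likelihoods, the prior, the threshold and the event stream are all constructed values chosen for the demonstration.

```python
from math import exp, log
from typing import Dict, List, Tuple

# Hypothetical indicator table (constructed values, not from the paper):
# name -> (P(indicator | attacker), P(indicator | benign)).
# The ratio of the two is the likelihood ratio each event contributes.
INDICATORS: Dict[str, Tuple[float, float]] = {
    "off_hours_login":      (0.30, 0.05),
    "failed_auth_burst":    (0.40, 0.10),
    "unusual_host_contact": (0.50, 0.08),
    "policy_violation":     (0.20, 0.02),
}

PRIOR_ATTACKER = 0.01   # assumed base rate of attacker nodes
INVESTIGATE_AT = 0.50   # posterior at which a node is handed to an analyst


def logit(p: float) -> float:
    """Probability -> log-odds."""
    return log(p / (1.0 - p))


def sigmoid(x: float) -> float:
    """Log-odds -> probability."""
    return 1.0 / (1.0 + exp(-x))


class EvidenceAccumulator:
    """Keeps one number per node (its log-odds of being an attacker).

    Each event updates only the node it names, so there is no global
    recomputation and the raw event need not be retained afterwards.
    """

    def __init__(self, prior: float = PRIOR_ATTACKER,
                 threshold: float = INVESTIGATE_AT) -> None:
        self.prior_logodds = logit(prior)
        self.threshold = threshold
        self.logodds: Dict[str, float] = {}

    def observe(self, node: str, indicator: str) -> float:
        """Fold one indicator into the node's estimate; return new posterior."""
        p_attacker, p_benign = INDICATORS[indicator]   # KeyError for unknown indicators
        log_lr = log(p_attacker / p_benign)
        current = self.logodds.get(node, self.prior_logodds)
        self.logodds[node] = current + log_lr
        return self.posterior(node)

    def posterior(self, node: str) -> float:
        """Current P(node is attacker); nodes never seen sit at the prior."""
        return sigmoid(self.logodds.get(node, self.prior_logodds))

    def flagged(self) -> List[str]:
        """Nodes whose posterior has crossed the investigation threshold."""
        return sorted(n for n in self.logodds if self.posterior(n) >= self.threshold)


# Constructed event stream: (timestamp, node, indicator). node-17 shows a
# slow drip of weak signals over weeks; node-03 and node-08 produce the kind
# of isolated indicators that are indistinguishable from background noise.
EVENTS: List[Tuple[str, str, str]] = [
    ("2009-03-02T23:10", "node-17", "off_hours_login"),
    ("2009-03-05T09:41", "node-03", "failed_auth_burst"),
    ("2009-03-11T22:57", "node-08", "off_hours_login"),
    ("2009-03-19T01:15", "node-17", "unusual_host_contact"),
    ("2009-03-27T00:03", "node-08", "off_hours_login"),
    ("2009-04-03T10:22", "node-17", "failed_auth_burst"),
    ("2009-04-14T14:30", "node-17", "policy_violation"),
]


def run_demo() -> EvidenceAccumulator:
    """Replay the constructed stream and return the accumulator state."""
    acc = EvidenceAccumulator()
    for _ts, node, indicator in EVENTS:
        acc.observe(node, indicator)
    return acc


if __name__ == "__main__":
    acc = run_demo()
    for node in sorted(acc.logodds):
        print(f"{node}: P(attacker) = {acc.posterior(node):.3f}")
    print("investigate:", acc.flagged())
```

With these numbers, node-17's four weak indicators multiply its prior odds of 1/99 by 6 x 6.25 x 4 x 10 = 1500, giving a posterior of about 0.94, while a single failed-authentication burst leaves node-03 near 0.04 and two off-hours logins leave node-08 below 0.27. The state that has to be kept is one float per node, which is what makes the scheme scale; the price is the independence assumption behind the multiplied likelihood ratios, so correlated indicators (two sensors reporting the same underlying activity) should be collapsed into one before being fed in, or the estimate will be over-confident.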
