The optimization of situational awareness for insider threat detection

  • Kenneth Brancik* (*Corresponding author for this work)
  • Gabriel Ghinita

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

15 Citations (Scopus)

Abstract

In recent years, organizations ranging from defense and other government institutions to commercial enterprises, research labs, etc., have witnessed an increasing number of sophisticated insider attacks that manage to bypass existing security controls. Insider threats are staged either by disgruntled employees or by employees engaged in malicious activities such as industrial espionage. The objectives of such threats range from sabotage, e.g., in order to disrupt the completion of a project, to exfiltration of sensitive data such as trade secrets, patents, etc. Insiders are often skilled and motivated individuals with good knowledge of the internal security measures of the organization. They devise effective and carefully planned attacks, prepared over long periods of time and customized to inflict maximum damage. Such attacks are difficult to detect and protect against, because insiders have the proper credentials to access services and systems within the organization, and possess knowledge that may allow them to deceive network defense controls. As a result, a large number of hosts may be taken over, allowing malicious insiders to maintain control over the network even after leaving the organization. The objective of this study is to identify a high-level architecture and mechanisms for early detection of and protection against insider threats. One of the main aspects we focus on is preventing data exfiltration, which is known to cost billions of dollars in losses annually. The goal is to either (i) detect attacks as they occur and prevent insiders from gaining control over the network, or (ii) detect compromised hosts and services early, so that malware is prevented from spreading or morphing and insiders are no longer able to control the network or to exfiltrate sensitive data.
We envision a data-intensive approach that leverages large amounts of events collected from a diverse set of sources such as network sensors, intrusion detection systems, service logs, as well as known attack databases (e.g., virus signature collections, digital artifacts), security and service logs, etc. The proposed approach aims to study and understand the relationships and correlations between events, with the purpose of detecting anomalous and/or malicious behavior.

Original language: English
Title of host publication: CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy
Pages: 231-235
Number of pages: 5
DOIs
Publication status: Published - 2011
Externally published: Yes
Event: 1st ACM Conference on Data and Application Security and Privacy, CODASPY'11 - San Antonio, TX, United States
Duration: 21 Feb 2011 to 23 Feb 2011

Publication series

Name: CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy

Conference

Conference: 1st ACM Conference on Data and Application Security and Privacy, CODASPY'11
Country/Territory: United States
City: San Antonio, TX
Period: 21/02/11 to 23/02/11

Keywords

  • Data exfiltration
  • Insider threat
