ABSTRACT
Protecting sensitive data against malicious or compromised insiders is a challenging problem. Access control mechanisms are not always able to prevent authorized users from misusing or stealing sensitive data, since insiders often hold legitimate access permissions to that data. Also, security vulnerabilities and phishing attacks make it possible for external malicious parties to compromise the identity credentials of users who have access to the data. Therefore, solutions for protection from insider threat require combining access control mechanisms and other security techniques, such as encryption, with techniques for detecting anomalies in data accesses. In this paper, we propose a novel approach to create fine-grained profiles of users' normal file access behaviors. Our approach is based on the key observation that even if a user's access to a file seems legitimate, only a fine-grained analysis of the access (size of access, timestamp, etc.) can help in understanding the original intention of the user. We exploit users' file access information at the block level and develop a feature-extraction method to model users' normal file access patterns (user profiles). Such profiles are then used in the detection phase to identify anomalous file system accesses. Finally, through performance evaluations we demonstrate that our approach has an accuracy of 98.64% in detecting anomalies and incurs an overhead of only 2%.
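The block-level profiling idea described in the abstract, as an added Python example that is not the paper's own code: it parses constructed access records (a simplified, made-up format in which each block access has already been attributed to a user, something raw blktrace output alone does not give you), builds a per-user profile of request sizes per operation, hours of day and coarse block regions, and scores new accesses against that profile. The feature set, the z-score threshold, the 1 MiB region granularity and the record format are assumptions for illustration, not the features or classifier the paper uses.

```python
"""Per-user block-level access profiles and anomaly scoring (illustrative).

Record format (constructed for this example, not blktrace output):
    unix_ts,user,op,sector,bytes      op is R (read) or W (write), sector is 512-byte
Attribution of a block request to a user is assumed to have been done upstream.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
import math

# Constructed training data: alice reads a small region around sector 2048 and
# writes near sector 4096, always between 08:00 and 10:00 UTC, in 4-8 KiB requests.
TRAINING_LOG = """\
1483257600,alice,R,2048,4096
1483257605,alice,R,2056,4096
1483261200,alice,R,2064,8192
1483264800,alice,W,4096,4096
1483344000,alice,R,2048,4096
1483344300,alice,R,2072,4096
1483347600,alice,W,4096,8192
1483430400,alice,R,2080,4096
1483430700,alice,R,2088,4096
1483434000,alice,W,4104,4096
"""

SECTORS_PER_REGION = 2048  # 2048 * 512 B = 1 MiB; assumed granularity


@dataclass
class Access:
    ts: int
    user: str
    op: str
    sector: int
    nbytes: int

    @property
    def hour(self) -> int:
        return datetime.fromtimestamp(self.ts, tz=timezone.utc).hour

    @property
    def region(self) -> int:
        return self.sector // SECTORS_PER_REGION


def parse_log(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        ts, user, op, sector, nbytes = line.split(",")
        out.append(Access(int(ts), user, op, int(sector), int(nbytes)))
    return out


@dataclass
class Profile:
    sizes: dict = field(default_factory=lambda: defaultdict(list))  # op -> request sizes
    hours: set = field(default_factory=set)                         # hours of day seen
    regions: set = field(default_factory=set)                       # block regions touched

    def mean_std(self, op: str):
        xs = self.sizes[op]
        mean = sum(xs) / len(xs)
        return mean, math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))


def build_profiles(accesses: list) -> dict:
    profiles = defaultdict(Profile)
    for a in accesses:
        p = profiles[a.user]
        p.sizes[a.op].append(a.nbytes)
        p.hours.add(a.hour)
        p.regions.add(a.region)
    return profiles


def score(profile: Profile, a: Access, z_threshold: float = 3.0) -> list:
    """Return the list of reasons this access deviates from the profile (empty = normal)."""
    reasons = []
    if a.op not in profile.sizes:
        reasons.append("unseen-op")
    else:
        mean, std = profile.mean_std(a.op)
        if std > 0:
            z = abs(a.nbytes - mean) / std
        else:  # constant-size history: any different size is maximally unusual
            z = 0.0 if a.nbytes == mean else float("inf")
        if z > z_threshold:
            reasons.append(f"size-z={z:.1f}")
    if a.hour not in profile.hours:
        reasons.append("unseen-hour")
    if a.region not in profile.regions:
        reasons.append("unseen-region")
    return reasons


def detect(profiles: dict, accesses: list) -> list:
    """Score each access; users with no profile are flagged rather than silently skipped."""
    return [(a, score(profiles[a.user], a) if a.user in profiles else ["unknown-user"])
            for a in accesses]


if __name__ == "__main__":
    profiles = build_profiles(parse_log(TRAINING_LOG))
    # Constructed test traffic: one normal read, one large off-hours read of a new region.
    probe = [Access(1483516800, "alice", "R", 2064, 4096),
             Access(1483560000, "alice", "R", 20480, 1048576)]
    for a, reasons in detect(profiles, probe):
        print(a, "ANOMALY" if reasons else "normal", reasons)
```

Each flagged reason is a separate feature so an analyst can see whether the size, the time of day or the location was unusual; combining them into a single score and tuning the threshold against a labelled holdout set is where the real work lies, and the abstract's accuracy figure refers to the paper's own feature set, not to this toy one.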
Ghostbuster: A Fine-grained Approach for Anomaly Detection in File System Accesses