DOI: 10.1145/3029806.3029809
Research article (Best Paper)

Ghostbuster: A Fine-grained Approach for Anomaly Detection in File System Accesses

Published: 22 March 2017

ABSTRACT

Protecting sensitive data against malicious or compromised insiders is a challenging problem. Access control mechanisms are not always able to prevent authorized users from misusing or stealing sensitive data, since insiders often already hold access permissions to the data. Also, security vulnerabilities and phishing attacks make it possible for external malicious parties to compromise the identity credentials of users who have access to the data. Therefore, solutions for protection from insider threat require combining access control mechanisms and other security techniques, such as encryption, with techniques for detecting anomalies in data accesses. In this paper, we propose a novel approach to create fine-grained profiles of the users' normal file access behaviors. Our approach is based on the key observation that even if a user's access to a file seems legitimate, only a fine-grained analysis of the access (size of access, timestamp, etc.) can help understand the original intention of the user. We exploit the users' file access information at block level and develop a feature-extraction method to model the users' normal file access patterns (user profiles). Such profiles are then used in the detection phase to identify anomalous file system accesses. Finally, through performance evaluations we demonstrate that our approach has an accuracy of 98.64% in detecting anomalies and incurs an overhead of only 2%.
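The abstract describes building a per-user profile of normal block-level file accesses from features such as access size and timestamp, then flagging accesses in the detection phase that do not fit the profile. The Python sketch below is an added illustration of that general idea and is not the paper's Ghostbuster code: the record layout (user, file, first block, block count, hour of day), the statistical features, the z-score threshold and the constructed training data are all assumptions made for the example, not details taken from the paper.

```python
"""Profile-based anomaly detection over block-level file accesses.

Added illustration (not the Ghostbuster implementation). Assumptions:
  * an access record carries user, file path, first block touched,
    number of blocks transferred (the "size of access") and hour of day;
  * a profile per (user, file) keeps the sizes seen, the hours seen and the
    highest block touched during training;
  * an access is reported when its size is more than K standard deviations
    from the profiled mean, when it happens at an hour never seen during
    training, or when it reaches past the highest block seen.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from math import sqrt


@dataclass(frozen=True)
class Access:
    user: str
    path: str
    first_block: int   # first block of the I/O request
    nblocks: int       # blocks transferred: the "size of access"
    hour: int          # hour of day (0-23) taken from the timestamp


@dataclass
class Profile:
    sizes: list = field(default_factory=list)
    hours: set = field(default_factory=set)
    max_block: int = 0

    def mean_std(self):
        """Population mean and standard deviation of access sizes."""
        n = len(self.sizes)
        mean = sum(self.sizes) / n
        var = sum((s - mean) ** 2 for s in self.sizes) / n
        return mean, sqrt(var)


def build_profiles(training):
    """Training phase: fold every access into its (user, file) profile."""
    profiles = defaultdict(Profile)
    for a in training:
        p = profiles[(a.user, a.path)]
        p.sizes.append(a.nblocks)
        p.hours.add(a.hour)
        p.max_block = max(p.max_block, a.first_block + a.nblocks - 1)
    return dict(profiles)


def score(profiles, a, k=3.0):
    """Detection phase: list the reasons an access deviates from its profile.

    An empty list means the access is consistent with the profile.
    """
    p = profiles.get((a.user, a.path))
    if p is None:
        return ["no profile for this user/file pair"]
    reasons = []
    mean, std = p.mean_std()
    if std == 0:
        # Every training access had the same size: any other size is a deviation.
        z = 0.0 if a.nblocks == mean else float("inf")
    else:
        z = abs(a.nblocks - mean) / std
    if z > k:
        reasons.append(f"size {a.nblocks} blocks is {z:.1f} sd from mean {mean:.1f}")
    if a.hour not in p.hours:
        reasons.append(f"hour {a.hour} never seen in training")
    last = a.first_block + a.nblocks - 1
    if last > p.max_block:
        reasons.append(f"reaches block {last}, beyond profiled max {p.max_block}")
    return reasons


def detect(profiles, accesses, k=3.0):
    """Return (access, reasons) for every access that does not fit its profile."""
    flagged = []
    for a in accesses:
        reasons = score(profiles, a, k)
        if reasons:
            flagged.append((a, reasons))
    return flagged


# Constructed training data: alice reads small pieces of a report during
# working hours; bob reads a fixed-size header of the payroll file at 10:00.
TRAINING = [
    Access("alice", "/srv/report.db", 100 + 10 * i, n, 9 + i)
    for i, n in enumerate([4, 5, 6, 5, 4, 6])
] + [Access("bob", "/srv/payroll.csv", 0, 8, 10) for _ in range(3)]

PROFILES = build_profiles(TRAINING)

if __name__ == "__main__":
    # Constructed test accesses: one routine read and one bulk read at 03:00.
    probes = [
        Access("alice", "/srv/report.db", 120, 5, 10),
        Access("alice", "/srv/report.db", 100, 400, 3),
    ]
    for a, reasons in detect(PROFILES, probes):
        print(a, "->", "; ".join(reasons))
```

The three checks are independent so that a report explains which feature deviated, which is what an analyst needs when triaging an alert; the bulk read at 03:00 in the constructed data trips all three at once, while a read of the usual size at a usual hour produces no alert.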


Published in

CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy
March 2017, 382 pages
ISBN: 9781450345231
DOI: 10.1145/3029806

Copyright © 2017 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: CODASPY '17 paper acceptance rate 21 of 134 submissions (16%); overall acceptance rate 149 of 789 submissions (19%).
