Top

Information Systems Frontiers

Published in:

01-03-2013

Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise

Authors: Howard Chivers, John A. Clark, Philip Nobles, Siraj A. Shaikh, Hao Chen

Published in: Information Systems Frontiers | Issue 1/2013

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rule-breaking which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring.

previous article Understanding insiders: An analysis of risk-taking behavior

next article Two-stage database intrusion detection by combining multiple evidence and belief update

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Bace, R., & Mell, P. (2001). Intrusion detection systems (IDS). Tech. Rep. SP 800-31, National Institute of Standards and Technology (NIST).

Band, S. R., Cappelli, D. M., Fischer, L. F., Moore, A. P., Shaw, E. D., & Trzeciak, R. F. (2006). Comparing insider it sabotage and espionage: A model-based analysis. Tech. rep., Carnegie Mellon Software Engineering Institute.

Brackney, R. C., & Anderson, R. H. (2004). Understanding the insider threat. Tech. Rep. Proceedings of March 2004 Workshop, RAND National Security Research Division.

Bradford, P. G., Brown, M., Perdue, J., & Self, B. (2004). Towards proactive computer-system forensics. In International conference on information technology: Coding and computing (ITCC 2004) (pp. 648–652). IEEE Computer Society.

Buford, J. F., Lewis, L., & Jakobson, G. (2008). Insider threat detection using situation-aware MAS. In 11th international conference on information fusion (pp. 1–8). Cologne, Germany: IEEE Xplore.

Caputo, D. D., Stephens, G. D., & Maloof, M. A. (2009). Detecting insider theft of trade secrets. IEEE Security & Privacy, 7(6), 14–21.CrossRef

CERT Incident Note (1998). IN-98-05: Probes with spoofed IP addresses.

Chebrolua, S., Abrahama, A., & Thomas, J. P. (2004). Feature deduction and ensemble design of intrusion detection systems. Computers & Security, 24(4), 295–307.CrossRef

Chivers, H., Nobles, P., Shaikh, S. A., Clark, J. A., & Chen, H. (2009). Accumulating evidence of insider attacks. In The 1st international workshop on managing insider security threats (MIST 2009) (In conjunction with IFIPTM 2009). CEUR Workshop Proceedings.

Colombe, J. B., & Stephens, G. (2004). Statistical profiling and visualization for detection of malicious insider attacks on computer networks. In The 2004 ACM workshop on visualization and data mining for computer security (pp. 138–142). ACM Press.

Eberle, W., & Holder, L. (2009). Insider threat detection using graph-based approaches. In Cybersecurity applications & technology conference for homeland security (CATCH) (pp. 237–241). IEEE Computer Society.

Goodin, D. (2007). TJX breach was twice as big as admitted, banks say. The Register.

Heberlein, T. (2002). Tactical operations and strategic intelligence: Sensor purpose and placement. Tech. Rep. TR-2002-04.02, Net Squared, Inc.

Herbig, K. L., & Wiskoff, M. F. (2002). Espionage against the united states by American citizens 1947–2001. Tech. Rep. 02-05, Defense Personnel Security Research Center (PERSEREC).

Nguyen, N., Reiher, P., & Kuenning, G. H. (2003). Detecting insider threats by monitoring system call activity. In 2003 IEEE Workshop on information assurance (pp. 18–20). IEEE Computer Society, United States Military Academy, West Point.

Randazzo, M.R., Cappelli, D., Keeney, M., Moore, A., & Kowalski, E. (2004). U.S. secret service and CERT coordination center/SEI insider threat study: Illicit cyber activity in the banking and finance sector. Tech. rep., Software Engineering Institute, Carnegie Mellon University.

Russell, S., & Norvig, P. (2010). Artificial intelligence (3rd ed.). Prentice Hall.

Spitzner, L. (2003). Honeypots: Catching the insider threat. In 19th annual computer security applications conference (ACSAC ’03) (pp. 170–179). IEEE Computer Society.

Staniford, S., Hoagland, J. A., & McAlerney, J. M. (2002). Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1/2), 105–136.

Wells, J. T. (2008). Principles of fraud examination (2nd ed.). Wiley.

Title: Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise
Authors: Howard Chivers
John A. Clark
Philip Nobles
Siraj A. Shaikh
Hao Chen
Publication date: 01-03-2013
Publisher: Springer US
Published in: Information Systems Frontiers / Issue 1/2013
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI: https://doi.org/10.1007/s10796-010-9268-7

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2013

Understanding insiders: An analysis of risk-taking behavior

A collaborative platform for buyer coalition: Introducing the Awareness-based Buyer Coalition (ABC) system

Guest editorial: A brief overview of data leakage and insider threats

“Padding” bitmaps to support similarity and mining

Application of density-based outlier detection to database activity monitoring

Investigating the role of an enterprise architecture project in the business-IT alignment in Iran

Premium Partner