Published in: Information Systems Frontiers 1/2013

01.03.2013

Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise

Authors: Howard Chivers, John A. Clark, Philip Nobles, Siraj A. Shaikh, Hao Chen


Abstract

Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rule-breaking which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring.
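The abstract describes the core mechanism only in outline: keep one long-term estimate per individual or node that it is an attacker, update that estimate incrementally as each event arrives, and treat a high estimate as a trigger for closer investigation, so that raw event data need not be retained. The following Python is an added illustration of that general idea in its simplest Bayesian form (log-odds accumulation with per-indicator likelihood ratios). It is editor-written example code, not the paper's own model or code; the indicator catalogue, the likelihood values, the prior, the threshold and the event stream are all constructed for the example and are not taken from the paper.

```python
"""Incremental per-entity estimate that a node or person is an attacker.

Editor-written illustration of the idea in the abstract above (not the
paper's own algorithm). The only state kept per entity is its current
log-odds of being an attacker; event records themselves are not stored.
All numbers below are constructed for the example.
"""
import math

# Constructed indicator catalogue: for each event type, the assumed
# probability of observing it from an attacker and from a benign entity.
# Their ratio is the event's likelihood ratio (Bayes factor).
INDICATORS = {
    "port_scan_alert":        (0.30, 0.05),  # noisy IDS alert, benign hosts fire it too
    "failed_login_burst":     (0.20, 0.02),
    "after_hours_doc_access": (0.15, 0.05),  # behavioural / document-log indicator
    "policy_violation":       (0.10, 0.01),  # organisational rule-breaking
    "normal_login":           (0.60, 0.70),  # mildly *exculpatory* evidence
}


def log_odds(p):
    """Convert a probability to log-odds."""
    return math.log(p / (1.0 - p))


def prob_from_log_odds(lo):
    """Convert log-odds back to a probability (logistic function)."""
    return 1.0 / (1.0 + math.exp(-lo))


def log_likelihood_ratio(event_type):
    """log P(event | attacker) - log P(event | benign) for one indicator."""
    p_att, p_ben = INDICATORS[event_type]
    return math.log(p_att) - math.log(p_ben)


class AttackerEstimator:
    """Per-entity Bayesian accumulator with a common prior and alert threshold."""

    def __init__(self, prior=0.001, threshold=0.5):
        self.prior_lo = log_odds(prior)
        self.threshold = threshold
        self.state = {}  # entity -> current log-odds (the only retained data)

    def observe(self, entity, event_type):
        """Fold one event into the entity's estimate; no other entity is touched."""
        lo = self.state.get(entity, self.prior_lo) + log_likelihood_ratio(event_type)
        self.state[entity] = lo
        return prob_from_log_odds(lo)

    def probability(self, entity):
        return prob_from_log_odds(self.state.get(entity, self.prior_lo))

    def flagged(self):
        """Entities whose estimate has crossed the investigation threshold."""
        return sorted(e for e in self.state if self.probability(e) >= self.threshold)


# Constructed event stream: three hosts each trip one noisy IDS alert amid
# normal activity, while ws-17 produces a slow trickle of weak indicators
# drawn from several sources (network alerts, document access, policy).
SAMPLE_EVENTS = [
    ("ws-01", "normal_login"), ("ws-02", "normal_login"), ("ws-03", "normal_login"),
    ("ws-17", "normal_login"),
    ("ws-01", "port_scan_alert"),
    ("ws-17", "policy_violation"),
    ("ws-02", "port_scan_alert"),
    ("ws-17", "after_hours_doc_access"),
    ("ws-03", "port_scan_alert"),
    ("ws-17", "normal_login"),
    ("ws-01", "normal_login"), ("ws-02", "normal_login"), ("ws-03", "normal_login"),
    ("ws-17", "port_scan_alert"),
    ("ws-17", "failed_login_burst"),
    ("ws-17", "after_hours_doc_access"),
]


def run_demo(events=SAMPLE_EVENTS, prior=0.001, threshold=0.5):
    """Feed the constructed stream through an estimator and return it."""
    est = AttackerEstimator(prior=prior, threshold=threshold)
    for entity, event_type in events:
        est.observe(entity, event_type)
    return est


if __name__ == "__main__":
    est = run_demo()
    for entity in sorted(est.state):
        print(f"{entity}: P(attacker) = {est.probability(entity):.4f}")
    print("investigate:", est.flagged())
```

Two properties of this formulation are worth noting. Because each update is an addition to one entity's log-odds, the result does not depend on the order in which events arrive and no other entity's estimate has to be recomputed, which is what makes the approach cheap to run over long periods and many sources. The price is the assumption that indicators are conditionally independent given the attacker/benign hypothesis, and the practical difficulty of estimating sensible likelihood ratios for each indicator; the example's values are illustrative only.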


Metadata
Title
Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise
Authors
Howard Chivers
John A. Clark
Philip Nobles
Siraj A. Shaikh
Hao Chen
Publication date
01.03.2013
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 1/2013
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-010-9268-7
