• Former programmer Timothy Lloyd, who was fired in 1996, retaliated by setting off a logic bomb that destroyed employer Omega Engineering's primary database, causing $12 million damage and forcing 80 people to be laid off (Security Wire Digest, Vol. 3, No. 12, Feb. 12, 2001).
• Feds charge 3 in massive credit fraud scheme. Initial losses estimated at $2.7 million (CNN.com, 2002).
The CSI/FBI 1999 Computer Crime Survey indicated that 55% of the reported attacks were from insiders, and the CSI/FBI 2000 Computer Crime Survey stated that 71% of the respondents had been the victim of internal attacks. Dealing with this problem involves three steps: modeling the insider, prevention of internal misuse and detection, and analysis and identification of misuse. Approaches to prevention are to install and execute appropriate anti-virus tools; install software updates and patches; encrypt databases, key system files and even executables; electronically “watermark” documents so that their passage through any electronic gate can be automatically detected and prevented; isolate privileged execution domains from less privileged execution domains; and implement multilevel security policies.
5 Surveillance Issues
The questions that need to be addressed to mitigate insider attacks are: what kind of model should one develop? Should we consider prevention, detection, or both? Should the method be passive or proactive? For optimizing detection, the technology must be tamper-resistant, must not burden the monitoring system and must be cost-effective. In this talk, we consider just the detection problem. Insider attack detection approaches are generally anomaly-based and range from rule-based detection, to statistical anomaly detection, to proactive schemes such as query-based encapsulation of owner intent [4].
6 A New Proactive Scheme for Insider Threat Detection
Our approach relies on user-level anomaly detection that avoids after-the-fact solutions such as audit data analysis. We leverage ideas from fault tolerance, where concurrent monitoring is used to detect control-flow errors. We capture the owner's intent and use it as a reference signature for monitoring, and a reasoning framework is developed for making rational decisions about intrusions. Engineering methodologies such as divide and conquer are used to address the scalability of the approach.

We obtain the reference graph by encapsulation of the owner's intent, which requires an implicit or explicit query of users for a session scope. We then translate it into a set of verifiable assertions. Actual operations are monitored at the user command level and the user's behavior is assessed. The advantages of this approach are that there is no need to process huge volumes of audit data, and that both external and internal abuse can be handled uniformly [4]. Reasoning about intrusions is done by stochastic modeling of job activity. A double-threshold scheme is used to resolve situations arising when the job activity cost maps into an ambiguous region. Cost gradients are used to shrink the window of uncertainty so that a speedy decision on intrusion can be arrived at [5]. Anomaly detectors are always
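The session-scope encapsulation, assertion checking and double-threshold decision described in this section, as an added illustration in Python that is not the authors' implementation. The scope fields (allowed commands and path prefixes), the cost weights, the LOW/HIGH thresholds, the gradient window and the three command streams are all constructed assumptions chosen to make the mechanism visible:

```python
"""Session-scoped intent encapsulation with a double-threshold decision.

Added illustration, not the paper's implementation. The scope fields,
cost weights, thresholds, gradient window and command streams are
constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# (name, predicate(command, argument), cost charged when the predicate fails)
Assertion = Tuple[str, Callable[[str, str], bool], float]


@dataclass(frozen=True)
class SessionScope:
    """Encapsulated owner's intent, gathered by querying the user at session start."""
    allowed_commands: frozenset      # commands the user declared for this session
    allowed_paths: Tuple[str, ...]   # path prefixes the session is expected to touch


def build_assertions(scope: SessionScope) -> List[Assertion]:
    """Translate the declared scope into verifiable assertions over one command."""
    return [
        ("command-in-scope",
         lambda cmd, arg: cmd in scope.allowed_commands, 3.0),
        ("path-in-scope",
         lambda cmd, arg: arg == "" or arg.startswith(scope.allowed_paths), 2.0),
    ]


# Double-threshold parameters (assumed values).
LOW = 4.0        # below: activity is consistent with the declared intent
HIGH = 10.0      # at or above: intrusion, no further evidence needed
RECOVERY = 0.5   # credit earned by each command that satisfies every assertion
WINDOW = 3       # number of recent cost samples used for the gradient
GRAD_UP = 2.5    # rising gradient that resolves the ambiguous region early


def decide(history: List[float]) -> str:
    """Map the running cost to a decision, using the gradient inside the ambiguous band."""
    cost = history[-1]
    if cost < LOW:
        return "normal"
    if cost >= HIGH:
        return "intrusion"
    # LOW <= cost < HIGH is the ambiguous region. A steep rise lets us commit
    # early; a falling trend closes the uncertainty window toward clearance.
    if len(history) >= WINDOW:
        gradient = (history[-1] - history[-WINDOW]) / (WINDOW - 1)
        if gradient >= GRAD_UP:
            return "intrusion"
        if gradient <= 0:
            return "normal"
    return "ambiguous"


def monitor(scope: SessionScope,
            commands: List[Tuple[str, str]]) -> List[Tuple[str, float, str]]:
    """Check each (command, argument) against the assertions and decide as we go.

    Returns one (command, running_cost, decision) record per observed command.
    """
    assertions = build_assertions(scope)
    cost, history, trace = 0.0, [], []
    for cmd, arg in commands:
        violation = sum(w for _, pred, w in assertions if not pred(cmd, arg))
        # Conforming commands repay a little trust; violations charge their weight.
        cost = max(0.0, cost - RECOVERY) + violation
        history.append(cost)
        trace.append((cmd, cost, decide(history)))
    return trace


if __name__ == "__main__":
    scope = SessionScope(frozenset({"ls", "cat", "grep"}), ("/home/alice/",))
    # Constructed command streams, not recordings of real sessions.
    benign = [("ls", "/home/alice/"), ("cat", "/home/alice/notes.txt"),
              ("grep", "/home/alice/app.log")]
    drift = [("cat", "/etc/hosts"), ("scp", "/home/alice/report.pdf"),
             ("cat", "/etc/hostname"), ("ls", "/home/alice/"), ("ls", "/home/alice/")]
    hostile = [("ls", "/home/alice/"), ("cat", "/srv/finance/ledger.csv"),
               ("scp", "/home/alice/ledger-copy.csv"), ("tar", "/srv/finance/")]
    for label, stream in (("benign", benign), ("drift", drift), ("hostile", hostile)):
        for cmd, cost, verdict in monitor(scope, stream):
            print(f"{label:8s} {cmd:5s} cost={cost:4.1f} -> {verdict}")
```

The benign stream never leaves the declared scope and stays "normal". The drift stream wanders out of scope twice, enters the ambiguous band, and is cleared once the cost gradient turns negative, before the cost itself falls below LOW. The hostile stream is flagged on its fourth command because the gradient over the last three samples exceeds GRAD_UP, even though the running cost (9.0) has not yet reached HIGH; that is the sense in which the gradient shrinks the window of uncertainty.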