Abstract
This paper describes a proof-of-concept system for detecting insider threats. The system measures insider behavior by observing a user's processes and threads, user-mode and kernel-mode time, network interface statistics, and similar metrics. The system is built using Microsoft's Windows Management Instrumentation (WMI) implementation of the Web Based Enterprise Management (WBEM) standards. It facilitates the selection and storage of potential digital evidence based on anomalous user behavior with minimal administrative input.
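The kind of WMI collection the abstract describes, as an added PowerShell example that is not the paper's own code: it samples per-process user/kernel time, thread counts and network interface counters through CIM, rolls them up per account, and stores the snapshot as potential evidence only when a metric exceeds that account's baseline. The `InsiderMon` directory, the `baseline.json` layout (account -> metric -> {Mean, StdDev}) and the tolerance of three standard deviations are assumptions.

```powershell
# Added example, not the paper's own code: sample the WMI metrics named in the
# abstract and keep the snapshot only when a user's activity departs from baseline.
# Assumed: baseline.json maps account -> metric -> {Mean, StdDev}; tolerance is illustrative.
$Dir = "$env:ProgramData\InsiderMon"; $Tolerance = 3.0
New-Item -ItemType Directory -Force -Path $Dir | Out-Null

# Per-process user/kernel time (100 ns units in WMI) and thread count, attributed to the owner.
$procs = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User      = if ($o -and $o.User) { "$($o.Domain)\$($o.User)" } else { 'SYSTEM' }
        Name      = $_.Name; ProcessId = $_.ProcessId; Threads = $_.ThreadCount
        UserSec   = [math]::Round($_.UserModeTime   / 1e7, 2)
        KernelSec = [math]::Round($_.KernelModeTime / 1e7, 2)
    }
}
# Network interface statistics from the formatted performance-counter provider.
$net = Get-CimInstance -ClassName Win32_PerfFormattedData_Tcpip_NetworkInterface |
    Select-Object Name, BytesSentPersec, BytesReceivedPersec

# Roll up per account so the comparison is against that user's own history.
$perUser = $procs | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name; Procs = $_.Count
        KernelSec = ($_.Group | Measure-Object KernelSec -Sum).Sum
        Threads   = ($_.Group | Measure-Object Threads   -Sum).Sum
    }
}

$baseline = if (Test-Path "$Dir\baseline.json") { Get-Content "$Dir\baseline.json" -Raw | ConvertFrom-Json }
$alerts = foreach ($u in $perUser) {
    $b = if ($baseline) { $baseline.($u.User) }
    if (-not $b) { continue }                 # no history for this account yet
    foreach ($m in 'KernelSec', 'Threads', 'Procs') {
        $limit = $b.$m.Mean + $Tolerance * $b.$m.StdDev
        if ($u.$m -gt $limit) {
            [pscustomobject]@{ User = $u.User; Metric = $m; Observed = $u.$m; Limit = [math]::Round($limit, 1) }
        }
    }
}

# Store the full snapshot as potential evidence only when a deviation was seen.
if ($alerts) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    @{ Collected = (Get-Date).ToString('o'); Processes = $procs; Network = $net; Alerts = $alerts } |
        ConvertTo-Json -Depth 4 | Set-Content "$Dir\evidence-$stamp.json"
    $alerts | Format-Table -AutoSize
}
```

Run it from a scheduled task with an account allowed to query WMI; with no baseline file present it collects but never alerts, which is the state to use while building the per-user history.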
© 2007 International Federation for Information Processing
Cite this paper
Ray, D., Bradford, P. (2007). An Integrated System for Insider Threat Detection. In: Craiger, P., Shenoi, S. (eds) Advances in Digital Forensics III. DigitalForensics 2007. IFIP — The International Federation for Information Processing, vol 242. Springer, New York, NY. https://doi.org/10.1007/978-0-387-73742-3_5
DOI: https://doi.org/10.1007/978-0-387-73742-3_5
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-73741-6
Online ISBN: 978-0-387-73742-3