Monitoring Technologies for Mitigating Insider Threats

Chapter in: Insider Threats in Cyber Security

Part of the book series: Advances in Information Security ((ADIS,volume 49))

Abstract

In this chapter, we propose a design for an insider threat detection system that combines an array of complementary techniques aimed at detecting evasive adversaries. We are motivated by real-world incidents and by our experience building isolated detectors: such standalone mechanisms are often easily identified and avoided by malefactors. Our work in progress combines host-based user-event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. We introduce and formalize a number of properties of decoys as a guide for designing trap-based defenses that increase the likelihood of detecting an insider attack. We identify several challenges in scaling up, deploying, and validating our architecture in real environments.
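The abstract's central idea is that a decoy access on its own is weak evidence, but a decoy access on a host followed by a network observation of the same decoy leaving that host is strong evidence. The following Python sketch is an added illustration of that correlation, not code from the chapter or the authors' system; the keyed-tag scheme for identifying decoys, the sample paths, hostnames, IP addresses, the five-minute window, and the event formats are all assumptions made here.

```python
"""Toy correlation of host decoy-access events with network decoy sightings.

Added illustration only: the event schemas, tagging scheme and sample data are
constructed assumptions, not the chapter's design.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: a per-deployment secret so that decoy identity is a keyed tag,
# and an attacker who reads the sensor config cannot enumerate the decoys.
TAG_KEY = b"example-decoy-tag-key"

# Assumption: correlation window (seconds) between decoy open and egress.
WINDOW = 300.0


def decoy_tag(path: str) -> str:
    """Keyed, truncated HMAC-SHA256 over the decoy's path."""
    return hmac.new(TAG_KEY, path.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed decoy inventory: paths that look valuable but have no real use.
DECOY_PATHS = ["/srv/finance/q3_payroll_DRAFT.xlsx", "/srv/hr/exec_comp_2009.docx"]
DECOYS: Dict[str, str] = {decoy_tag(p): p for p in DECOY_PATHS}


@dataclass
class HostEvent:
    """One record from a host-based user-event sensor (constructed schema)."""
    ts: float
    host: str
    user: str
    action: str
    path: str


@dataclass
class NetEvent:
    """One record from a network detector that saw a decoy tag in an outbound
    payload or a decoy beacon callback (constructed schema)."""
    ts: float
    host: str
    dst: str
    tag: str


@dataclass
class Alert:
    ts: float
    host: str
    user: str
    path: str
    severity: str
    evidence: List[str] = field(default_factory=list)


def is_decoy(path: str) -> bool:
    return decoy_tag(path) in DECOYS


def correlate(host_events: List[HostEvent], net_events: List[NetEvent]) -> List[Alert]:
    """Emit one alert per decoy access; raise severity to 'high' when the same
    decoy's tag is seen leaving the same host within WINDOW seconds."""
    alerts: List[Alert] = []
    for h in sorted(host_events, key=lambda e: e.ts):
        if not is_decoy(h.path):
            continue  # ordinary file: no trap was touched, nothing to report
        tag = decoy_tag(h.path)
        alert = Alert(h.ts, h.host, h.user, h.path, "low", ["decoy_access"])
        for n in net_events:
            if n.host == h.host and n.tag == tag and 0.0 <= n.ts - h.ts <= WINDOW:
                alert.severity = "high"
                alert.evidence.append(f"decoy_egress_to:{n.dst}")
        alerts.append(alert)
    return alerts


# Constructed sample sensor output.
HOST_EVENTS = [
    HostEvent(900.0, "ws-alice", "alice", "open", "/srv/finance/readme.txt"),
    HostEvent(1000.0, "ws-bob", "bob", "open", "/srv/finance/q3_payroll_DRAFT.xlsx"),
    HostEvent(2000.0, "ws-carol", "carol", "open", "/srv/hr/exec_comp_2009.docx"),
]
NET_EVENTS = [
    # bob's host sends the payroll decoy's tag to an external address two minutes later
    NetEvent(1120.0, "ws-bob", "203.0.113.9", decoy_tag("/srv/finance/q3_payroll_DRAFT.xlsx")),
    # the same tag seen much later from another host falls outside the window
    NetEvent(9000.0, "ws-dave", "203.0.113.9", decoy_tag("/srv/finance/q3_payroll_DRAFT.xlsx")),
]


def run_sample() -> List[Alert]:
    return correlate(HOST_EVENTS, NET_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.severity, a.user, a.host, a.path, a.evidence)
```

The point of the keyed tag is the one the abstract makes about evasion: a list of decoy paths in a sensor config is itself a signal to a careful insider, whereas a keyed tag lets the host and network detectors agree on which file was touched without either of them carrying the plaintext inventory. The second network event shows the caveat that a window-based join is only as good as the sensor clocks and the window you choose.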

Correspondence to Brian M. Bowen .

Copyright information

© 2010 Springer Science+Business Media, LLC

Cite this chapter

Bowen, B.M., Salem, M.B., Keromytis, A.D., Stolfo, S.J. (2010). Monitoring Technologies for Mitigating Insider Threats. In: Probst, C., Hunker, J., Gollmann, D., Bishop, M. (eds) Insider Threats in Cyber Security. Advances in Information Security, vol 49. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-7133-3_9

  • DOI: https://doi.org/10.1007/978-1-4419-7133-3_9

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-7132-6

  • Online ISBN: 978-1-4419-7133-3
