Abstract
In this chapter, we propose a design for an insider threat detection system that combines an array of complementary techniques aimed at detecting evasive adversaries. We are motivated by real-world incidents and by our experience with building isolated detectors: such standalone mechanisms are often easily identified and avoided by malefactors. Our work-in-progress combines host-based user-event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. We introduce and formalize a number of properties of decoys as a guide to designing trap-based defenses that increase the likelihood of detecting an insider attack. We identify several challenges in scaling up, deploying, and validating our architecture in real environments.
Copyright information
© 2010 Springer Science+Business Media, LLC
Cite this chapter
Bowen, B.M., Salem, M.B., Keromytis, A.D., Stolfo, S.J. (2010). Monitoring Technologies for Mitigating Insider Threats. In: Probst, C., Hunker, J., Gollmann, D., Bishop, M. (eds) Insider Threats in Cyber Security. Advances in Information Security, vol 49. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-7133-3_9
DOI: https://doi.org/10.1007/978-1-4419-7133-3_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-7132-6
Online ISBN: 978-1-4419-7133-3
eBook Packages: Computer Science (R0)