Abstract
Access control is a necessary, but often insufficient, mechanism for protecting sensitive resources. In some scenarios, the cost of anticipating information needs and specifying precise access control policies is prohibitive. For this reason, many organizations grant employees broader access than they strictly need to some resources, such as file or source code repositories. This lets the organization maximize the benefit employees get from large troves of information, but exposes it to excessive risk. In this work we investigate how to build profiles of normal user activity on file repositories for use in anomaly detection, insider threat detection, and risk mitigation. We show how information derived from other users' activity and from the structure of the filesystem hierarchy can be used to detect abnormal access patterns. We evaluate our methods on real access logs from a commercial source code repository on two tasks: identifying which user generated a given set of accesses, and detecting users who, in order to leak resources, access more than they have a need for.
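The following Python is an added illustration of the idea stated in the abstract, not the paper's own code and not the feature set the paper evaluates. It builds a per-user profile as the set of directories (at every depth) a user touched in a training window, finds "peers" as users whose directory footprint overlaps the user's, and scores a new access by how many levels of its path lie in a subtree that neither the user nor any peer has ever touched. The users, paths, the Jaccard peer cut-off and the flagging threshold are all constructed or assumed for the example.

```python
"""Toy profile-based anomaly scoring for file-repository access logs.

Added example, not the paper's method. A user's profile is the set of
directories they accessed in training. A new access is scored by how many
directory levels on its path are new to the user and, of those, how many
are also new to the user's peers. Paths deep in a subtree that neither the
user nor any peer has touched are the suspicious ones.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample training log of (user, path); not real repository data.
TRAINING_LOG = [
    ("alice", "/repo/payments/api/handlers.py"),
    ("alice", "/repo/payments/api/routes.py"),
    ("alice", "/repo/payments/tests/test_api.py"),
    ("bob",   "/repo/payments/api/handlers.py"),
    ("bob",   "/repo/payments/db/schema.sql"),
    ("bob",   "/repo/payments/db/migrations/0001.sql"),
    ("carol", "/repo/trading/strategy/core.py"),
    ("carol", "/repo/trading/strategy/signals.py"),
    ("carol", "/repo/trading/backtest/run.py"),
    ("dave",  "/repo/trading/strategy/core.py"),
    ("dave",  "/repo/trading/risk/limits.py"),
]

# Constructed accesses to score against the profiles built from TRAINING_LOG.
TEST_LOG = [
    ("alice", "/repo/payments/db/schema.sql"),    # new to alice, known to peer bob
    ("alice", "/repo/trading/strategy/core.py"),  # subtree unknown to alice and her peers
    ("carol", "/repo/trading/risk/limits.py"),    # new to carol, known to peer dave
    ("dave",  "/repo/payments/api/handlers.py"),  # subtree unknown to dave and his peers
    ("bob",   "/repo/payments/tests/test_api.py"),  # new to bob, known to peer alice
]


def ancestors(path):
    """Directory prefixes of path, shallowest first, excluding '/' and the file itself."""
    parents = [str(p) for p in PurePosixPath(path).parents]
    parents.reverse()
    return [p for p in parents if p != "/"]


def build_profiles(log):
    """Map each user to the set of directories, at every depth, they accessed."""
    profiles = defaultdict(set)
    for user, path in log:
        profiles[user].update(ancestors(path))
    return dict(profiles)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def peers(user, profiles, min_overlap=0.5):
    """Users whose directory footprint overlaps the user's by at least
    min_overlap (Jaccard). min_overlap is an assumed tuning knob."""
    mine = profiles.get(user, set())
    return sorted(o for o, dirs in profiles.items()
                  if o != user and jaccard(mine, dirs) >= min_overlap)


def novelty(user, path, profiles, min_overlap=0.5):
    """Count path levels new to the user, and of those, levels also unknown
    to every peer. Profiles are prefix-closed, so the known levels always
    form a prefix of the path and the counts measure tree distance."""
    levels = ancestors(path)
    own = profiles.get(user, set())
    peer_dirs = set()
    for p in peers(user, profiles, min_overlap):
        peer_dirs |= profiles[p]
    new_to_user = [d for d in levels if d not in own]
    new_to_all = [d for d in new_to_user if d not in peer_dirs]
    return {"levels": len(levels),
            "new_to_user": len(new_to_user),
            "new_to_user_and_peers": len(new_to_all)}


def flag_accesses(log, profiles, threshold=0.5, min_overlap=0.5):
    """Return (user, path) pairs where at least `threshold` of the path's
    levels lie in a subtree unknown to both the user and the user's peers.
    The threshold is an assumed knob; tune it on real logs."""
    flagged = []
    for user, path in log:
        n = novelty(user, path, profiles, min_overlap)
        if n["levels"] and n["new_to_user_and_peers"] / n["levels"] >= threshold:
            flagged.append((user, path))
    return flagged


if __name__ == "__main__":
    profiles = build_profiles(TRAINING_LOG)
    for user, path in TEST_LOG:
        print(user, path, novelty(user, path, profiles))
    print("flagged:", flag_accesses(TEST_LOG, profiles))
```

Because profiles contain every ancestor of every accessed file, "levels new to the user" is the depth below the deepest directory the user already knows, i.e. a tree distance rather than a simple set membership test. The peer step is what keeps the scheme usable: a developer's first visit to a sibling directory that their team already works in scores zero, while a jump into a subtree nobody in their peer group touches scores on every level below the shared root.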
© 2014 Springer International Publishing Switzerland
Cite this paper
Gates, C., Li, N., Xu, Z., Chari, S.N., Molloy, I., Park, Y. (2014). Detecting Insider Information Theft Using Features from File Access Logs. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8713. Springer, Cham. https://doi.org/10.1007/978-3-319-11212-1_22
DOI: https://doi.org/10.1007/978-3-319-11212-1_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11211-4
Online ISBN: 978-3-319-11212-1