Detecting Early Signs of Insider Attack Using Role-Based Analysis and Classification Jeff Hinson, Fadi Mohsen, Joe Taylor CS 526 Spring 2009.

Slides:

Advertisements

Similar presentations

PhishZoo: Detecting Phishing Websites By Looking at Them

Advertisements

Attack Graphs for Proactive Digital Forensics Tara L. McQueen Delaware State University Louis P. Wilder Computational Sciences and Engineering Division.

Early Effort Estimation of Business Data-processing Enhancements CS 689 November 30, 2000 By Kurt Detamore.

© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Audible Magic Corporation 985 University Avenue #35 Los Gatos, CA USA x145 Tools to Help Universities.

Access Control Chapter 3 Part 5 Pages 248 to 252.

Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

ECML Group. RMIT2003 CECPyramid Search Method Genetic Programming Genetic programming (GP) is an automated method for creating a working computer program.

Esri International User Conference | San Diego, CA Technical Workshops | Road Ahead - Silverlight Rex Hansen Wednesday, July 13.

Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor

Data Mining and Intrusion Detection

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.

Insider Threats Stephen Helms Jen Hugg Matt McNealy.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.

CS 691Summer 2009Joe B. Taylor Covert Data Channels When Insiders Attack.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Lecture 11 Intrusion Detection (cont)

Network security policy: best practices

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Module 8: Implementing Administrative Templates and Audit Policy.

1 Firewalls Types of Firewalls  Screening router firewalls  Computer-based firewalls  Firewall appliances  Host firewalls (firewalls on clients and.

May 2014 Zimele Technologies Customer convenience through mobile MDMS applications.

Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India Ph. D Colloquium, CSI-2011 Signature Apriori based Network.

Social Computing Group © 2006 IBM Corporation Towards Supple Enterprises Learning from N64’s Super Mario 64, Wii.

BotNet Detection Techniques By Shreyas Sali

Using Windows Firewall and Windows Defender

AtomPark Software is founded in The head office is located in Saint-Petersburg, Russia. Company is officially registered in the United States. AtomPark.

Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.

Honeypot and Intrusion Detection System

OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.

An Investigation of Facebook Grouping Robin Brewer Yael Mayer Lorrie Cranor Patrick Kelley facebook Home Profile Account Search.

APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.

Knowing What You Missed Forensic Techniques for Investigating Network Traffic.

April 14, 2005Sergio Caltagirone The Essence of Sergio Caltagirone April 14, 2005 Active Response.

STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES 1 The Technical Services Stuff in IT Services A brief tour of the technical and service offering plethora.

Module 11: Designing Security for Network Perimeters.

Security and Assurance in IT organization Name: Mai Hoang Nguyen Class: INFO 609 Professor: T. Rohm.

Cryptography and Network Security Sixth Edition by William Stallings.

Learning Classifier Systems (Introduction) Muhammad Iqbal Evolutionary Computation Research Group School of Engineering and Computer Science Victoria University.

Security Issues in Distributed Sensor Networks Yi Sun Department of Computer Science and Electrical Engineering University of Maryland, Baltimore County.

© 2008 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Cyber Security and the National.

Research Direction Advisor: Frank,Yeong-Sung Lin Presented by Jia-Ling Pan 2010/10/211NTUIM OPLAB.

Module 10: Implementing Administrative Templates and Audit Policy.

CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.

MARCH 2011 ATTACK AGAINST RSA By: K Brenner IST522 Spring 2013 AUTO RUN PRESENTATIONSOUND ENABLED.

A Blackboard-Based Learning Intrusion Detection System: A New Approach

1. ABSTRACT Information access through Internet provides intruders various ways of attacking a computer system. Establishment of a safe and strong network.

ID8 TEAM 2012 Caroline Amaba Ryan Gavin Mike Hegadorn Greg McLeod John Scire Nirmal Rajan.

Welcome Information Security Office Services Available to Counties Security Operations Center Questions.

WEB BASED MONITORING AND CONTROLING OF INDUSTRIAL PROCESSES PRESENTED BY: Bhagyawant (3AE07EC018) Kushal (3AE07EC032) Mahantesh (3AE07EC034) Mallinath.

Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.

Jason Ewing. What is an Intrusion Why Detecting Signs of Intrusion is Important? Types of Intrusion Detection Systems (IDS) Approaches for Detection Anomaly.

By: Taysha Johnson. What is an insider threat? 1.A current or former employee, contractor, or other business partner who has or had authorized access.

Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.

AHED Automatic Human Emotion Detection

Protecting your mobile devices away from virus by a cloud-based approach Wei Wu.

Active Learning Intrusion Detection using k-Means Clustering Selection

Evaluating a Real-time Anomaly-based IDS

Forensics Week 11.

Cyber Security and the National Broadband Strategy

A 5-minute overview of ADAudit Plus

Intrusion Detection system

Protecting your data with Azure AD

The pitfalls of address randomization in wireless networks

Presentation transcript:

Detecting Early Signs of Insider Attack Using Role-Based Analysis and Classification Jeff Hinson, Fadi Mohsen, Joe Taylor CS 526 Spring 2009

Overview Insider Attacks Role-based Analysis Learning Classifier System Genetic Algorithm Gathering Data Design Problems Future Direction

Insider Attacks What is an Insider Attack? Insider attacks involve legitimate network users that have decided to act against the organization that employs them or formerly employed them.

Is this really a problem? Because the insider has an extra knowledge about the internal system procedures, servers, and data bases, the harm will be too risky. Studies and researches shows that the number of insider attacks is increasing. In some cases the lose was millions of dollars, and in other cases the lose couldn’t be estimated

What is currently being done about it? There are two main types of defense against insider attacks: Technical Means o Tools and programs that can track and restrict employee access, like IDS. Behavioral Means o Tools and programs that can track employee behavioral. This considered a new trend.

Role-Based Analysis Users classified into different groups based on needed privileges Every action compared to normal behavior withing user's group

Learning Classification System

Genetic Algorithm Reproduction Crossover Mutation

Gathering Information Windows Server 2008 o Types of information collected o Disallow local user accounts? Custom Local Monitoring Client o Registry Scan o Process Monitoring o Peer-to-Peer Communication

Problems with Design Any potential problems with Server 2008? o local accounts? o can admin(s) get around it?

Points of Future Interest Manually collect data (instead of Server 2008) o clients run program, pass data to other clients o each client passes data to server o server processes data and sends alerts when a user violates a rule Advantages o more control over what data is collected o difficult for admins to get around

References J.S. Park, J. Giordano, "Role-based profile analysis for scalable and accurate insider-anomaly detection," pcc, pp.62, 2006 IEEE International Performance Computing and Communications Conference, 2006 Liu, A.; Martin, C.; Hetherington, T.; Matzner, S., "A comparison of system call feature representations for insider threat detection," Information Assurance Workshop, IAW '05. Proceedings from the Sixth Annual IEEE SMC, vol., no., pp , June 2005 Butz, M. V., Kovacs, T., Lanzi, P. L., and Wilson, S. W. (2001). "How XCS Evolves Accurate Classifiers". In Spector, L., Goodman, E., Wu, A., Langdon, W., Voigt, H., Gen, M., Sen, S., Dorigo, M., Pezeshk, S., Garzon, M., and Burke, E., editors, Proceedings of the Genetic and Evolutionary Computation Conference (GECCO'2001), pages 927-–934. San Francisco, CA: Morgan Kaufmann. Bauer, L., Cranor, L. F., Reeder, R. W., Reiter, M. K., and Vaniea, K "Real life challenges in access-control management." In Proceedings of the 27th international Conference on Human Factors in Computing Systems (Boston, MA, USA, April , 2009). CHI '09. ACM, New York, NY, D.M. Cappelli, A.P. Moore, and T.J. Shimeall, "Common Sense Guide to Prevention/Detection of Insider Threats", tech. report, Carnegie Mellon Univ., CyLab and the Internet Security Alliance, July 2006;

Questions?