Detecting Undesirable Insider Behavior Joseph A. Calandrino* Princeton University Steven J. McKinney* North Carolina State University Frederick T. Sheldon.

Slides:

Advertisements

Similar presentations

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.

Advertisements

A Feedback and Continuous Improvement Tool to ACE Audit Readiness Keith S. Joy Quality Manager September 14, 2004.

Weigh-in-Motion User Manual for WIM Integrated System Cindy Lopez City University of New York-York College Research Alliance in Math and Science (RAMS)

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy Jason Franklin and Vern Paxson.

High Power Hg Target Conceptual Design Review Hg Jet Nozzle Analysis M. W. Wendel Oak Ridge National Laboratory February 7-8, 2005.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY 1 Identifying Regulatory Transcriptional Elements on Functional Gene Groups Using Computer-

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY Cluster Computing Applications Project Parallelizing BLAST Research Alliance of Minorities.

seminar on Intrusion detection system

Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar Aneela Laeeq

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

LLNL-PRES This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Sustainable Design An Overview of the Sustainability Efforts at Oak Ridge National Laboratory.

Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)

Data Mining. 2 Models Created by Data Mining Linear Equations Rules Clusters Graphs Tree Structures Recurrent Patterns.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 1.

Intrusion Detection Jie Lin. Outline Introduction A Frame for Intrusion Detection System Intrusion Detection Techniques Ideas for Improving Intrusion.

Alert Correlation for Extracting Attack Strategies Authors: B. Zhu and A. A. Ghorbani Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )

Masquerade Detection Mark Stamp 1Masquerade Detection.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Adam Ashenfelter Nicholas J. Tyrrell.

Tennessee Technological University1 The Scientific Importance of Big Data Xia Li Tennessee Technological University.

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY Nanoscale Electronics / Single-Electron Transport in Quantum Dot Arrays Dene Farrell SUNY.

INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION INTRUSION DETECTION.

Outlier Detection Using k-Nearest Neighbour Graph Ville Hautamäki, Ismo Kärkkäinen and Pasi Fränti Department of Computer Science University of Joensuu,

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY RobustMap: A Fast and Robust Algorithm for Dimension Reduction and Clustering Lionel F.

Lionel F. Lovett, II Jackson State University Research Alliance in Math and Science Computer Science and Mathematics Division Mentors: George Ostrouchov.

Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of.

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY 1 Parallel Solution of the 3-D Laplace Equation Using a Symmetric-Galerkin Boundary Integral.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 1 Vegetation/Ecosystem Modeling and Analysis Project (VEMAP) Lessons Learned or How to Do.

Oak Ridge Regional Emergency Management Forum David Milan Manager, Emergency Preparedness Department Pollard Auditorium October 26, 2006 Oak Ridge National.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY A Comparison of Methods for Aligning Genomic Sequences Ja’Nera Mitchom Fisk University Research.

An Overview of Intrusion Detection Using Soft Computing Archana Sapkota Palden Lama CS591 Fall 2009.

Fuzzy Network Profiling for Intrusion Detection Dickerson, J.E.; Dickerson, J.A. Fuzzy Information Processing Society, NAFIPS. 19th International.

Intrusion Control. CSCE Farkas2 Readings Lecture Notes Pfleeger: Chapter 7.5.

Kittiphan Techakittiroj (25/10/58 12:06 น. 25/10/58 12:06 น. 25/10/58 12:06 น.) Intrusion Detection System Kittiphan Techakittiroj

Anomaly Detection in Data Mining. Hybrid Approach between Filtering- and-refinement and DBSCAN Eng. Ştefan-Iulian Handra Prof. Dr. Eng. Horia Cioc ârlie.

Ted Fox Interim Associate Laboratory Director Energy and Engineering Sciences Oak Ridge, Tennessee March 21, 2006 Oak Ridge National Laboratory.

Computer Science 1 Mining Likely Properties of Access Control Policies via Association Rule Mining JeeHyun Hwang 1, Tao Xie 1, Vincent Hu 2 and Mine Altunay.

CISC Machine Learning for Solving Systems Problems Presented by: Satyajeet Dept of Computer & Information Sciences University of Delaware Automatic.

1 A Network Security Monitor Paper By: Heberlein et. al. Presentation By: Eric Hawkins.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 1 Ideas on a Framework and Methods for Estimating the Benefits of Government- Sponsored.

Cryptography and Network Security Sixth Edition by William Stallings.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

232 Th EVALUATION IN THE RESOLVED RESONANCE RANGE FROM 0 to 4 keV Nuclear Data Group Nuclear Science and Technology Division Oak Ridge National Laboratory.

Emerging and Evolving Cyber Threats Require Sophisticated Response and Protection Capabilities  Advanced Algorithms  Cyber Attack Detection and Machine.

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.

Anomaly Detection. Network Intrusion Detection Techniques. Ştefan-Iulian Handra Dept. of Computer Science Polytechnic University of Timișoara June 2010.

Parallelization of a Non-Linear Analysis Code Lee Hively and Jim Nutaro (mentors) Computational Sciences and Engineering Travis Whitlow Research Alliance.

Approaches to Intrusion Detection statistical anomaly detection – threshold – profile based rule-based detection – anomaly – penetration identification.

Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY A Systems Development and Implementation Study for 21st Century Software and Security Third.

1. ABSTRACT Information access through Internet provides intruders various ways of attacking a computer system. Establishment of a safe and strong network.

Application Intrusion Detection

Intrusion Control.

Detection and Analysis of Threats to the Energy Sector (DATES)

Evaluating a Real-time Anomaly-based IDS

Intrusion Detection Systems

Data Mining & Machine Learning Lab

Modeling IDS using hybrid intelligent systems

Presentation transcript:

Detecting Undesirable Insider Behavior Joseph A. Calandrino* Princeton University Steven J. McKinney* North Carolina State University Frederick T. Sheldon Oak Ridge National Laboratory May 15, 2007 *This research was performed during an internship at ORNL

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY An Example  Enters false data  Receives promotions, bonuses, control  Financial impact: $500 million "[A bank] employee gained control over data after performing several preparatory actions, such as eliminating some monitoring... or convincing... personnel to take deliberately corrupted data from his... computer instead [of] from the official Reuters terminal." -From Anderson et al., 2004

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Insider Threats...  Result in ~29% of attacks against organizations (US Secret Service et al., 2004)‏  Can devastate an organization  Fundamentally differ previously addressed threats  May come from model employees  Are more than technical threats

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Undesirable Insider Behavior  Organizations and insiders  Insiders vs. outsiders  Undesirable insider behavior  Fuzziness of threat  Unexpected threats  Need to assist administrators

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Roadmap  Existing work  Our contributions  Mining approach  Evaluation  Discussion  Conclusion and Future Work

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Existing Work  Insider threat characterization  Intrusion detection  Machine learning / data mining  Statistical deviation (Anderson et al., 1995)‏  Real-time IDS (Lee et al., 1998; Lee et al., 2001)‏  MINDS (Ertöz et al., 2004; Chandola et al., 2006)‏

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Our Contributions  Designed a system to:  Monitor insider system and network activity  Perform rule-based (or other static) analysis  Mine compiled behavior for anomalies  Implemented the system

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Data Mining Component Role  Periodically extracts aggregate data  Analyzes data to isolate points of interest  Identifies novel threats  Generates new rules (future work)‏

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Characteristic Derivation  Daily data analysis  Per-user data  System-level events alone… for now  Seven characteristics (file accesses, hosts, logins)‏  Normalization using historical SD

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Mining Approach  Similar to MINDS (implementation differs):  Map data to vector space  Compute local outlier factor (Breunig et al., 2000)‏  “Neighborhood” outlier metric  Euclidean distance – not mandatory  Derive additional hints for administrators

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Local Outlier Factor Image Reproduced from Breunig et al. (2000)‏

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Local Outlier Factor Image Reproduced from Breunig et al. (2000)‏

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY LOF Scores  Could report to administrator  Supervisors may be preferable  Supervisors are most familiar with day-to-day tasks  Supervisors may be less technically literate  Consider impact of characteristics on outlier factor

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Evaluation  Generated 28 Days of artificial data  Presume patterns  No activity on weekends until final weekend day  Activity comes from distribution on weekdays  Is real behavior like this?

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Test Data  Graphically (scaled):

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Results Insufficient Data First Weekend Added Anomaly ??

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Results  What’s wrong?

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Results  Why guess? Look at hints for 2/17, 2/23…

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Discussion  Caught added anomaly  What about the four others?  All were “anomalous”  Hints allowed rapid analysis  Depend on parameters, administrator focus

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Conclusions  Insider threat – important problem  Data mining – helpful technique  New tool – promising results  TODO list – long

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Future Work  Additional aspects and characteristics  Issues: drift, deja vu  Better test data  Rule extraction

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Thank You  Questions? Calandrino and McKinney performed this research while under appointment to the Department of Homeland Security (DHS) Scholarship and Fellowship Program, administered by the Oak Ridge Institute for Science and Education (ORISE) through an interagency agreement between the U.S. Department of Energy (DOE) and DHS. ORISE is managed by Oak Ridge Associated Universities (ORAU) under DOE contract number DE-AC05-06OR All opinions expressed in this paper are the authors’ and do not necessarily reflect the policies and views of DHS, DOE, or ORAU/ORISE.