
1 Insider Access Behavior
Team May 06: Brandon Reher, Jake Gionet, Steven Bromley, Jon McKee
Advisor: Dr. Tom Daniels
Client: The Boeing Company
Contact: Dr. Nick Multari

2 Problem Statement
Original description: The goal of this project is to help students understand state-of-the-art techniques for identifying malicious insider behavior.
Our scope:
- Detect and identify users that are potentially leaking data to unknown outside sources.
- Research existing solutions and explain their advantages and disadvantages as they apply to the system.

3 Possible Solutions
Implemented solution: log parsing
- Systems generate logs for just about everything
- MySQL has the ability to log queries and/or "slow" queries
- Focus on MySQL logs
  o Connections
  o Database usage
  o Queries
Proposed solutions
- System tainting
  o Files and processes carry a contagious and traceable taint
- System cloning
  o Duplicate systems for comparison of system calls
- Border watching
- File watermarks
- User baiting

4 Markov Implementation
- The Markov implementation uses time slices from the profile to create Markov chains.
- For each new event processed, a Markov chain is constructed and its value is compared to the chain.
- If the probability of a series of events falls below the improbability threshold, an alert is raised.

5 Conceptual Sketch

6 Functional Requirements
- Shall make use of pre-existing technologies
- Shall take input from a variety of sources and systems
- Shall correlate and filter relevant data
- Shall alert when malicious activity is discovered
- Shall have a system to provide notifications on alerts
- Shall contain an algorithm that decides whether an attack is being committed

7 Non-functional Requirements
- Shall have a low false-positive rate
- Shall be inconspicuous to the malicious user
- Shall provide alerts in a timely manner
- Shall abide by all licenses of open source software utilized

8 Technical Constraints and Considerations
- The software shall be scalable to a large network
- The software shall alert within a reasonable amount of time

9 Software Platform
Operating systems
- Red Hat Enterprise Linux, version 6.0
- NetBSD, version 2.6.0
Supporting software
- MySQL
- Apache Web Server
- PHP
- Syslogd
Application software
- Java Runtime Environment, version 6 update 24. The Java Runtime Environment allows our application to live on any platform that supports Java.

10 Hardware Platform
Application servers: These servers house the various applications that are to be monitored for unusual behavior.
Log storage server: The log storage server is used as a central repository to hold all the logs from the servers that are being monitored. Network configuration allows the server to remain inconspicuous to users accessing the application servers.
Profiling algorithm server: This server retrieves logs from the log storage server to be parsed by the profiling algorithm.


12 Functional Decomposition

13 Functional Modules
Profile
- Stores the learned information of user activity.
- Provides the expected actions over two time slices to the decision algorithm.
Log parser
- Parses incoming logs as they arrive.
- Creates an event based on the content of the log.
Decision algorithm
- Determines if unusual activity is occurring.
- Makes decisions based on the current event and the time slices from the profile.

14 System Usage
- Initially, log files must be sent to a central location that is passed to the algorithm at the start. This is left to the administrator to configure.
- The algorithm is packaged and executed as part of a jar file.
- The algorithm is run in the background.

15 User Interface
The system interfaces with the user by:
- Allowing the administrator to launch the program via the command line.
- Alerting the administrator upon detection of malicious activity.

16 Testing
- Needed to incorporate profile generation as well as testing of the alert algorithm.
- Accomplished by simulating user traffic on an online forum.
- Generates logged information in the MySQL database.
- The forum software follows a pattern, which makes for a predictable profile.
- Breaking from the set profile indicates tampering in the system.
- The system should raise an alert.
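The following is an added example (not the team's jar or code) that illustrates slides 4 and 16 together: a first-order Markov profile is learned from MySQL general-log lines produced by routine forum sessions, and a new series of events is scored against it, raising an alert when its probability falls below a threshold. The log excerpts, the `to_event` mapping, the flooring of unseen transitions and the threshold value are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed MySQL general-log excerpt (not from the slides). The profile is
# learned from a forum user's routine session: connect, read, post, quit.
NORMAL_LOG = (
    "110412 10:05:01\t    3 Connect\tforum@localhost on forum\n"
    "110412 10:05:01\t    3 Query\tSELECT * FROM posts WHERE thread_id=7\n"
    "110412 10:05:02\t    3 Query\tSELECT * FROM users WHERE id=42\n"
    "110412 10:05:02\t    3 Query\tINSERT INTO posts VALUES (7, 42, 'hi')\n"
    "110412 10:05:03\t    3 Quit\t\n"
) * 20  # repeated so the training profile has some weight

# Constructed window that breaks the pattern: a long run of table-wide reads,
# no post, and a Quit straight after a SELECT (never seen in training).
SUSPICIOUS_LOG = (
    "110413 02:11:09\t    9 Connect\tforum@localhost on forum\n"
    + "110413 02:11:10\t    9 Query\tSELECT * FROM users\n" * 6
    + "110413 02:11:12\t    9 Quit\t\n"
)

LINE_RE = re.compile(r"^\d{6} \d\d:\d\d:\d\d\s+(\d+) (\w+)\t(.*)$")

def to_event(line):
    """Reduce one general-log line to a coarse event: command or SQL verb."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _thread, cmd, arg = m.groups()
    if cmd == "Query":
        return "Q_" + arg.split(None, 1)[0].upper()
    return cmd

def build_profile(log_text):
    """First-order Markov chain P(next | current) learned from the profile log."""
    events = [e for e in map(to_event, log_text.splitlines()) if e]
    pairs = Counter(zip(events, events[1:]))
    outgoing = Counter(events[:-1])
    return {(a, b): n / outgoing[a] for (a, b), n in pairs.items()}

def sequence_logprob(profile, events, floor=1e-3):
    """Log-probability of an event series; unseen transitions get a small floor."""
    return sum(math.log(profile.get(step, floor)) for step in zip(events, events[1:]))

def check_window(profile, log_text, threshold=-5.0):
    """Return (alert, logprob): alert when the series is less likely than threshold."""
    events = [e for e in map(to_event, log_text.splitlines()) if e]
    logprob = sequence_logprob(profile, events)
    return logprob < threshold, logprob

if __name__ == "__main__":
    prof = build_profile(NORMAL_LOG)
    print("routine session:", check_window(prof, "\n".join(NORMAL_LOG.splitlines()[:5])))
    print("suspicious session:", check_window(prof, SUSPICIOUS_LOG))
```

The threshold is the tuning knob behind the "low false-positive rate" requirement: raising it catches more deviations but also flags rare-but-legitimate sessions.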

17 Time Estimate
- Fall 2010: planning, research
- Spring 2011: development, implementation

18 Cost Analysis
Item                      Team Hours  Without Labor  With Labor
Research                         180              0      $3,600
Dell PowerEdge T410 (x8)          10         $6,392      $6,592
Red Hat OS                        10           $350        $550
NetBSD OS                          7              0        $140
Apache Install                     3              0         $60
MySQL Install                      7              0        $140
PHP Install                        3              0         $60
Algorithm Development            300            N/A      $6,000
Totals                           520         $6,742     $17,142

19 Questions?
