Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Early Signs of Insider Attack Using Role-Based Analysis and Classification Jeff Hinson, Fadi Mohsen, Joe Taylor CS 526 Spring 2009.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Early Signs of Insider Attack Using Role-Based Analysis and Classification Jeff Hinson, Fadi Mohsen, Joe Taylor CS 526 Spring 2009."— Presentation transcript:

1 Detecting Early Signs of Insider Attack Using Role-Based Analysis and Classification Jeff Hinson, Fadi Mohsen, Joe Taylor CS 526 Spring 2009

2 Overview Insider Attacks Role-based Analysis Learning Classifier System Genetic Algorithm Gathering Data Design Problems Future Direction

3 Insider Attacks What is an Insider Attack? Insider attacks involve legitimate network users that have decided to act against the organization that employs them or formerly employed them.

4 Is this really a problem? Because the insider has an extra knowledge about the internal system procedures, servers, and data bases, the harm will be too risky. Studies and researches shows that the number of insider attacks is increasing. In some cases the lose was millions of dollars, and in other cases the lose couldn’t be estimated

5 What is currently being done about it? There are two main types of defense against insider attacks: Technical Means o Tools and programs that can track and restrict employee access, like IDS. Behavioral Means o Tools and programs that can track employee behavioral. This considered a new trend.

6 Role-Based Analysis Users classified into different groups based on needed privileges Every action compared to normal behavior withing user's group

7 Learning Classification System

8 Genetic Algorithm Reproduction Crossover Mutation

9 Gathering Information Windows Server 2008 o Types of information collected o Disallow local user accounts? Custom Local Monitoring Client o Registry Scan o Process Monitoring o Peer-to-Peer Communication

10 Problems with Design Any potential problems with Server 2008? o local accounts? o can admin(s) get around it?

11 Points of Future Interest Manually collect data (instead of Server 2008) o clients run program, pass data to other clients o each client passes data to server o server processes data and sends alerts when a user violates a rule Advantages o more control over what data is collected o difficult for admins to get around

12 References J.S. Park, J. Giordano, "Role-based profile analysis for scalable and accurate insider-anomaly detection," pcc, pp.62, 2006 IEEE International Performance Computing and Communications Conference, 2006 Liu, A.; Martin, C.; Hetherington, T.; Matzner, S., "A comparison of system call feature representations for insider threat detection," Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC, vol., no., pp. 340-347, 15-17 June 2005 Butz, M. V., Kovacs, T., Lanzi, P. L., and Wilson, S. W. (2001). "How XCS Evolves Accurate Classifiers". In Spector, L., Goodman, E., Wu, A., Langdon, W., Voigt, H., Gen, M., Sen, S., Dorigo, M., Pezeshk, S., Garzon, M., and Burke, E., editors, Proceedings of the Genetic and Evolutionary Computation Conference (GECCO'2001), pages 927-–934. San Francisco, CA: Morgan Kaufmann. Bauer, L., Cranor, L. F., Reeder, R. W., Reiter, M. K., and Vaniea, K. 2009. "Real life challenges in access-control management." In Proceedings of the 27th international Conference on Human Factors in Computing Systems (Boston, MA, USA, April 04 - 09, 2009). CHI '09. ACM, New York, NY, 899-908. D.M. Cappelli, A.P. Moore, and T.J. Shimeall, "Common Sense Guide to Prevention/Detection of Insider Threats", tech. report, Carnegie Mellon Univ., CyLab and the Internet Security Alliance, July 2006; www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf.

13 Questions?

Download ppt "Detecting Early Signs of Insider Attack Using Role-Based Analysis and Classification Jeff Hinson, Fadi Mohsen, Joe Taylor CS 526 Spring 2009."

Similar presentations

PhishZoo: Detecting Phishing Websites By Looking at Them

PhishZoo: Detecting Phishing Websites By Looking at Them
Attack Graphs for Proactive Digital Forensics Tara L. McQueen Delaware State University Louis P. Wilder Computational Sciences and Engineering Division.

Attack Graphs for Proactive Digital Forensics Tara L. McQueen Delaware State University Louis P. Wilder Computational Sciences and Engineering Division.
Early Effort Estimation of Business Data-processing Enhancements CS 689 November 30, 2000 By Kurt Detamore.

Early Effort Estimation of Business Data-processing Enhancements CS 689 November 30, 2000 By Kurt Detamore.
© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.

© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Www.audiblemagic.com Audible Magic Corporation 985 University Avenue #35 Los Gatos, CA 95032 USA 408.399.6405 x145 www.audiblemagic.com Tools to Help Universities.

Audible Magic Corporation 985 University Avenue #35 Los Gatos, CA USA x145 Tools to Help Universities.
Access Control Chapter 3 Part 5 Pages 248 to 252.

Access Control Chapter 3 Part 5 Pages 248 to 252.
Overview of Joe B. Taylor CS 591 Fall 2008. Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.

Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.

1. AGENDA History. WHAT’S AN IDS? Security and Roles Types of Violations. Types of Detection Types of IDS. IDS issues. Application.
ECML Group. RMIT2003 CECPyramid Search Method Genetic Programming Genetic programming (GP) is an automated method for creating a working computer program.

ECML Group. RMIT2003 CECPyramid Search Method Genetic Programming Genetic programming (GP) is an automated method for creating a working computer program.
Esri International User Conference | San Diego, CA Technical Workshops | Road Ahead - Silverlight Rex Hansen Wednesday, July 13.

Esri International User Conference | San Diego, CA Technical Workshops | Road Ahead - Silverlight Rex Hansen Wednesday, July 13.
Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor

Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor
Data Mining and Intrusion Detection

Data Mining and Intrusion Detection
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.
Insider Threats Stephen Helms Jen Hugg Matt McNealy.

Insider Threats Stephen Helms Jen Hugg Matt McNealy.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
CS 691Summer 2009Joe B. Taylor Covert Data Channels When Insiders Attack.

CS 691Summer 2009Joe B. Taylor Covert Data Channels When Insiders Attack.

Similar presentations

Ads by Google