- 1. www.syrres.com
Copyright © 2004
A Multi-Disciplinary Approach for
Countering Insider Threats
Secure Knowledge Management
(SKM 2004)
September 23-24, 2004
Marriott Buffalo-Niagara
Amherst, NY USA
Robert DelZoppo, Eric Brown, Matt Downey: Syracuse Research Corporation
Michael D’Eredita, Elizabeth D. Liddy, Joon S. Park, Anand Natarajan, Svetlana Symonenko, Shuyuan M. Ho: Syracuse University
- 2.
Insider Threat
Mission-critical information = High-value target
Threatens US Intelligence Community (IC), other Government
organizations and large corporations
Probability is low, but impact is severe
Types of Threat posed by malicious insiders
• Denial of service
• Compromise of confidentiality
• Compromise of integrity
High complexity of problem
• Increase in sharing of information, knowledge
• Increased availability of corporate knowledge online
• “Low and Slow” nature of malicious insiders
- 3.
Malicious Insider, examples
Brian Patrick Regan (1999-2001)
• Compromise: Removed and hid over 800 pages of classified material; email contact to leaders in Iraq, Libya, and China
• Impact:
  • Suspected acquisition of classified imagery and reports to Iraq
• Cyber Activities:
  • Frequent need-to-know “violations”
  • High volume printing; encrypted emails
Robert Hanssen (1985-2001)
• Compromise: Exfiltrated over 6000 pages of classified material
• Impact:
  • Divulged Intel capabilities of FBI and other agencies
  • Identified three Soviet double agents (1 imprisoned, 2 killed)
• Cyber Activities:
  • Frequent need-to-know “violations”
  • Frequent queries looking for signs of an investigation targeting him
- 4.
Characteristics of Malicious Insider Behavior (current, projected)
• Technically competent to highly-skilled
• Attempts to cover up, destroy evidence
• Sophisticated search / query techniques
• Abuses security clearance to gain access to information (violates “need to know”)
• Downloads data to new devices (e.g., USB thumb drive)
• Encrypts data
• Changes system logs to hide activity
• Uses “stealthy” techniques to communicate with handlers (e.g., encrypted email)
- 5.
Approach
Staged: Detect anomalies in user behavior from cyber observables and, based on these anomalies, assess the risk of malicious insider behavior
Multi-Perspective: Detect anomalies in user behavior considering user-to-user, user-to-content, user-to-resource relationships
Multi-Disciplinary:
• Social Network Analysis (SNA) – Apply concepts from SNA to detect anomalies in social behavior [user-to-user]
• Semantic Analysis (SA) – Leverage Natural Language Processing (NLP) and machine learning techniques to analyze the textual data associated with insiders at a semantic (conceptual) level [user-to-content]
• Composite, Role-based Monitoring (CRBM) – Analyze insider activity based on the organizational, application and operating system roles [user-to-resource]
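The user-to-content perspective is the one that can be shown end to end on a small scale. What follows is an added example, not the project's Semantic Analysis monitor (which, per the architecture slide, is built on CNLP technology and machine learning): it stands in for the conceptual comparison with a bag-of-words cosine similarity between each document an insider accessed and a topic-of-interest profile, and turns the result into the "high-degree of off-topic consumption" anomaly that the risk-assessment slide consumes. The profile text, the five documents, the 0.2 similarity threshold and the 0.3 degree threshold are all constructed for illustration.

```python
"""Off-topic information access scored by term-vector similarity.

Added example, not the paper's Semantic Analysis monitor. A topic-of-interest (TOI)
profile is a term vector built from text the insider's role is expected to consume;
each accessed document is scored against it with cosine similarity, and the share of
documents below a threshold becomes the "off-topic consumption" degree.
"""
import math
import re
from collections import Counter

# Minimal stoplist so function words do not inflate similarity (constructed).
STOPWORDS = {"the", "of", "and", "in", "a", "to", "on", "for", "is", "with", "at"}


def tokens(text):
    """Lower-cased alphabetic tokens with stopwords removed."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS]


def term_vector(text):
    """Bag-of-words term-frequency vector."""
    return Counter(tokens(text))


def cosine(a, b):
    """Cosine similarity between two Counter term vectors (0.0 when either is empty)."""
    shared = set(a) & set(b)
    dot = sum(a[t] * b[t] for t in shared)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


# Constructed TOI profile for an analyst whose TOI/AOI is Biological Weapons / Russia.
TOI_PROFILE = term_vector(
    "biological weapons program anthrax laboratory russia russian pathogen "
    "bioweapon facility production agent stockpile"
)

# Constructed documents accessed in one session: three on topic, two off topic.
ACCESSED_DOCS = {
    "doc-001": "Report on the russian biological weapons program and anthrax production facility",
    "doc-002": "Pathogen stockpile assessment for laboratory sites in russia",
    "doc-003": "Quarterly budget and staffing plan for the field office",
    "doc-004": "Source directory of counterintelligence investigation case files",
    "doc-005": "Bioweapon agent production at a russian facility",
}


def score_documents(docs, profile=TOI_PROFILE):
    """doc id -> similarity to the insider's TOI profile."""
    return {doc_id: cosine(term_vector(text), profile) for doc_id, text in docs.items()}


def off_topic_documents(docs, profile=TOI_PROFILE, threshold=0.2):
    """Documents whose similarity falls below the (constructed) threshold."""
    return {d: s for d, s in score_documents(docs, profile).items() if s < threshold}


def off_topic_degree(docs, profile=TOI_PROFILE, threshold=0.2):
    """Fraction of accessed documents that are off topic for this insider."""
    return len(off_topic_documents(docs, profile, threshold)) / len(docs)


def high_off_topic_consumption(docs, profile=TOI_PROFILE, degree_threshold=0.3):
    """The anomaly the Risk Assessor consumes: True when the off-topic share is high."""
    return off_topic_degree(docs, profile) >= degree_threshold


if __name__ == "__main__":
    for doc_id, score in score_documents(ACCESSED_DOCS).items():
        print(f"{doc_id}: {score:.3f}")
    print("off-topic degree:", off_topic_degree(ACCESSED_DOCS))
    print("anomaly asserted:", high_off_topic_consumption(ACCESSED_DOCS))
```

The anomaly is asserted per insider and per session, not per document: a single unrelated document is normal analyst behavior, and the slides' point is that the risk layer should see one indicator-grade signal rather than every raw observable. A surface-level term vector also misses synonyms and paraphrase, which is why the original system relies on semantic (conceptual) analysis rather than keyword overlap.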
- 6.
Research Objectives
Advance the state of the art in Insider Threat Countermeasures by developing techniques to:
• Model behavior of insiders operating in an IC-based context
• Distinguish between expected and anomalous user behavior
• Detect indicators of malicious insider behavior (MIB)
• Assess indicators of MIB for potential threat to the confidentiality and integrity
of information.
To reduce the overall effort in countering threat from malicious
insiders:
• Reduce the size of the problem space to a manageable number of indicators a
system security / assurance administrator would need to look at
• Provide early awareness of risk elevating situations
- 7.
Research Objectives, cont’d
To provide a robust solution which:
• Has breadth: Incorporates a wide range of observable types and can assess multiple types of risk
• Has depth: Can analyze observables at fine-grained levels (e.g., semantics)
• Is scalable: Can model behavior at multiple levels (e.g., insider, role) and is minimally impacted as # of insiders increases
• Is extensible: Can be extended to incorporate new threat scenarios and other sources of indicators (e.g., anomaly detectors)
• Is reusable: Modules could be reused in another system or context
- 8.
Assumptions
Insiders with similar roles, goals and tasks will have
similar behavior.
Malicious insider behavior will differ, to a measurable
degree, from behavior of typical insiders.
Insiders’ actual behavior will be discernable through
cyber-observations from sensors which currently exist
or could be constructed.
Anomaly-based or signature-based methods, by
themselves, are insufficient for identification of Insider
Threats.
- 9.
Approach/Methodology
Expected Behavior Model
[Diagram: the Expected Behavior Model drawn as a role/goal/task tree. Roles shown: Analyst, Linguist, Subject Matter Expert, all under Insider. Goals shown include Collect, Analyze, Report, Question, Review Available Data and Request Collection. Tasks are action/object pairs such as communicate - Analyst, search - information container, consume - information instance, send information instance - Analyst, receive collaboration request - Analyst, receive collection request - CRM, launch - search application, launch - analysis application, communicate - collection manager, communicate - senior reporter, communicate - SME, communicate - linguist, request collection - collection manager, send collaboration request - SME, effect - $doc: information instance.]
• Hierarchically organized by role/goal/task (RGT)
• Allows for computation of non-deterministic behavior (e.g., multitasking)
• Provides scoping mechanism
• Can be used for both pattern matching and data generation
- 10.
Approach/Methodology: Risk Assessment
[Diagram: four columns, Observables → Anomalies → Indicators → Risk. Worked example on the slide: the anomalies “atypical access to system”, “high-degree of off-topic consumption” and “low-degree of expected interaction” assert the indicator “collector” behavior pattern, which raises the risk Confidentiality compromise (High).]
Risk is identified as indicators are asserted; indicators are asserted from the anomalies detected.
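The two-step inference on this slide (anomalies assert indicators, indicators assert risk) is what lets the system present an administrator with a handful of indicators instead of every raw anomaly. The following is an added example and not the project's Risk Assessor or its JESS rule base: it encodes the chain as two small rule layers over plain Python data. The "collector" indicator rule and its High confidentiality risk mirror the slide's example; the second indicator rule, the numeric severity weights and the sample anomalies are constructed for illustration.

```python
"""Risk assessment chain: anomalies -> indicators -> risk.

Added example, not the paper's Risk Assessor. Indicator rules fire when every anomaly
kind they require has been asserted for an insider; risk rules then map each asserted
indicator to a risk category and severity. Rule contents are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Anomaly:
    insider: str
    kind: str      # anomaly type, e.g. "atypical_system_access"
    detector: str  # which anomaly detector asserted it: SNA, SA or CRBM


@dataclass
class Assessment:
    indicators: dict = field(default_factory=dict)  # indicator -> supporting anomalies
    risks: dict = field(default_factory=dict)       # risk category -> severity (1..3)


# Indicator rules: indicator -> set of anomaly kinds that must ALL be present.
INDICATOR_RULES = {
    # mirrors the slide's example
    "collector behavior pattern": {
        "atypical_system_access",
        "high_off_topic_consumption",
        "low_expected_interaction",
    },
    # constructed second rule: shows one anomaly feeding more than one indicator
    "covert exfiltration channel": {
        "high_off_topic_consumption",
        "encrypted_outbound_email",
    },
}

# Risk rules: indicator -> (risk category, severity). Severities are constructed.
RISK_RULES = {
    "collector behavior pattern": ("Confidentiality compromise", 3),
    "covert exfiltration channel": ("Confidentiality compromise", 2),
}

SEVERITY_LABELS = {1: "Low", 2: "Medium", 3: "High"}


def assess(anomalies):
    """Return {insider: Assessment}; only insiders with at least one anomaly appear."""
    by_insider = {}
    for a in anomalies:
        by_insider.setdefault(a.insider, []).append(a)
    results = {}
    for insider, observed in by_insider.items():
        kinds = {a.kind for a in observed}
        assessment = Assessment()
        # layer 1: assert indicators, keeping the anomalies that justify each one
        # so an administrator can trace an indicator back to detector output
        for indicator, required in INDICATOR_RULES.items():
            if required <= kinds:
                assessment.indicators[indicator] = [a for a in observed if a.kind in required]
        # layer 2: derive risk; the highest severity among contributing indicators wins
        for indicator in assessment.indicators:
            category, severity = RISK_RULES[indicator]
            assessment.risks[category] = max(assessment.risks.get(category, 0), severity)
        results[insider] = assessment
    return results


def risk_label(assessment, category):
    """Human-readable severity for one risk category ("None" if not asserted)."""
    return SEVERITY_LABELS.get(assessment.risks.get(category, 0), "None")


# Constructed sample: Terry exhibits the slide's three anomalies, Pat only one of them.
SAMPLE_ANOMALIES = [
    Anomaly("Terry", "atypical_system_access", "CRBM"),
    Anomaly("Terry", "high_off_topic_consumption", "SA"),
    Anomaly("Terry", "low_expected_interaction", "SNA"),
    Anomaly("Pat", "high_off_topic_consumption", "SA"),
]

if __name__ == "__main__":
    for insider, result in assess(SAMPLE_ANOMALIES).items():
        print(insider, sorted(result.indicators), result.risks)
```

Keeping the supporting anomalies attached to each indicator is what makes the output reviewable: the administrator sees "collector behavior pattern" for Terry and can expand it to the three detector findings behind it, while Pat's single off-topic anomaly never reaches the risk layer. Because the rules live in data rather than code, a new scenario is added by extending the two dictionaries, which is the role the slides assign to the Risk Assessment Policy.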
- 11.
System Overview
[Diagram: Observable Activity feeds three Anomaly Detectors (Social Network Analysis, Semantic Analysis, Composite Role-Based Analysis) together with the Expected Behavior Model; the Risk Assessor combines the detected anomalies into Risks & Alerts.]
Anomaly Detectors take black-boxed sensor input such as:
• web logs
• print logs
• email monitors
• phone logs
• system access logs
• host sensor logs
• card key readers
• etc.
- 12.
Current Work: Relational Matrix Analysis Tool (user-to-user, user-to-resource)
Given: Observables (from Scenario); Insider Restrictions (role, TOI, AOI, task); Resource Restrictions (TOI, AOI, task); Method Restrictions
Relational Matrix Analysis Tool:
• Generate Relational Matrices
  • Based on insider (constrained by RGT) versus a hierarchy of resources, goals, and interaction methods
  • Comparison level: specific (explicit resource) or generic (resource type)
• Perform Outlier Analysis
Outputs: Insider vs. Resource Matrix; Outlier Indicators and Analysis
Observable (from Scenario):
<Observable>
  <Name>Terry</Name>
  <Role>analyst</Role>
  <Toi>Biological Weapons</Toi>
  <Aoi>Russia</Aoi>
  <Task>Report</Task>
  <Method>leave VM</Method>
  <ResourceLabel>Smith</ResourceLabel>
  <ResourceType>senior reporter</ResourceType>
  <Time>1071032734</Time>
</Observable>
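The following is an added example, not the project's Relational Matrix Analysis Tool: it parses observables in the XML shape shown on this slide, builds the insider-vs-resource matrix under an insider restriction (role) at either comparison level (generic = ResourceType, specific = ResourceLabel), and performs a simple outlier analysis that rests on the assumption slide 8 states, that insiders with the same role behave similarly. The sample interactions are constructed: Terry, Pat and Chris are typical analysts, Alex is built to look like a "collector", and Sam is a linguist who should be filtered out by the role restriction. The outlier score (Euclidean distance from a leave-one-out peer mean over proportion profiles) is one reasonable choice, not the paper's method.

```python
"""Relational matrix + outlier analysis over <Observable> records.

Added example, not the paper's tool. Observables -> insider x resource count matrix
(restricted by role, compared at generic or specific level) -> per-insider outlier score
relative to role peers.
"""
import math
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample interactions: (insider, role, resource label, resource type, count).
SAMPLE_INTERACTIONS = [
    ("Terry", "analyst", "Smith", "senior reporter", 3),
    ("Terry", "analyst", "BW-Russia", "information container", 3),
    ("Pat", "analyst", "Smith", "senior reporter", 3),
    ("Pat", "analyst", "BW-Russia", "information container", 3),
    ("Chris", "analyst", "Jones", "senior reporter", 2),
    ("Chris", "analyst", "BW-Russia", "information container", 4),
    ("Alex", "analyst", "BW-Russia", "information container", 2),
    ("Alex", "analyst", "USB-01", "removable media", 4),   # constructed "collector" profile
    ("Sam", "linguist", "Lee", "SME", 2),                  # excluded by role restriction
]


def build_observables_xml(interactions=SAMPLE_INTERACTIONS):
    """Emit one <Observable> per interaction, using the element layout from the slide."""
    records = []
    t = 1071032734  # epoch-seconds timestamp as on the slide; incremented per record
    for name, role, label, rtype, count in interactions:
        for _ in range(count):
            t += 60
            records.append(
                f"<Observable><Name>{name}</Name><Role>{role}</Role>"
                f"<Toi>Biological Weapons</Toi><Aoi>Russia</Aoi><Task>Report</Task>"
                f"<Method>leave VM</Method><ResourceLabel>{label}</ResourceLabel>"
                f"<ResourceType>{rtype}</ResourceType><Time>{t}</Time></Observable>"
            )
    return "<Observables>" + "".join(records) + "</Observables>"


def relational_matrix(xml_text, role=None, level="generic"):
    """insider -> resource -> interaction count.

    role:  insider restriction; only observables whose <Role> matches are kept
    level: "generic" compares by <ResourceType>, "specific" by <ResourceLabel>
    """
    field = "ResourceType" if level == "generic" else "ResourceLabel"
    matrix = defaultdict(lambda: defaultdict(int))
    for obs in ET.fromstring(xml_text).iter("Observable"):
        if role is not None and obs.findtext("Role") != role:
            continue
        matrix[obs.findtext("Name")][obs.findtext(field)] += 1
    return {insider: dict(row) for insider, row in matrix.items()}


def outlier_scores(matrix):
    """Distance of each insider's interaction profile from the mean profile of its peers.

    Rows are normalised to proportions so a busy insider is not penalised for volume;
    the peer mean is leave-one-out so an outlier does not pull the baseline toward itself.
    """
    columns = sorted({resource for row in matrix.values() for resource in row})
    profiles = {}
    for insider, row in matrix.items():
        total = sum(row.values())
        profiles[insider] = [row.get(c, 0) / total for c in columns]
    scores = {}
    for insider, vec in profiles.items():
        peers = [v for name, v in profiles.items() if name != insider]
        if not peers:
            scores[insider] = 0.0
            continue
        mean = [sum(col) / len(peers) for col in zip(*peers)]
        scores[insider] = math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, mean)))
    return scores


def top_outlier(xml_text, role="analyst", level="generic"):
    """Insider whose profile is farthest from its role peers."""
    scores = outlier_scores(relational_matrix(xml_text, role=role, level=level))
    return max(scores, key=scores.get)


if __name__ == "__main__":
    xml_text = build_observables_xml()
    matrix = relational_matrix(xml_text, role="analyst")
    for insider, score in sorted(outlier_scores(matrix).items(), key=lambda kv: -kv[1]):
        print(f"{insider:6s} {score:.3f}  {matrix[insider]}")
```

Running it at the generic level, Alex scores roughly 0.83 against about 0.31 for the other analysts: the three typical rows split their interactions between a senior reporter and an information container, while Alex's row is dominated by a resource type none of the peers touch. The output is an outlier indicator for the Risk Assessor, not a verdict; the restrictions (role, TOI, AOI, task) exist precisely so the comparison group is small and homogeneous enough for the slide 8 assumption to hold.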
- 15.
System Architecture
[Diagram: component boxes, each annotated with the technology it leverages; a legend distinguishes COTS, R&D and “Leverage ARDA” components.]
• Observable Archive
• Expected Behavior Model
• Risk Assessor, with Risk Policy
• XML interface between modules
• Scenario Generator: CPN Tools, IC Workflow Model
• Social Network Monitor: JUNG
• Semantic Analysis Monitor: CNLP Technology
• Composite Role-based Monitor: Role-based Research
• Risk Assessment Display: i2 Analyst Notebook, MS Excel
• Controller / Rule Engine: JESS
• Document Collection
- 16.
Scalability of Solution
High Scalability / Extensibility
• Other anomaly detectors can be added to provide additional
indicators
• Risk Assessment Policy provides a means for writing new rules and
sets of rules
Generalizability
• Methodology provides abstraction mechanisms for managing
complexity
• Approach can be generalized to other domains
Reusability / Interoperability
• Anomaly detectors can provide indicators to other types of systems
• XML-based interfaces – provide “loose” couplings between
modules
- 17.
Limitations/Vulnerabilities
Non-cyber activities
• Mitigation: Security Administrator Application for entering / managing non-cyber
indicators
Undetected cyber observables:
• Most non-textual media (Images, Audio, Video)
» Example: Communications analyst inappropriately retrieving images
unrelated to task
» Mitigation: Analyze image meta-data to provide basic analysis of
image content
• Anonymous user behavior – Guest, and other potentially anonymous
activities such as access through web-based applications
» Mitigation: Can still monitor to identify risk
• Account “masquerading”
» Mitigation: Focus on individual insiders; detect shifts in behavior
- 18.
Summary
Currently under experimentation using controlled simulation with
synthetic data sets (scenarios):
• Baseline scenario – observables under normal conditions
• “Threat” scenarios – baseline scenario with anomaly injection
• Includes supporting UNCLASSIFIED document collections on a
variety of topics (e.g., Terrorism/WMD)
Preliminary results indicate
• Role-Goal-Task-orientation of Expected Behavior Model provides
a basis for modeling context-dependent behavior
• Relational Matrix approach very well suited to anomaly detection
in entity-to-entity interaction
• Semantic Analysis approach works well to identify off-topic
information access
- 19.
Acknowledgements
Advanced Research and Development Activity (ARDA)
Advanced Countermeasures for Insider Threat (ACIT) Program
(sponsor)
Other ARDA Programs
• Cyber Indications & Warning (CIW) Workshop (MITRE, Aug 03)
• Advanced Question & Answering for Intelligence (AQUAINT)
• Novel Intelligence from Massive Data (NIMD)
Mitigating the Insider Threat to Information Systems - #2;
Workshop Proceedings (RAND, Aug 00)