Abstract
Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rule-breaking, which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring.
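The abstract describes keeping a per-node, incrementally updated estimate that a node is an attacker and using it as a trigger for investigation. The following is an added illustration of that idea, not code from the paper: a log-odds accumulator in which each observed event type carries an assumed likelihood ratio P(event | attacker) / P(event | benign), the estimate for only the node named in the event is updated, and nodes whose posterior crosses a threshold are placed on a watch list. The likelihood ratios, the base rate, the event format and the sample log lines are all constructed for this example; the paper's own model and parameters may differ.

```python
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed likelihood ratios P(event | attacker) / P(event | benign).
# Values are illustrative assumptions, not figures from the paper.
LIKELIHOOD_RATIOS = {
    "failed_login": 1.2,        # common background noise, nearly uninformative alone
    "off_hours_access": 3.0,
    "bulk_document_read": 8.0,
    "policy_violation": 4.0,    # e.g. an organizational rule-breaking indicator
    "normal_activity": 0.9,     # slightly more typical of benign nodes
}

PRIOR_ATTACKER = 0.01   # assumed base rate of attackers among monitored nodes


@dataclass
class NodeEstimate:
    """Long-term state kept per node: log-odds of being an attacker."""
    log_odds: float
    events_seen: int = 0

    @property
    def probability(self) -> float:
        return 1.0 / (1.0 + math.exp(-self.log_odds))


class EvidenceAccumulator:
    """Maintains per-node posterior estimates without any global recomputation.

    Each event multiplies the odds of the named node by its likelihood ratio
    (added in log space); no event data is retained and no other node changes.
    """

    def __init__(self, prior: float, ratios: dict[str, float], alert_threshold: float = 0.5):
        self.prior = prior
        self.prior_log_odds = math.log(prior / (1.0 - prior))
        self.ratios = ratios
        self.threshold = alert_threshold
        self.nodes: dict[str, NodeEstimate] = {}

    def observe(self, node: str, event_type: str) -> float:
        """Incorporate one event and return the node's updated probability."""
        lr = self.ratios.get(event_type, 1.0)   # unknown event types carry no evidence
        est = self.nodes.setdefault(node, NodeEstimate(self.prior_log_odds))
        est.log_odds += math.log(lr)
        est.events_seen += 1
        return est.probability

    def probability(self, node: str) -> float:
        est = self.nodes.get(node)
        return est.probability if est else self.prior

    def watch_list(self) -> list[str]:
        """Nodes whose estimate has crossed the investigation threshold, most suspicious first."""
        flagged = [n for n, e in self.nodes.items() if e.probability >= self.threshold]
        return sorted(flagged, key=lambda n: -self.nodes[n].log_odds)


def parse_event(line: str) -> tuple[str, str]:
    """Constructed line format: '<timestamp> <node> <event_type>'."""
    _timestamp, node, event_type = line.split()
    return node, event_type


# Constructed sample event stream: ws-07 produces only noise, ws-12 a slow
# sequence of individually weak indicators, ws-03 a single off-hours access.
SAMPLE_EVENTS = [
    "2010-03-01T09:12 ws-07 failed_login",
    "2010-03-01T09:13 ws-07 failed_login",
    "2010-03-02T10:40 ws-07 normal_activity",
    "2010-03-02T22:15 ws-12 off_hours_access",
    "2010-03-04T08:05 ws-03 off_hours_access",
    "2010-03-09T23:02 ws-12 bulk_document_read",
    "2010-03-15T11:30 ws-07 failed_login",
    "2010-03-18T14:00 ws-12 policy_violation",
    "2010-03-20T12:00 ws-07 normal_activity",
    "2010-03-27T23:48 ws-12 off_hours_access",
]


def run_sample(events: list[str] = SAMPLE_EVENTS) -> EvidenceAccumulator:
    acc = EvidenceAccumulator(PRIOR_ATTACKER, LIKELIHOOD_RATIOS)
    for line in events:
        node, event_type = parse_event(line)
        acc.observe(node, event_type)
    return acc


if __name__ == "__main__":
    acc = run_sample()
    for node, est in sorted(acc.nodes.items()):
        print(f"{node}: p(attacker)={est.probability:.4f} after {est.events_seen} events")
    print("watch list:", acc.watch_list())
```

With the constructed values, the three failed logins and two normal activities on ws-07 leave its estimate near the 1% base rate, while the four weak-to-moderate indicators on ws-12, spread over a month, multiply its odds by 288 and push it to roughly 0.74, above the 0.5 trigger. Because each update touches only the named node and stores only a scalar, the state grows with the number of nodes rather than the volume of events.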
Chivers, H., Clark, J.A., Nobles, P. et al. Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise. Inf Syst Front 15, 17–34 (2013). https://doi.org/10.1007/s10796-010-9268-7