Protecting intellectual property and sensitive information in academic campuses from trusted insiders: leveraging active directory

  • Authors:
  • Dattatraya S. Bhilare;Ashwini K. Ramani;Sanjay K. Tanwani

  • Affiliations:
  • Devi Ahilya University, Indore, India;Devi Ahilya University, Indore, India;Devi Ahilya University, Indore, India

  • Venue:
  • Proceedings of the 37th annual ACM SIGUCCS fall conference: communication and collaboration
  • Year:
  • 2009

Abstract

Insider threat has been the major information security issue for business houses for a long time. Information security managers of academic campuses, however, have yet to pay similar attention to this challenge, as the direct financial losses resulting from it are not of similar magnitude. Nevertheless, universities and colleges hold sensitive academic and personal records. Many institutes are also engaged in advanced research and create valuable intellectual property, which needs to be protected. Monitoring insider threats in academic campuses is particularly difficult because of the complexity of the networks, the diverse mix of systems, and resistance to strict restrictions. Major challenges include users who are less disciplined than industry users, sharing of terminals, inadequate budgets, and the fast turnover of the student population: there are almost thirty percent new enrollments every year. Existing monitoring and control methods are inadequate for two reasons. First, they are able to trace source IP addresses but fail to identify the precise user performing suspicious or non-sanctioned activities. Second, they do not provide real-time actions, as the user profile is not known. Given these security challenges and the complexity of protecting information assets across diverse servers, applications, and a heterogeneous environment, a new approach is proposed. The identity issue is addressed by capturing detailed network user actions across most major applications and correlating them with directory context to track and enforce institutional policies. This differs from existing approaches, which provide a traffic-oriented view of user activity. The proposed approach provides a low-cost and quickly deployable solution, as no network changes are required. The proposed real-time tracking and alerting mechanism ensures early warning and also proactively stops transactions in progress without degrading performance. It also facilitates audit automation using a rule engine, which is constantly updated by an Intelligent Rule Builder.