The optimization of situational awareness for insider threat detection

  • Authors: Kenneth Brancik; Gabriel Ghinita
  • Affiliations: Northrop Grumman Corporation, McLean, VA, USA; Purdue University, West Lafayette, IN, USA
  • Venue: Proceedings of the first ACM conference on Data and application security and privacy
  • Year: 2011


Abstract

In recent years, organizations ranging from defense and other government institutions to commercial enterprises, research labs, etc., have witnessed an increasing number of sophisticated insider attacks that manage to bypass existing security controls. Insider threats are staged either by disgruntled employees or by employees engaged in malicious activities such as industrial espionage. The objectives of such threats range from sabotage, e.g., to disrupt the completion of a project, to exfiltration of sensitive data such as trade secrets, patents, etc. Insiders are often skilled and motivated individuals with good knowledge of the organization's internal security measures. They devise effective and carefully planned attacks, prepared over long periods of time and customized to inflict maximum damage. Such attacks are difficult to detect and protect against, because insiders hold the proper credentials to access services and systems within the organization, and possess knowledge that may allow them to deceive network defense controls. As a result, a large number of hosts may be taken over, allowing malicious insiders to maintain control over the network even after leaving the organization. The objective of this study is to identify a high-level architecture and mechanisms for early detection of and protection against insider threats. One of the main aspects we focus on is preventing data exfiltration, which is known to cost billions of dollars in losses annually. The goal is to either (i) detect attacks as they occur and prevent insiders from gaining control over the network, or (ii) detect compromised hosts and services early, so that malware is prevented from spreading or morphing and insiders are no longer able to control the network or to exfiltrate sensitive data.
We envision a data-intensive approach that leverages large amounts of events collected from a diverse set of sources such as network sensors, intrusion detection systems, security and service logs, as well as known attack databases (e.g., virus signature collections, digital artifacts), etc. The proposed approach aims to study and understand the relationships and correlations between events, with the purpose of detecting anomalous and/or malicious behavior.