Similar literature
1.
Unlike external attacks, insider threats arise from legitimate users who belong to the organization. Depending on their motives, these individuals may become a source of hostile behavior. For insider detection, many intrusion detection systems learn and prevent known scenarios, but because malicious behavior has patterns similar to normal behavior, in practice these systems can be evaded. Furthermore, because insider threats share a feature space similar to normal behavior, identifying them by detecting anomalies has limitations. This study proposes an improved anomaly detection methodology for insider threats in cybersecurity, in which a discrete wavelet transformation technique is applied to classify normal vs. malicious users. The discrete wavelet transformation technique readily discovers new patterns or decomposes synthesized data, making it possible to distinguish between shared characteristics. To verify the efficacy of the proposed methodology, experiments were conducted in which normal users and malicious users were classified based on insider threat scenarios provided in Carnegie Mellon University's Computer Emergency Response Team (CERT) dataset. The experimental results indicate that the proposed methodology with discrete wavelet transformation reduced the false-positive rate by 82% to 98% compared to the case with no wavelet applied. Thus, the proposed methodology has high potential for application to similar feature spaces.

2.
The UK government took a bruising in the headlines (Sep 2008) after a Home Office contractor lost a USB stick containing unencrypted data on all 84,000 prisoners in England and Wales. As a result, the Home Office terminated the £1.5 million contract with the management consultancy firm. The world woke up to the largest attempted bank fraud ever when the UK's National Hi-Tech Crime Unit foiled the world's largest potential bank robbery in March 2005. With the help of the security supervisor, thieves masquerading as cleaning staff installed hardware keystroke loggers on computers within the London branch of a Japanese bank, to steal £220m. It is indeed sobering to imagine that any organisation could fall victim to such events and the damage an insider can do. The consulting firm lost the contract worth £1.5 million due to a small mistake by an employee. The London branch of the Japanese bank would have lost £220 million had the crime not been foiled. Insider threat is a reality. Insiders commit fraud or steal sensitive information when motivated by money or revenge. Well-meaning employees can compromise the security of an organisation with their overzealousness in getting their job done. Every organisation has a varied mix of employees, consultants, management, partners and complex infrastructure, and that makes handling insider threats a daunting challenge. With insider attacks, organisations face potential damage through loss of revenue, loss of reputation, loss of intellectual property or even loss of human life. The insider threat problem is more elusive and perplexing than any other threat. Assessing the insider threat is the first step in determining the likelihood of any insider attack. Technical solutions do not suffice, since insider threats are fundamentally a people issue.
Therefore, a three-pronged approach - technological, behavioural and organisational assessment - is essential to facilitate the prediction of insider threats and pre-empt any insider attack, thus improving the organisation's security, survivability and resiliency in light of insider threats.

3.
In recent years, insider attacks, chiefly system sabotage, information theft and electronic fraud, have posed a serious threat to individuals, enterprises and even national security because they are highly covert and highly destructive. It is therefore necessary to pay close attention to the existing research results and development trends in insider threats. This paper analyzes the characteristics of insider threats and proposes a formal definition based on trust theory. It groups current insider-threat research hotspots into four areas: insider threat models, subjective factors, objective factors and other research; it introduces the state of research in each area and summarizes and analyzes the progress in each. By analyzing existing insider threat cases and current research progress, it proposes a new insider threat detection system to address the shortcomings of existing research, and looks ahead to future key technologies.

4.
Using honeypot technology to capture threats from the inside   Cited by: 6 (self-citations: 0, citations by others: 6)
In recent years honeypot technology has been studied extensively, but honeypot research has concentrated on detecting and collecting information about threats originating outside the network; little work has used honeypots to study threats from the internal network. This paper discusses how honeypot technology can be used to detect, identify and collect information about insider threats.

5.
Cloud computing is a large network infrastructure in which users, owners, third parties, authorized users and customers can access and store their information quickly. The use of cloud computing has enabled the rapid growth of information in every field and the need for a centralized location for efficient processing. Today this cloud is heavily affected by internal threats from users. Sensitive applications such as banking, hospital and business systems are the most likely to be affected by threats from real users. An intruder presents as a user and is set up as a member of the network. After becoming an insider in the network, they try to attack or steal sensitive data during information sharing or conversation. Identifying the insider threat in the cloud network is a major issue in today's technological development. When data are lost, compromising cloud users is difficult; privacy and security are not ensured, and use of the cloud is then not trusted. Several solutions are available for the external security of a cloud network; however, insider or internal threats still need to be addressed. In this research work, we focus on a solution for identifying an insider attack using an artificial intelligence technique. An insider attack is possible using the nodes of weak users' systems: the attacker logs in using a weak user id, connects to the network and pretends to be a trusted node, after which they can easily attack and steal information as an insider, and identifying them is very difficult. These types of attacks need intelligent solutions. Machine learning approaches are widely used for security issues, yet existing approaches still lag in classifying attackers accurately. This information hijacking is a serious concern that motivates young researchers to provide a solution for internal threats. In our proposed work, we track attackers using a user interaction behavior pattern and a deep learning technique.
The mouse movements, clicks and keystrokes of the real user are stored in a database. A deep belief neural network is designed using restricted Boltzmann machines (RBM) so that each RBM layer communicates with the previous and subsequent layers. The result is evaluated using the Cooja simulator in a cloud-based environment. Accuracy and F-measure are greatly improved compared with the existing long short-term memory and support vector machine approaches.

6.
This paper investigates insider threat in relational database systems. It discusses the problem of insiders inferring unauthorized information and proposes methods to prevent such threats. The paper defines various types of dependencies, as well as constraints on dependencies, that insiders may use to infer unauthorized information. It introduces the constraint and dependency graph (CDG), which represents dependencies and constraints; in addition, the CDG shows the paths that insiders can follow to acquire unauthorized knowledge. Moreover, the paper presents the knowledge graph (KG), which captures an insider's knowledge base and the amount of information that the insider has about data items. To predict and prevent insider threat, the paper defines and uses the threat prediction graph (TPG). A TPG shows the threat prediction value (TPV) of each data item in an insider's KG, where the TPV is used to raise an alert when an insider threat occurs. The paper provides solutions to prevent insider threat without limiting the availability of data items. Algorithms, theorems, proofs and experiments are provided to show the soundness, completeness and effectiveness of the proposed approaches.

7.
ABSTRACT

Adversary threats to critical infrastructures have always existed during times of conflict, but threat scenarios now include peacetime attacks from anonymous computer hackers. Current events, including examples from Israel and Estonia, prove that a certain level of real-world disorder can be achieved from hostile data packets alone. The astonishing achievements of cyber crime and cyber espionage, to which law enforcement and counterintelligence have found little answer, hint that more serious cyber attacks on critical infrastructures are only a matter of time. Still, national security planners should address all threats with method and objectivity. As dependence on IT and the Internet grows, governments should make proportional investments in network security, incident response, technical training, and international collaboration.

8.

Wireless sensor networks (WSNs) will play a major role in future technologies in the development of the cyber-physical society. Studies show that WSNs are vulnerable to various insider attacks that may degrade their performance and affect the application services. Various intrusion detection system-based solutions have been proposed to secure WSNs from such attacks; however, these solutions have certain limitations with respect to completeness and evaluation. Recently, we proposed an intrusion detection framework to secure WSNs from insider attacks and proposed a protocol called LEACH++. In this paper, we perform a detailed security analysis of LEACH++ against black-hole, sink-hole and selective forwarding attacks by launching a number of attacks with different patterns. The results of our experiments performed in network simulator-2 show that the proposed scheme is highly efficient and achieves higher accuracy and detection rates with a very low false-positive rate when compared to an anomaly-based detection scheme.


9.
ABSTRACT

Extensive use of modern technologies with expanding connectivity has created high-risk threats requiring innovative strategies to counter them. In the literature, multiagent system planning has been used for threat avoidance, where agents are employed in all the identified attack paths to avert the threat. This paper presents the two-level optimal approach MASPTA-O, or Multiagent System Planning to Avoid Threats Optimally. The first level identifies the optimum number of threats to be mitigated using the Layered Threat Elimination model. At the second level, each identified threat is optimally mitigated by generating various mitigation plans using the Mitigation Plan Generation algorithm and selecting the minimum number of paths to avoid the threat. Agents are then inducted into this minimum number of attacker's paths to mitigate the threats. In the proposed work, a Master Agent has been introduced to continuously monitor the performance of the active agents for any abnormality and provide an alert signal to save the system from being compromised. An experimental study using the Java Agent Development Environment (JADE) has been conducted to test the proposed approach.

10.
Communication and Information Systems (CIS) now form the primary information store, exchange and data analysis for all modern militaries and are crucial to command and control. The ubiquitousness of CIS within the military not only means that there is a complete reliance on CIS, but also presents new avenues of attack by malicious insiders. Military sources say that the insider threat is their number one security concern. This paper presents a case study of the technical countermeasures and processes used to deter, detect and mitigate malicious insider threats that the author has researched, using non-classified anonymous interviews and the analysis of anonymised qualitative field data, within a specific military organisation. It is not the intention of the author that this paper be viewed as an analysis of the "current state of play" of threats and countermeasures that generically exist across all military and defence organisations; rather, it presents the technological and organisational processes utilised and challenges encountered at one organisation. A short discussion of the Computer Security Incident Response Team (CSIRT) structure adopted to successfully manage insider and other CIS security threats is presented, followed by a more detailed overview of existing and emerging technical efforts to deter, detect and mitigate such malicious insider threats within the military environment under study. Emphasis is on emerging technologies such as anomaly detection using real-time e-discovery, enterprise forensics and profiling users' "cyber" behaviour, and how these integrate into CSIRT technologies and processes. The technical advantages and challenges that such technologies present within a military alliance are discussed.
The success of such technologies in combating the current malicious insider threat environment is briefly compared with the challenges put forward in the "Research on mitigating the insider threat to information systems #2" workgroup, which took place in 2000 (Anderson et al., 2000). In closing, the author introduces the concept of Stateful Object Use Consequence Analysis as a way of managing the insider threat.

11.
With the widespread application of information technology and Internet technology in enterprises and organizations, enterprise security faces unprecedented challenges. Most enterprises face both external attacks and insider attacks by internal personnel. Owing to the lack of timely and effective detection methods, the damage that insider attacks cause to enterprises and organizations is, to some extent, more serious than that of external attacks. Within organizations and enterprises, the "person" is the actor who carries out destructive behaviour and is the main research object in insider threat detection. To address the low correlation between similar threats and the low detection efficiency of existing insider threat detection approaches that monitor each employee in complete isolation, this paper shifts the research focus from discovering motives to clustering and supervising similar users, takes the users within an organization as the research subject, and proposes a user attribute profiling method for insider threat detection. The method first defines a profile similarity calculation; then, starting from the user's temperament, personality, past experience, work status, setbacks encountered and other aspects, it integrates these factors using ontology theory and tag-based profiling; finally, an improved K-Means algorithm clusters users and manages them in groups, enabling joint supervision of potentially malicious users and reducing the likelihood that similar sabotage recurs. Experimental results demonstrate the feasibility of the proposed method, which offers ideas and techniques for organizations to prevent insider threats.

12.
ABSTRACT

Contemporary businesses face many new and unprecedented challenges including the threat of terrorism. The impact of a terrorist attack can undermine an organization's success and survival. A significant area of organizational vulnerability to acts of terrorism involves the information systems infrastructure of the organization. This article discusses the mission-critical expectations that corporate executives have for their information technology departments with respect to securing and protecting these essential resources.

13.
ABSTRACT

Digital watermarking for relational databases emerged as a candidate solution to provide copyright protection and tamper detection and to maintain the integrity of data. Sectors such as defense, finance, and human resources require reliable schemes, especially for data alteration and integrity checking. Many watermarking techniques have been proposed in the literature to address the above-mentioned problems, subject to their limitations on numeric attributes. However, these techniques do not yield satisfactory results in the case of small numeric values. To overcome these limitations, we have proposed a watermarking scheme in which the third most significant bit of numeric and non-numeric attributes is replaced with the watermark bit without loss of originality. The proposed scheme is intended to be suitable for the above-mentioned sectors, including commercial banks, where fraud and forgery cases are common.

14.
Identity management is based on the creation and management of user identities for granting access to cloud resources based on user attributes. Cloud identity and access management (IAM) grants end-users the authorization to perform different actions on the specified cloud resources. The authorizations in IAM are grouped into roles instead of being granted directly to the end-users. Due to the multiplicity of cloud locations where data resides and the lack of a centralized user authority for granting or denying cloud user requests, several security strategies and models are needed to overcome these issues. Another major concern in IAM services is excessive, or insufficient, access for different users with previously granted authorizations. This paper proposes a comprehensive review of security services and threats. Based on the presented services and threats, advanced frameworks for IAM are proposed that provide authentication mechanisms in public and private cloud platforms. A threat model has been applied to validate the proposed authentication frameworks against different security threats. The proposed models proved highly efficient in protecting cloud platforms from insider attacks, single sign-on failure, brute force attacks, denial of service, user privacy threats, and data privacy threats.

15.
It has gradually become widely accepted that insider attacks on networked information systems constitute a very dangerous security threat. However, in-depth research on insider attacks is relatively scarce. From the perspective of the users of network systems, rather than of the technology itself, this paper presents a graphical model of insider attacks, analyzes their causes, and gives a detailed and systematic discussion of several specific aspects of insider attacks.

16.
ABSTRACT

Organizations normally do not possess a way to communicate those needs back to the rest of the organization. This paper demonstrates that organizations are vigilant to activity within their environment, so this research project focuses on process improvement to better organizations through internal processes. Prior to this project, Company X was unable to communicate and address threats to its organization. Prior to this project, employees were not trained on security; however, each employee understood the norms and values of company processes on an individual level. Each employee was able to contribute details of security issues as they perceived them to build a comprehensive security model. This Security Working Group (SWG) project describes the steps necessary to create a self-educating, self-perpetuating process that spurs co-generative learning across an entire organization. Security training prepared each employee to be more attentive to risks of potential security issues. The result of this research shows that employees can detect threats in an organization with relatively little training.

17.
As network security technology is updated and iterated, new attack techniques keep increasing, and enterprises face the problem that unknown threats are difficult to identify. User and entity behavior analytics (UEBA) is an anomaly detection technique that identifies potential threat events in the behavior of users and entities, and it is widely used in tasks such as enterprise insider threat analysis and external intrusion detection. Modeling the behavior of users and entities and identifying risk points with machine learning methods can effectively solve the problem that unknown threats are hard to detect and strengthen enterprise network security defenses. This paper reviews the development of UEBA, focusing on the application of UEBA techniques in three areas: statistical learning, deep learning and reinforcement learning; it studies representative UEBA algorithms and compares their performance. It introduces four commonly used public datasets and feature engineering methods, and summarizes two feature processing approaches that improve the accuracy of behavior representation. On this basis, it sets out the advantages and disadvantages of typical anomaly detection algorithms, points out the limitations of insider threat analysis and external intrusion detection, and looks ahead to future directions for UEBA technology.

18.
ABSTRACT

Among many existing security threats, clickjacking attacks are among the least understood and one of the common emerging security threats on the Web. A clickjacking attack lures users into clicking on objects transparently placed in malicious Web pages, which may lead to unwanted operations on legitimate Websites without the knowledge of the users. In particular, victims can be tricked into clicking on objects from various Websites such as social networks (Facebook, Twitter), shopping (Amazon), and online banking. Therefore, clickjacking attacks need to be addressed to mitigate these unwanted consequences. To combat clickjacking attacks, it is necessary to understand how clickjacking attacks occur in the real world, along with the comparative performance of the state-of-the-art solutions.

In this article, we discuss various basic and advanced clickjacking attacks. We then discuss a number of client-, server-, and proxy-level approaches that can be employed to combat clickjacking attacks. We also highlight the advantages and disadvantages along with attack type coverage information. The findings should enable security practitioners to be aware of the most recent developments in this area and choose the appropriate defense mechanism based on their needs.

19.
Donald L. Adams, EDPACS, 2013, 47(11):9-11
Abstract

Peer-to-peer (P2P) applications have been one of the hottest things on the market for home users in the past few years. Unfortunately, there are many security risks associated with P2P programs, such as Kazaa and eDonkey. Even if a corporation has a policy against P2P applications, it is at an increased risk due to the popularity of such programs and abuse by employees and contractors. This report provides an overview of some of the common threats introduced by P2P applications.

20.
ABSTRACT

Over the past 20 years, software has evolved from monolithic, stove-piped applications to services that communicate with other distributed components over communications networks. The rise in popularity of Service-oriented Architecture (SOA) and web services has presented unique challenges for securely conveying the identity of end users at every point, especially when mashups, Web service composition and orchestration solutions combine multiple distributed components throughout a network, and where each component may need to know the identity of the end user. Over the past decade, many U.S. government projects have embraced SOA, have identified security risks with certain types of identity propagation, and have built solutions for mitigating the risks. This paper focuses on identity propagation in Web service transactions and describes how several early SOA-based projects utilized "transitive trust" approaches. We categorize the security risks found and describe how these projects minimized or mitigated the risks. Finally, we discuss approaches used in current projects and provide guidance for future implementations.
