Defeating the insider threat via autonomic network capabilities

Faisal M. Sibai, D. Menascé
Published in: 2011 Third International Conference on Communication Systems and Networks (COMSNETS 2011)
Publication date: 2011-02-17
DOI: https://doi.org/10.1109/COMSNETS.2011.5716431
Citations: 20

Abstract

There has been a constantly growing security concern about insider attacks on network-accessible computer systems. Users with power credentials can do almost anything they want with the systems they own, with very little control or oversight. Most breaches by power users today are considered legitimate access and not necessarily intrusions. Developing a solution for such a problem is challenging because power users need flexible requirements to administer or maintain their systems. The increased usage of virtual environments, virtual systems, teleworking, and remote usage has made network access the preferred method for system administration. This paper presents (1) the Autonomic Violation Prevention System (AVPS), a framework that provides a solution to this problem and meets the above-mentioned challenges, and (2) a proof-of-concept prototype that embeds self-protection capabilities into traditional Network Intrusion Prevention Systems (NIPS). AVPS focuses on self-protection against security policy violations instead of malware, vulnerability, or exploit intrusions. AVPS heavily enforces separation of duties and promotes scalability, ease of use, and manageability. The proof-of-concept prototype uses Snort in-line NIPS with our own customizations.