Molehunt: near-line semantic activity tracing

Abstract

This paper discusses threats posed by low granularity in access to confidential (classified) data typically found at lower protection levels, namely direct access beyond need to know and the correlation of materials yielding more sensitive aggregate data by both insider threats and malware, an area of particular concern for intelligence analysis. It is argued that while active security controls at both the procedural and technical level are currently not pragmatically feasible, near-line semantic monitoring particularly at the file system but also at the network level can provide capabilities to detect anomalous and also directed malicious activity. A mechanism for implementing the tracing and monitoring mechanism on an COTS operating system is described.