Dynamical System approach to insider threat detection

2011 IEEE International Systems Conference Pub Date : 2011-04-04 DOI:10.1109/SYSCON.2011.5929116

Nitin Kanaskar, J. Bian, R. Seker, Mais Nijim, N. Yilmazer

{"title":"Dynamical System approach to insider threat detection","authors":"Nitin Kanaskar, J. Bian, R. Seker, Mais Nijim, N. Yilmazer","doi":"10.1109/SYSCON.2011.5929116","DOIUrl":null,"url":null,"abstract":"Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.","PeriodicalId":109868,"journal":{"name":"2011 IEEE International Systems Conference","volume":"30 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-04-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 IEEE International Systems Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SYSCON.2011.5929116","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

查看原文本刊更多论文

内部威胁检测的动态系统方法

内部攻击有可能对组织的声誉、知识产权和金融资产造成严重损害。外部入侵和内部入侵的主要区别在于，内部人员掌握信息系统资源、环境和政策的知识。我们将动力系统理论应用于内部人员的计算机使用模式，提出了一种检测内部人员异常行为的方法。这是因为异常的系统使用模式是实际执行攻击的必要前兆之一。通过应用动力系统理论方法，建立了内部人员系统使用模式的基本轮廓。对内部系统的使用情况进行持续监测，并将其与基本配置文件进行比较，以确定相当大的偏差。从应用程序系统调用的角度收集和分析了一个示例系统使用情况，并给出了分析的图形结果。我们的研究结果表明，动态系统理论具有在实际攻击执行之前检测可疑内部行为的潜力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2011 IEEE International Systems Conference

自引率

0.00%

发文量