PANDDE:基于来源的数据泄露异常检测

Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy Pub Date : 2016-03-09 DOI:10.1145/2857705.2857710

Daren Fadolalkarim, Asmaa Sallam, E. Bertino

{"title":"PANDDE:基于来源的数据泄露异常检测","authors":"Daren Fadolalkarim, Asmaa Sallam, E. Bertino","doi":"10.1145/2857705.2857710","DOIUrl":null,"url":null,"abstract":"Preventing data exfiltration by insiders is a challenging process since insiders are users that have access permissions to the data. Existing mechanisms focus on tracking users' activities while they are connected to the database, and are unable to detect anomalous actions that the users perform on the data once they gain access to it. Being able to detect anomalous actions on the data is critical as these actions are often sign of attempts to misuse data. In this paper, we propose an approach to detect anomalous actions executed on data returned to the users from a database. The approach has been implemented as part of the Provenance-based ANomaly Detection of Data Exfiltration (PANDDE) tool. PANDDE leverages data provenance information captured at the operating system level. Such information is then used to create profiles of users' actions on the data once retrieved from the database. The profiles indicate actions that are consistent with the tasks of the users. Actions recorded in the profiles include data printing, emailing, and storage. Profiles are then used at run-time to detect anomalous actions.","PeriodicalId":377412,"journal":{"name":"Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy","volume":"22 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-03-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"PANDDE: Provenance-based ANomaly Detection of Data Exfiltration\",\"authors\":\"Daren Fadolalkarim, Asmaa Sallam, E. Bertino\",\"doi\":\"10.1145/2857705.2857710\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Preventing data exfiltration by insiders is a challenging process since insiders are users that have access permissions to the data. Existing mechanisms focus on tracking users' activities while they are connected to the database, and are unable to detect anomalous actions that the users perform on the data once they gain access to it. Being able to detect anomalous actions on the data is critical as these actions are often sign of attempts to misuse data. In this paper, we propose an approach to detect anomalous actions executed on data returned to the users from a database. The approach has been implemented as part of the Provenance-based ANomaly Detection of Data Exfiltration (PANDDE) tool. PANDDE leverages data provenance information captured at the operating system level. Such information is then used to create profiles of users' actions on the data once retrieved from the database. The profiles indicate actions that are consistent with the tasks of the users. Actions recorded in the profiles include data printing, emailing, and storage. Profiles are then used at run-time to detect anomalous actions.\",\"PeriodicalId\":377412,\"journal\":{\"name\":\"Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy\",\"volume\":\"22 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-03-09\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2857705.2857710\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2857705.2857710","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

摘要

防止内部人员泄露数据是一个具有挑战性的过程，因为内部人员是对数据具有访问权限的用户。现有机制侧重于在用户连接到数据库时跟踪用户的活动，并且无法检测用户在获得访问权限后对数据执行的异常操作。能够检测数据上的异常操作是至关重要的，因为这些操作通常是试图滥用数据的迹象。在本文中，我们提出了一种检测从数据库返回给用户的数据执行的异常操作的方法。该方法已作为基于来源的数据泄露异常检测(PANDDE)工具的一部分实现。PANDDE利用在操作系统级别捕获的数据来源信息。然后使用这些信息创建用户对从数据库中检索到的数据的操作的概要文件。概要文件指示与用户任务一致的操作。记录在配置文件中的操作包括数据打印、电子邮件和存储。然后在运行时使用配置文件来检测异常操作。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

PANDDE: Provenance-based ANomaly Detection of Data Exfiltration

Preventing data exfiltration by insiders is a challenging process since insiders are users that have access permissions to the data. Existing mechanisms focus on tracking users' activities while they are connected to the database, and are unable to detect anomalous actions that the users perform on the data once they gain access to it. Being able to detect anomalous actions on the data is critical as these actions are often sign of attempts to misuse data. In this paper, we propose an approach to detect anomalous actions executed on data returned to the users from a database. The approach has been implemented as part of the Provenance-based ANomaly Detection of Data Exfiltration (PANDDE) tool. PANDDE leverages data provenance information captured at the operating system level. Such information is then used to create profiles of users' actions on the data once retrieved from the database. The profiles indicate actions that are consistent with the tasks of the users. Actions recorded in the profiles include data printing, emailing, and storage. Profiles are then used at run-time to detect anomalous actions.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy

自引率

0.00%

发文量