Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Undesirable Insider Behavior Joseph A. Calandrino* Princeton University Steven J. McKinney* North Carolina State University Frederick T. Sheldon.

Published byTerence McLaughlin Modified over 8 years ago

Similar presentations

Presentation on theme: "Detecting Undesirable Insider Behavior Joseph A. Calandrino* Princeton University Steven J. McKinney* North Carolina State University Frederick T. Sheldon."— Presentation transcript:

1 Detecting Undesirable Insider Behavior Joseph A. Calandrino* Princeton University Steven J. McKinney* North Carolina State University Frederick T. Sheldon Oak Ridge National Laboratory May 15, 2007 *This research was performed during an internship at ORNL

2 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY An Example  Enters false data  Receives promotions, bonuses, control  Financial impact: $500 million "[A bank] employee gained control over data after performing several preparatory actions, such as eliminating some monitoring... or convincing... personnel to take deliberately corrupted data from his... computer instead [of] from the official Reuters terminal." -From Anderson et al., 2004

3 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Insider Threats...  Result in ~29% of attacks against organizations (US Secret Service et al., 2004)‏  Can devastate an organization  Fundamentally differ previously addressed threats  May come from model employees  Are more than technical threats

4 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Undesirable Insider Behavior  Organizations and insiders  Insiders vs. outsiders  Undesirable insider behavior  Fuzziness of threat  Unexpected threats  Need to assist administrators

5 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Roadmap  Existing work  Our contributions  Mining approach  Evaluation  Discussion  Conclusion and Future Work

6 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Existing Work  Insider threat characterization  Intrusion detection  Machine learning / data mining  Statistical deviation (Anderson et al., 1995)‏  Real-time IDS (Lee et al., 1998; Lee et al., 2001)‏  MINDS (Ertöz et al., 2004; Chandola et al., 2006)‏

7 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Our Contributions  Designed a system to:  Monitor insider system and network activity  Perform rule-based (or other static) analysis  Mine compiled behavior for anomalies  Implemented the system

8 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Data Mining Component Role  Periodically extracts aggregate data  Analyzes data to isolate points of interest  Identifies novel threats  Generates new rules (future work)‏

9 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Characteristic Derivation  Daily data analysis  Per-user data  System-level events alone… for now  Seven characteristics (file accesses, hosts, logins)‏  Normalization using historical SD

10 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Mining Approach  Similar to MINDS (implementation differs):  Map data to vector space  Compute local outlier factor (Breunig et al., 2000)‏  “Neighborhood” outlier metric  Euclidean distance – not mandatory  Derive additional hints for administrators

11 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Local Outlier Factor Image Reproduced from Breunig et al. (2000)‏

12 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Local Outlier Factor Image Reproduced from Breunig et al. (2000)‏

13 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY LOF Scores  Could report to administrator  Supervisors may be preferable  Supervisors are most familiar with day-to-day tasks  Supervisors may be less technically literate  Consider impact of characteristics on outlier factor

14 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Evaluation  Generated 28 Days of artificial data  Presume patterns  No activity on weekends until final weekend day  Activity comes from distribution on weekdays  Is real behavior like this?

15 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Test Data  Graphically (scaled):

16 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Results Insufficient Data First Weekend Added Anomaly ??

17 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Results  What’s wrong?

18 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Results  Why guess? Look at hints for 2/17, 2/23…

19 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Discussion  Caught added anomaly  What about the four others?  All were “anomalous”  Hints allowed rapid analysis  Depend on parameters, administrator focus

20 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Conclusions  Insider threat – important problem  Data mining – helpful technique  New tool – promising results  TODO list – long

21 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Future Work  Additional aspects and characteristics  Issues: drift, deja vu  Better test data  Rule extraction

22 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY Thank You  Questions? Calandrino and McKinney performed this research while under appointment to the Department of Homeland Security (DHS) Scholarship and Fellowship Program, administered by the Oak Ridge Institute for Science and Education (ORISE) through an interagency agreement between the U.S. Department of Energy (DOE) and DHS. ORISE is managed by Oak Ridge Associated Universities (ORAU) under DOE contract number DE-AC05-06OR23100. All opinions expressed in this paper are the authors’ and do not necessarily reflect the policies and views of DHS, DOE, or ORAU/ORISE.

Download ppt "Detecting Undesirable Insider Behavior Joseph A. Calandrino* Princeton University Steven J. McKinney* North Carolina State University Frederick T. Sheldon."

Similar presentations

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.
A Feedback and Continuous Improvement Tool to ACE Audit Readiness Keith S. Joy Quality Manager September 14, 2004.

A Feedback and Continuous Improvement Tool to ACE Audit Readiness Keith S. Joy Quality Manager September 14, 2004.
Weigh-in-Motion User Manual for WIM Integrated System Cindy Lopez City University of New York-York College Research Alliance in Math and Science (RAMS)

Weigh-in-Motion User Manual for WIM Integrated System Cindy Lopez City University of New York-York College Research Alliance in Math and Science (RAMS)
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy Jason Franklin and Vern Paxson.

Understanding Botnets: How Massive Internet Break-Ins Fuel an Underground Economy Jason Franklin and Vern Paxson.
High Power Hg Target Conceptual Design Review Hg Jet Nozzle Analysis M. W. Wendel Oak Ridge National Laboratory February 7-8, 2005.

High Power Hg Target Conceptual Design Review Hg Jet Nozzle Analysis M. W. Wendel Oak Ridge National Laboratory February 7-8, 2005.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY 1 Identifying Regulatory Transcriptional Elements on Functional Gene Groups Using Computer-

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY 1 Identifying Regulatory Transcriptional Elements on Functional Gene Groups Using Computer-
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY Cluster Computing Applications Project Parallelizing BLAST Research Alliance of Minorities.

O AK R IDGE N ATIONAL L ABORATORY U.S. D EPARTMENT OF E NERGY Cluster Computing Applications Project Parallelizing BLAST Research Alliance of Minorities.
seminar on Intrusion detection system

seminar on Intrusion detection system
Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar Aneela Laeeq
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.
LLNL-PRES-671957 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

LLNL-PRES This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.
Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

Scientific Computing Department Faculty of Computer and Information Sciences Ain Shams University Supervised By: Mohammad F. Tolba Mohammad S. Abdel-Wahab.

Similar presentations

Ads by Google