An analytical framework for reasoning about intrusions

Upadhyaya, Shambhu; Chinchani, Ramkumar; Kwiat, Kevin

doi:10.1109/reldis.2001.969760

Cited by 15 publications

(12 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [14,15,16] the authors propose CIDS, a host-based concurrent intrusion detection scheme. The system is based on user work profiling [5].…”

Section: Background and Related Workmentioning

confidence: 99%

“…The basic scheme [16] described above is improved upon by the authors in a later work [14]. In particular, the authors adopt the notion of reasonableness check to address One drawback of this work is that the authors do not address the scenario when a user does not deviate in any manner from the SPRINT plan, but still is able to launch an attack.…”

Section: Background and Related Workmentioning

confidence: 99%

“…Our work uses the user-intent analysis approach proposed earlier by Upadhyaya et al [2,14,15,16]. Upadhyaya et al's approach consists of ensuring that during a particular session a user remains reasonably within the scope of a previously declared set of activities.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Using Attack Trees to Identify Malicious Attacks from Authorized Insiders

Ray

Poolsapassit

2005

Computer Security – ESORICS 2005

108

View full text Add to dashboard Cite

Abstract.A major concern for computer systems security is the threat from malicious insiders who execute perfectly legitimate operations to compromise system security. Unfortunately, most currently available intrusion detection systems (which include anomaly and misuse detection systems) fail to address this problem in a comprehensive manner. In this work we propose a framework that uses an attack tree to identify malicious activities from authorized insiders. We develop algorithms to generate minimal forms of attack tree customized for each user such that it can be used efficiently to monitor the user's activities. If the user's activities progress sufficiently up along the branches of the attack tree towards the goal of system compromise, we generate an alarm. Our system is not intended to replace existing intrusion detection and prevention technology, but rather is intended to complement current and future technology.

show abstract

“…In [14,15,16] the authors propose CIDS, a host-based concurrent intrusion detection scheme. The system is based on user work profiling [5].…”

Section: Background and Related Workmentioning

confidence: 99%

Section: Background and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Using Attack Trees to Identify Malicious Attacks from Authorized Insiders

Ray

Poolsapassit

2005

Computer Security – ESORICS 2005

108

View full text Add to dashboard Cite

show abstract

“…While some projects have addressed these dimensions individually, most research appears to be focused on cyber threat and cyber security. When semantics has been utilized, it is applied to describe the role-based access policy of an organization (RAND, 1999;Upadhyaya et al, 2001). In related work, a research project by Raskin et al (2002) aims to use a natural language-based ontology to scan texts for indicators of possible intellectual property leakage.…”

Section: Related Workmentioning

confidence: 99%

Semantic Analysis for Monitoring Insider Threats

Symonenko

Liddy

Yılmazel

et al. 2004

Intelligence and Security Informatics

View full text Add to dashboard Cite

Malicious insiders' difficult-to-detect activities pose serious threats to the intelligence community (IC) when these activities go undetected. A novel approach that integrates the results of social network analysis, role-based access monitoring, and semantic analysis of insiders' communications as evidence for evaluation by a risk assessor is being tested on an IC simulation. A semantic analysis, by our proven Natural Language Processing (NLP) system, of the insider's text-based communications produces conceptual representations that are clustered and compared on the expected vs. observed scope. The determined risk level produces an input to a risk analysis algorithm that is merged with outputs from the system's social network analysis and role-based monitoring modules.

show abstract

“…Probably the most often cited is the statistical approach used in NIDES [1]. More recently, many other approaches have been investigated as reported in [23], [19], [13], [11], [18], [24], and [20], to mention a few. In these approaches, different measures are monitored to model user behavior: frequencies and sequences of Unix shell commands or system calls, temporal parameters of user actions and temporal intervals between them, etc.…”

Section: Masquerader Detectionmentioning

confidence: 99%

Characteristics and Measures for Mobile-Masquerader Detection

Mazhelis

Puuronen

Security Management, Integrity, and Internal Control in Information Systems

View full text Add to dashboard Cite

Personal mobile devices, as mobile phones, smartphones, and communicators can be easily lost or stolen. Due to the functional abilities of these devices, their use by an unintended person may result in a severe security incident concerning private or corporate data and services. Organizations develop their security policy and mobilize preventive techniques against unauthorized use. Current solutions, however, are still breakable and there still exists strong need for means to detect user substitution when it happens. A crucial issue in designing such means is to define what measures to monitor. In this paper, an attempt is made to identify suitable characteristics and measures for mobile-user substitution detection. Our approach is based on the idea that aspects of user behavior and environment reflect user's personality in a recognizable way. The paper provides a tentative list of individual behavioral and environmental aspects, along with characteristics and measures to represent them.

show abstract

An analytical framework for reasoning about intrusions

Cited by 15 publications

References 5 publications

Using Attack Trees to Identify Malicious Attacks from Authorized Insiders

Using Attack Trees to Identify Malicious Attacks from Authorized Insiders

Semantic Analysis for Monitoring Insider Threats

Characteristics and Measures for Mobile-Masquerader Detection

Contact Info

Product

Resources

About