Designing Host and Network Sensors to Mitigate the Insider Threat

Bowen, Brian M.; Salem, Malek Ben; Hershkop, Shlomo; Keromytis, Angelos D.; Stolfo, Salvatore J.

doi:10.1109/msp.2009.109

Cited by 47 publications

(31 citation statements)

References 7 publications

(3 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…For instance, regarding the SMTP traffic, we plan to increase the number and diversity of the innocuous email messages that we currently use, and also create new variations based on message templates. Some of the messages could also contain "bait" documents [10] that would ping back to our system in case someone opened them. We can also use some of the techniques described by Bowen et al [9] to generate even more realistic decoy traffic.…”

Section: Decoy Traffic Credibilitymentioning

confidence: 99%

“…These systems, widely known as honeypots [25,30], have no production value other than being compromised, and subsequently track the actions of the attacker. Honeypots have been extensively used for modeling, logging, and analyzing attacks originating from sources external to an organization [17,36], as well as internal attacks launched from within its perimeter [10].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Traffic Snooping in Tor Using Decoys

Chakravarty

Portokalidis

Polychronakis

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Anonymous communication networks like Tor partially protect the confidentiality of their users' traffic by encrypting all intraoverlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-toend encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.

show abstract

Section: Decoy Traffic Credibilitymentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Detecting Traffic Snooping in Tor Using Decoys

Chakravarty

Portokalidis

Polychronakis

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Indeed in many cases, formal security policies are incomplete and implicit or they are purposely ignored in order to get business goals accomplished. Even most recent studies estimate that no mechanism exists to prevent insider abuse [11]. According to [12], there seems to be little design and technology available to address the insider threat problem.…”

Section: Risks Related With Treatment Process and Data Analysis: The mentioning

confidence: 99%

Reduce Threats in Competitive Intelligence System: A Generic Information Fusion Access Control Model

Haddadi

Hatim

Dousset³

et al. 2011

IJDMS

View full text Add to dashboard Cite

Information fusion is a cornerstone of competitive intelligence activity that aims at supporting decision making by collecting, analyzing and disseminating information. This information comes from heterogeneous data sources. In this paper we present an approach of access control. This approach is focused both on the information that must be bring to decision-makers and the privacy of individuals whose data is used to extract this information. This model is based on the standard "Role Based Access Control" (RBAC) and is implemented within the entire life cycle of Xplor Every Where (Web service of Tetralogie), it follows methodologies tailored to design privacy-aware systems to be compliant with data protection regulations.

show abstract

“…., 100. It is observed that the bulks of the self 2 Note that such sequences are not by any means actual attacks. However, our emphasis here is not on the consequences of the adversary's actions in a real setting, but rather on the assumpion that attacks are anomalous events which nonetheless might be conveniently camouflaged to avoid detection.…”

Section: ) Attack Generationmentioning

confidence: 99%

“…Research on this area has been in place for the last 20 years and, to some extent, has proliferated lately (see e.g. [33], [3], [2], [7] for a few examples of recently reported research initiatives).…”

Section: Introductionmentioning

confidence: 99%

Information-Theoretic Detection of Masquerade Mimicry Attacks

Tapiador

Clark

2010

2010 Fourth International Conference on Network and System Security

View full text Add to dashboard Cite

Abstract-In a masquerade attack, an adversary who has stolen a legitimate user's credentials attempts to impersonate him to carry out malicious actions. Automatic detection of such attacks is often undertaken constructing models of normal behaviour of each user and then measuring significant departures from them. One potential vulnerability of this approach is that anomaly detection algorithms are generally susceptible of being deceived. In this paper, we first investigate how a resourceful masquerader can successfully evade detection while still accomplishing his goals. We then propose an algorithm based on the Kullback-Leibler divergence which attempts to identify if a sufficiently anomalous attack is present within an apparently normal request. Our experimental results indicate that the proposed scheme achieves considerably better detection quality than adversarial-unaware approaches.

show abstract

Designing Host and Network Sensors to Mitigate the Insider Threat

Cited by 47 publications

References 7 publications

Detecting Traffic Snooping in Tor Using Decoys

Detecting Traffic Snooping in Tor Using Decoys

Reduce Threats in Competitive Intelligence System: A Generic Information Fusion Access Control Model

Information-Theoretic Detection of Masquerade Mimicry Attacks

Contact Info

Product

Resources

About