Insider Threat Detection Using Virtual Machine Introspection

Crawford, Martin; Peterson, Gilbert L.

doi:10.1109/hicss.2013.278

Cited by 10 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Legg et al [138] analyzed and explored device usage features using PCA, and Aditham et al [139] used a semi-supervised approach to investigate the multiple features of memory access. For insider threat detection, Crawford and Peterson [140], Meng et al [141], and Chiu et al [142] used a methodology that is dependent on scanning the memory of running virtual machines, a Bayesian inference-based trust mechanism, and a frequent pattern outlier factor, respectively. The works [143][144][145][146][147] highlighted correlation coefficient methods and kernel density estimation (KDE) to determine CPU usage, a medium access layer MAC based solution, design science research to detect USB usage, a fuzzy multi-criteria aggregation method, and the hidden Markov model (HMM) and Baum-Welch algorithm to model resource misuse, respectively.…”

Section: Cyber Activity Behaviormentioning

confidence: 99%

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

et al. 2020

View full text Add to dashboard Cite

Insider threat has become a widely accepted issue and one of the major challenges in cybersecurity. This phenomenon indicates that threats require special detection systems, methods, and tools, which entail the ability to facilitate accurate and fast detection of a malicious insider. Several studies on insider threat detection and related areas in dealing with this issue have been proposed. Various studies aimed to deepen the conceptual understanding of insider threats. However, there are many limitations, such as a lack of real cases, biases in making conclusions, which are a major concern and remain unclear, and the lack of a study that surveys insider threats from many different perspectives and focuses on the theoretical, technical, and statistical aspects of insider threats. The survey aims to present a taxonomy of contemporary insider types, access, level, motivation, insider profiling, effect security property, and methods used by attackers to conduct attacks and a review of notable recent works on insider threat detection, which covers the analyzed behaviors, machine-learning techniques, dataset, detection methodology, and evaluation metrics. Several real cases of insider threats have been analyzed to provide statistical information about insiders. In addition, this survey highlights the challenges faced by other researchers and provides recommendations to minimize obstacles.

show abstract

Section: Cyber Activity Behaviormentioning

confidence: 99%

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

et al. 2020

View full text Add to dashboard Cite

show abstract

“…In addition, some of the related insider threats such as an unresolved alarms threat, misconfiguration threat and incorrect setting threat [35] also can be the cause to interruption between the machines itself [46]. Additionally, insiders also might technically attempt to disable monitoring machine before being able to disrupt or shut down or undertaking the machine used on their workstation [47]. For example, the insider wants to take over a machine that containing binary information from MPLC (C).…”

Section: Framework Of Automated Manufacturing Execution Systemmentioning

confidence: 99%

An Insider Threat Categorization Framework for Automated Manufacturing Execution System

Mohammad

Yassin

Ahmad

et al. 2019

IJIES

View full text Add to dashboard Cite

Insider threats become one of the most dangerous threats in the cyber world as compared to outsider as the insiders have knowledge of assets. In addition, the threats itself considered in-visible and no one can predict what, when and how exactly the threat launched. Based on conducting literature, threat in Automated Manufacturing Execution Systems (AMESs) can be divided into three principle factors. Moreover, there is no standard framework to be referring which exist nowadays to categorize such factors in order to identify insider threats possible features. Therefore, from the conducted literature a standard theoretical categorization of insider threats framework for AMESs has been proposed. Hence, three principle factors, i.e. Human, Systems and Machine have considered as major categorization of insider threats. Consequently, the possible features for each factor identified based on previous researcher recommendations. Therefore, via identifying possible features and categorize it into principle factors or groups, a standard framework could be derived. These frameworks will contribute more benefit specifically in the manufacturing field as a reference to mitigate an insider threat. Keywords—automated manufacturing execution systems insider threats, factors and features, insider threat categorization framework.

show abstract

“…VMI emerges as a feasible method to provide insight into a VM [7], so it can acquire evidence with less contamination. VMI can be carried out basically by two methods as depicted in Fig.…”

Section: Virtualization and Vmimentioning

confidence: 99%

A Digital Forensic Framework for Cloud Based on VMI

Yang¹,

Ren²,

Bai³

et al. 2017

dtcse

View full text Add to dashboard Cite

Abstract. Traditional digital forensic methods become exceedingly feeble in cloud due to the fact that the basic infrastructure turns to virtualized environment. Leveraging properties of virtualization, virtual machine introspection has showed potential for cloud forensic. In this paper, we propose a novel framework, which contains a trustworthy independent agency, to provide memory digital forensic analysis (DFA) for virtual machines (VMs) in cloud. With the assistance of cloud platform, memory dump files can be obtained and transferred to the agency for further DFA, where information of VMs can be extracted using the proper tools. We described the constructional design of the framework. Test results showed the versatility of DFA and ability of malware detection. The framework indicates DFA can be purchased as a service only when there is a need in order to reduce the expenditures on maintaining exclusive facility and furnish standard procedure to multiple cloud platforms.

show abstract

Insider Threat Detection Using Virtual Machine Introspection

Cited by 10 publications

References 11 publications

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations

An Insider Threat Categorization Framework for Automated Manufacturing Execution System

A Digital Forensic Framework for Cloud Based on VMI

Contact Info

Product

Resources

About