Towards a Theory of Insider Threat Assessment

Chinchani, Ramkumar; Iyer, Anand; Ngo, Hung Q.; Upadhyaya, Shambhu

doi:10.1109/dsn.2005.94

Cited by 89 publications

(68 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…generalize this technique to generate all possible attack paths, thereby generating the entire attack graph [10]. Chinchani et al [3] present a variant of attack graphs called key-challenge graphs to represent insider attacks, and use model-checking to generate all possible insider attacks in a network. Insider attacks have been modeled at the operating system level by Probst et al [4].…”

Section: Functionmentioning

confidence: 99%

“…Before defending against insider attacks, we need a model for reasoning about insiders. Previous work has modeled insider attacks at the network and operating system (OS) levels using higher-level formalisms such as attack graphs [3] and process calculi [4], However, modeling application-level insider attacks requires 1 analysis o f the application's code as an insider has access to the application and can hence launch attacks on the application's implementation. Higher-level models are too coarse grained to enable reasoning about attacks that can be launched at the application code level.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Discovering Application-Level Insider Attacks Using Symbolic Execution

Pattabiraman

Nakka

Kalbarczyk

et al. 2009

Emerging Challenges for Security, Privacy and Trust

View full text Add to dashboard Cite

show abstract

Section: Functionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Discovering Application-Level Insider Attacks Using Symbolic Execution

Pattabiraman

Nakka

Kalbarczyk

et al. 2009

Emerging Challenges for Security, Privacy and Trust

View full text Add to dashboard Cite

show abstract

“…From the user's point of view, CAGs are more intuitive than attack graphs because they closely resemble the input network topology [5]. Although originally developed for insider threat modeling, CAGs are capable of modeling vulnerability-exploited privilege escalation, similar to attack graphs.…”

Section: Please Use the Following Format When Citing This Chaptermentioning

confidence: 99%

“…Capability acquisition graphs (CAGs) (formerly known as key challenge graphs (KCGs)) have been proposed as a modeling technique for insider threat analysis [4,5]. From the user's point of view, CAGs are more intuitive than attack graphs because they closely resemble the input network topology [5].…”

Section: Please Use the Following Format When Citing This Chaptermentioning

confidence: 99%

See 1 more Smart Citation

Insider Threat Analysis Using Information-Centric Modeling

Ha¹,

Upadhyaya

Ngo

et al.

IFIP — The International Federation for Information Processing

Self Cite

View full text Add to dashboard Cite

Capability acquisition graphs (CAGs) provide a powerful framework for modeling insider threats, network attacks and system vulnerabilities. However, CAG-based security modeling systems have yet to be deployed in practice. This paper demonstrates the feasibility of applying CAGs to insider threat analysis. In particular, it describes the design and operation of an information-centric, graphics-oriented tool called ICMAP. ICMAP enables an analyst without any theoretical background to apply CAGs to answer security questions about vulnerabilities and likely attack scenarios, as well as to monitor network nodes. This functionality makes the tool very useful for attack attribution and forensics.Keyv^ords: Insider threats, capability acquisition graphs, key challenge graphs IntroductionA comprehensive model is required for understanding, reducing and preventing enterprise network attacks, and for identifying and combating system vulnerabihties and insider threats. Attacks on enterprise networks are often complex, involving multiple sites, multiple stages and the exploitation of various vulnerabilities. As a consequence, security analysts must consider massive amounts of information about network topology, system configurations, software vulnerabilities, and even social information. Integrating and analyzing all this information is an overwhelming task.A security analyst has to determine how best to represent individual components and interactions when developing a model of a computing environment. Depending on the environment and task at hand, the analyst may deal with network traffic data [15]

show abstract

Attack modelling and security evaluation based on stochastic activity networks

Sedaghatbaf

Azgomi

2013

Security Comm. Networks

View full text Add to dashboard Cite

An appropriate model of attacker behaviour is a key requirement for quantitative security evaluation. Motivated by the fact that attacker behaviour is affected by some social factors such as monetary costs and benefits rather than merely the technical aspects of the target system, we proposed an attack modelling approach based on a hierarchical and coloured extension of stochastic activity networks (HCSANs). This approach is called HCSAN-based attack modelling. By using this approach, multistage attacks can be modelled following the attack tree paradigm. Also, attacker behaviour can be modelled as a strategic decision-making process that accounts for the following factors affecting the attacker's decisions: (1) the goals of attack; (2) the cost and risk associated with available strategies; and (3) the target system's possible responses. Furthermore, we put forward an analytic solution method to measure security attributes (i.e. confidentiality, integrity and availability) and estimated two important quantitative security measures, which are the mean time to security failure and attack success probability. Additionally, we introduce a parametric sensitivity analysis method, which can be used to determine the sensitivity of the evaluated measures to different model parameters and optimize the model accordingly. Finally, we demonstrated how this approach can be used for survivability enhancement of the system using a well-known risk assessment process.

show abstract

Towards a Theory of Insider Threat Assessment

Cited by 89 publications

References 12 publications

Discovering Application-Level Insider Attacks Using Symbolic Execution

Discovering Application-Level Insider Attacks Using Symbolic Execution

Insider Threat Analysis Using Information-Centric Modeling

Attack modelling and security evaluation based on stochastic activity networks

Contact Info

Product

Resources

About