Issue No.06 - November/December (2009 vol.7)
pp: 22-29
Brian Bowen , Columbia University, New York
Malek Ben Salem , Columbia University, New York City
Shlomo Hershkop , Columbia University, New York
Angelos Keromytis , Columbia University, New York City
Salvatore Stolfo , Columbia University, New York City
ABSTRACT
Insider attacks—that is, attacks by users with privileged knowledge about a system—are a growing problem for many organizations. To address this threat, the authors propose a design for insider threat detection that combines an array of complementary techniques that aim to detect evasive adversaries. The authors' work-in-progress combines host-based user event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. They identify several challenges in scaling up, deploying, and validating this architecture in real environments.
INDEX TERMS
insider attacks, network sensors, decoys, host-based sensors
CITATION
Brian Bowen, Malek Ben Salem, Shlomo Hershkop, Angelos Keromytis, Salvatore Stolfo, "Designing Host and Network Sensors to Mitigate the Insider Threat", IEEE Security & Privacy, vol.7, no. 6, pp. 22-29, November/December 2009, doi:10.1109/MSP.2009.109