Issue No.03 - May/June (2012 vol.9)
pp: 414-428
Amir Harel , Ben Gurion University of the Negev, Beer-Sheva
Asaf Shabtai , Ben Gurion University of the Negev, Beer-Sheva
Lior Rokach , Ben Gurion University of the Negev, Beer-Sheva
Yuval Elovici , Ben Gurion University of the Negev, Beer-Sheva
ABSTRACT
Detecting and preventing data leakage and data misuse poses a serious challenge for organizations, especially when dealing with insiders who hold legitimate permissions to access the organization's systems and its critical data. In this paper, we present a new concept, Misuseability Weight, for estimating the risk emanating from data exposed to insiders. The concept assigns a score that represents the sensitivity level of the data exposed to the user, and thereby predicts the user's ability to maliciously exploit that data. We then propose a new measure, the M-score, which assigns a misuseability weight to tabular data, discuss some of its properties, and demonstrate its usefulness in several leakage scenarios. One of the main challenges in applying the M-score measure is acquiring the required knowledge from a domain expert. Therefore, we present and evaluate two approaches toward eliciting misuseability conceptions from the domain expert.
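The abstract describes the idea of scoring a table exposed to an insider by how sensitive and how exploitable its contents are. The following is an added, simplified illustration of that idea written for this page; it is not the paper's M-score definition (which the page does not reproduce) and not code from the authors. The rows, the attribute sensitivity weights standing in for expert-elicited knowledge, the quasi-identifier columns, and the way the per-record terms are combined are all constructed assumptions chosen to show two properties a practitioner would expect of such a measure: a uniquely identifying, highly sensitive record weighs more than the same data blended into a crowd, and projecting away identifying columns lowers the weight of an extract.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample extract (hypothetical), as an insider might export from a CRM.
ROWS: List[Dict[str, str]] = [
    {"zip": "10001", "age": "34", "plan": "premium", "balance": "high"},
    {"zip": "10001", "age": "34", "plan": "basic",   "balance": "low"},
    {"zip": "10001", "age": "34", "plan": "basic",   "balance": "low"},
    {"zip": "94105", "age": "51", "plan": "premium", "balance": "high"},
]

# Hypothetical expert-elicited sensitivity of each sensitive attribute value, in [0, 1].
# A real deployment would obtain these from a domain expert; they are invented here.
SENSITIVITY: Dict[str, Dict[str, float]] = {
    "plan":    {"basic": 0.1, "premium": 0.5},
    "balance": {"low": 0.2, "high": 0.8},
}

# Columns assumed to act as quasi-identifiers (can single out a person when combined).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("zip", "age")


def record_sensitivity(row: Dict[str, str]) -> float:
    """Combine the sensitivities of the sensitive attributes present in a row.

    Uses a noisy-OR: the row is as sensitive as the chance that at least one of its
    sensitive values is damaging. Missing attributes contribute nothing.
    """
    p_harmless = 1.0
    for attr, table in SENSITIVITY.items():
        if attr in row:
            p_harmless *= 1.0 - table.get(row[attr], 0.0)
    return 1.0 - p_harmless


def distinguishability(rows: Sequence[Dict[str, str]],
                       qi: Sequence[str] = QUASI_IDENTIFIERS) -> List[float]:
    """Per-row 1/k, where k is the number of rows sharing the same quasi-identifier tuple.

    A row that is unique on its quasi-identifiers (k = 1) can be tied to one person;
    a row that blends into a group of k looks like k-anonymous data from the insider's view.
    Columns absent from the extract simply do not appear in the tuple.
    """
    keys = [tuple(r.get(a) for a in qi if a in r) for r in rows]
    groups = Counter(keys)
    return [1.0 / groups[k] for k in keys]


def misuseability_weight(rows: Sequence[Dict[str, str]],
                         qi: Sequence[str] = QUASI_IDENTIFIERS) -> float:
    """Toy misuseability weight of an exposed table: sum over rows of
    sensitivity x distinguishability. Grows with volume, with sensitivity, and with
    how easily each row can be pinned to an individual. (Illustrative only; not the M-score.)
    """
    if not rows:
        return 0.0
    sens = [record_sensitivity(r) for r in rows]
    dist = distinguishability(rows, qi)
    return sum(s * d for s, d in zip(sens, dist))


def project(rows: Sequence[Dict[str, str]], drop: Sequence[str]) -> List[Dict[str, str]]:
    """Simulate a narrower query that omits the given columns."""
    return [{k: v for k, v in r.items() if k not in drop} for r in rows]


def leakage_scenarios() -> Dict[str, float]:
    """Weight of several hypothetical exposures of the same underlying data."""
    return {
        "full_extract":        misuseability_weight(ROWS),
        "without_identifiers": misuseability_weight(project(ROWS, QUASI_IDENTIFIERS)),
        "single_unique_row":   misuseability_weight([ROWS[3]]),
        "nothing":             misuseability_weight([]),
    }


if __name__ == "__main__":
    for name, w in leakage_scenarios().items():
        print(f"{name:22s} {w:.3f}")
```

With the constructed weights, the full extract scores highest because one premium/high-balance customer is unique on zip and age; dropping the quasi-identifier columns leaves the same sensitive values but spreads them over an indistinguishable group of four, so the weight falls below that of the single unique row. Those orderings, not the absolute numbers, are what a measure of this kind is meant to capture.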
INDEX TERMS
Data leakage, data misuse, security measures, misuseability weight.
CITATION
Amir Harel, Asaf Shabtai, Lior Rokach, Yuval Elovici, "M-Score: A Misuseability Weight Measure", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 3, pp. 414-428, May/June 2012, doi:10.1109/TDSC.2012.17