TY - JOUR
T1 - Knowing Who to Watch
T2 - identifying attackers whose actions are hidden within false alarms and background noise
AU - Chivers, Howard Robert
AU - Clark, John Andrew
AU - Nobles, Philip
AU - Rabaiotti, JR
AU - Chen, H
N1 - This extended journal paper was invited to the special edition of the journal.
PY - 2010/9/23
Y1 - 2010/9/23
N2 - Insider attacks are often subtle and slow, or preceded by behavioural indicators such as organizational rule-breaking, which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioural indicators, document access logs and financial records, in addition to events identified by network monitoring.
AB - Insider attacks are often subtle and slow, or preceded by behavioural indicators such as organizational rule-breaking, which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioural indicators, document access logs and financial records, in addition to events identified by network monitoring.
UR - http://www.scopus.com/inward/record.url?scp=84874817369&partnerID=8YFLogxK
U2 - 10.1007/s10796-010-9268-7
DO - 10.1007/s10796-010-9268-7
M3 - Article
SN - 1387-3326
VL - 15
SP - 17
EP - 34
JO - Information Systems Frontiers
JF - Information Systems Frontiers
IS - 1
ER -