The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."         Thomas Mann, 1896

Insider Attack Detection Using Cyber Sensor Fusion

Author: Dennis H. McCallam
Contributed by: Northrop Grumman Information Technology


The Network is Never Quiet...

It’s about 3am and you couldn’t sleep, so you figured you might as well get an early start on the day. As the network manager, it is not unusual that you either can’t sleep or occasionally go in at about 3am. So, you decide to check the usage and anomaly reports and see if you can get ahead of the usual tidal wave of information that crosses your screen every day. You use your striped badge to open the outside door, pick up a soda and head straight for your office. The system has a robust firewall and a good password policy: alphanumeric, mixed-case, not-in-the-dictionary strings. Once again, tonight, you see that same marketing guy logged on. He must also be a night owl, since this makes three straight nights. And judging by the amount of email being sent this week, he must be close to making another huge sale. What you missed is that he is indeed being a night owl, but on a business trip to the West Coast. He’s not even in town. And it’s not really him that’s logged onto the network.

What is the Reality?

By any way you want to measure it, the number one threat to any information system is the insider attack. It is cited across the board, from government to military to business, as the top threat to any system, military or otherwise. So, where are we on the detection of attacks? Up until now the premise has been that adequate perimeter defenses can keep unauthorized users from entering the system through the IP connection. Usually sitting right behind the firewall is an intrusion detection system. But both of these entities look for the outsider trying to get in, not for the insider trying to cause a problem. Insider attacks transcend and redefine access control and intruder detection. Addressing the insider attack has been more of a post-mortem analysis conducted after the damage has been done.

The approach to defending a system from a perimeter standpoint does not adequately address internal system anomalies. The vast majority of available perimeter security tools are geared towards controlling unauthorized premises or logon access and, as such, do not look for or expect intentional insider intrusions. There are some commercially available security products that can be used, but these tend to consist of electronic entry mechanisms, user IDs/passwords, biometrics or access ID cards, and they are still only perimeter defenses.

The issue, and the challenge, is finding ways to decide, in real time, whether an insider attack is in progress.

What Are We Doing About It?

Northrop Grumman Information Technology has been investigating this issue and is developing data fusion concepts for real-time insider attack detection using selected cyber sensor fusion. There are many measures of system use that offer new and creative ways to profile system users. But, by themselves, these profilers cannot identify a given user with certainty.

At Northrop Grumman IT, we believe there are other available measurements that, when viewed in their entirety, can potentially declare an insider attack, and that this analysis can be performed in real time. Measures of user activity can be fused in real time with, for example, timecard, premises and other sensor authentication information that is available in real time, to augment the declaration process and add fidelity and certainty to the prediction. This implies that additional, empirical measures can be taken and used as “cyber evidence”.

The Concept of Cyber Sensor Fusion

By way of an example, consider an excessive amount of read-write cycle activity along with a high number of copy commands, all coming from a user workstation whose users have been profiled. This might generate an alert, but by itself it is not conclusive. The user, who normally only generates text files and is now accessing substantial graphics files, may be legitimately working on a presentation, so further filtering and checks are needed. This is where the fusion adds identification information.

Let’s add in three other sensors. These are three sensors you probably have available right now: the premises entry system, the timecard/attendance system and the network system logons. Now the other three systems are queried. It turns out that the premises entry system reports that the administrator is on site, and a record of which entry was used exists. The timecard system shows that the administrator is not currently on vacation, and the logon system shows that the administrator is currently on that workstation. Fusing this information shows that the administrator was most likely a legitimate user. But if, for example, the timecard system shows the administrator on vacation and premises entry has no record of entry, yet the logon system shows that the administrator is logged on, then an alert can be sounded with a fair degree of certainty. And most importantly, that alert can be sounded in real time.
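The two-stage logic described above, a workstation profiler whose out-of-range events are then fused with the premises, timecard and logon systems, written out as an added example. This is illustrative code, not code from the article or from Northrop Grumman IT. All sensor records are constructed, and the field names, the 3x-baseline profile threshold, the "travel" timecard status (which also covers the night-owl scenario from the opening) and the rule that two contradicting sensors raise an alert while one only flags the session for review are assumptions made here.

```python
"""Cyber sensor fusion for insider-attack detection (added illustration).

Not code from the article or from Northrop Grumman IT. Every sensor record is
constructed; field names, the 3x profile threshold and the two-contradiction
alert rule are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class WorkstationActivity:
    """Counters the host profiler collects for one user on one workstation."""
    user: str
    workstation: str
    rw_cycles: int            # read-write cycles in the observation window
    copy_commands: int        # copy commands in the window
    file_types: Set[str]      # kinds of files touched, e.g. {"txt", "pptx"}


@dataclass
class UserProfile:
    """Baseline for the user on that workstation (constructed values)."""
    typical_rw_cycles: int
    typical_copy_commands: int
    typical_file_types: Set[str]


@dataclass
class AuxiliarySensors:
    """The three sensors the article says you probably already have."""
    badge_entry: Optional[str]   # door recorded by premises entry, None if no entry
    timecard_status: str         # attendance system: "present", "vacation" or "travel"
    logged_on: bool              # network logon system: user is on this workstation


def activity_anomaly(act: WorkstationActivity, prof: UserProfile,
                     factor: float = 3.0) -> List[str]:
    """Stage 1, the profiler alone: reasons the activity is out of range, if any."""
    reasons = []
    if act.rw_cycles > factor * prof.typical_rw_cycles:
        reasons.append(f"rw_cycles {act.rw_cycles} > {factor}x baseline")
    if act.copy_commands > factor * prof.typical_copy_commands:
        reasons.append(f"copy_commands {act.copy_commands} > {factor}x baseline")
    new_types = act.file_types - prof.typical_file_types
    if new_types:
        reasons.append(f"unusual file types {sorted(new_types)}")
    return reasons


def fuse(act: WorkstationActivity, prof: UserProfile,
         aux: AuxiliarySensors) -> Tuple[str, List[str]]:
    """Stage 2: fuse the profiler with premises, timecard and logon sensors.

    Returns (verdict, evidence). The profiler anomaly is only a trigger; the
    verdict depends on how many independent sensors contradict the claim that
    the real user is physically present at that workstation.
    """
    reasons = activity_anomaly(act, prof)
    if not reasons:
        return "quiet", []
    if not aux.logged_on:
        # activity attributed to an account the logon system does not place here
        return "alert", reasons + ["logon: account not logged on to this workstation"]
    contradictions = []
    if aux.badge_entry is None:
        contradictions.append("premises: no entry recorded today")
    if aux.timecard_status != "present":
        contradictions.append(f"timecard: user marked {aux.timecard_status}")
    if len(contradictions) >= 2:
        return "alert", reasons + contradictions       # fair degree of certainty
    if contradictions:
        return "review", reasons + contradictions      # one sensor disagrees
    return "likely legitimate", reasons                # presence explains the anomaly


# Constructed scenarios matching the article's walk-through and its opening story.
BASELINE = UserProfile(typical_rw_cycles=200, typical_copy_commands=5,
                       typical_file_types={"txt", "docx"})
HEAVY_COPYING = WorkstationActivity("admin", "ws-17", rw_cycles=2400,
                                    copy_commands=60, file_types={"txt", "png", "jpg"})
NORMAL_DAY = WorkstationActivity("admin", "ws-17", rw_cycles=180,
                                 copy_commands=3, file_types={"txt"})
ON_SITE = AuxiliarySensors(badge_entry="east lobby", timecard_status="present", logged_on=True)
ON_VACATION = AuxiliarySensors(badge_entry=None, timecard_status="vacation", logged_on=True)
ON_TRIP = AuxiliarySensors(badge_entry=None, timecard_status="travel", logged_on=True)


def run_scenarios() -> dict:
    """Evaluate the constructed scenarios; returns {scenario name: verdict}."""
    return {
        "heavy copying, on site": fuse(HEAVY_COPYING, BASELINE, ON_SITE)[0],
        "heavy copying, on vacation": fuse(HEAVY_COPYING, BASELINE, ON_VACATION)[0],
        "heavy copying, on trip (3am night owl)": fuse(HEAVY_COPYING, BASELINE, ON_TRIP)[0],
        "normal day, on vacation": fuse(NORMAL_DAY, BASELINE, ON_VACATION)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40s} -> {verdict}")
```

Note the design choice the article implies: the auxiliary sensors are only queried once the profiler trips, so a logon during vacation with perfectly ordinary activity stays "quiet". A deployment that also wants to catch that case would gate on the presence contradictions alone; the point of the fusion step is that the three cheap sensors turn a noisy profiler alert into a verdict with enough certainty to act on in real time.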

What Can We Conclude?

Cyber sensor fusion will offer an additional level of real-time intrusion detection that is performance based. The concept offers a great deal of promise, not only as a unique approach to insider detection, but also in the transition of this technology into operational systems, primarily because the additional filtering components are commercially available and operationally accepted. By being able to distinguish between legitimate use of system resources and misuse, we can now maintain electronic fingerprints and relate those fingerprints to all users in the system. When those fingerprint events get out of range, the additional real-time checks are used to decide whether a “triggered response” is warranted.

Courses of action can now include a number of real-time choices: closing off the system to the intruder, gathering forensic evidence on the intruder and/or employing deception against the intruder.
