Insider Attack Detection Using Cyber Sensor Fusion
The Network is Never Quiet...
It's about 3am and you couldn't sleep, so you figured you might as well get an early start on the day. As the network manager, it is not unusual for you to either lose sleep or go in at about 3am. So you decide to check the usage and anomaly reports and see if you can get ahead of the usual tidal wave of information that crosses your screen every day. You use your striped badge to open the outside door, pick up a soda and head straight for your office. The system has a robust firewall and a good password policy: alphanumeric, mixed-case strings that are not in any dictionary. Once again tonight you see that same marketing guy logged on. He must also be a night owl, since this makes three straight nights, and judging by the amount of email being sent this week, he must be close to making another huge sale. What you missed is that he is indeed being a night owl, but on a business trip to the West Coast. He's not even in town. And it's not really him that's logged onto the network.
What is the Reality?
By any measure, the number one threat to any information system is the insider attack; it is cited across the board, from government to military to business, for any system, military or otherwise. So where are we on the detection of attacks? Up until now the premise has been that adequate perimeter defenses can keep unauthorized users from entering the system through the IP connection. Usually sitting right behind the firewall is an intrusion detection system. But both of these look for the outsider trying to get in, not for the insider trying to cause a problem. Insider attacks transcend and redefine access control and intrusion detection. Addressing the insider attack has mostly been a post-mortem analysis conducted after the damage has been done.
Defending a system from a perimeter standpoint does not adequately address internal system anomalies. The vast majority of available perimeter security tools are geared towards controlling unauthorized premises or logon access and, as such, do not look for or expect intentional insider intrusions. There are some commercially available security products that can be used, but these tend to consist of electronic entry mechanisms, user ID/passwords, biometrics or access ID cards, and are still only perimeter defenses.
The issue, and the challenge, is finding a way to decide, in real time, whether an insider attack is in progress.
What Are We Doing About It?
Northrop Grumman Information Technology has been investigating this issue and is developing data fusion concepts for real-time insider attack detection using selected cyber sensor fusion. There are many measures of system use that offer new and creative ways to profile system users. But by themselves these profilers cannot identify a given user with certainty.
At Northrop Grumman IT, we believe that other measurements are available which, when viewed together, can declare an insider attack, and that the analysis can be performed in real time. Measures of user activity can be fused in real time with, for example, timecard, premises-entry and other sensor and authentication information that is already available, to augment the declaration and add fidelity and certainty to the prediction. In other words, additional, empirical measures can be taken and used as "cyber evidence".
Concept of Cyber Sensor Fusion
By way of example, consider an excessive amount of read-write activity along with a high number of copy commands, all coming from a workstation whose users have been profiled. This might generate an alert, but by itself it is not conclusive: the user, who normally only generates text files and is now accessing substantial graphics files, may legitimately be working on a presentation, so further filtering and checks are needed. This is where fusion adds identification information. Let's add three other sensors, ones you probably have available right now: the premises entry system, the timecard/attendance system and the network logon system. When the alert fires, the other three systems are queried about the workstation's profiled user (in this example, an administrator). Suppose the premises entry system reports that the administrator is on site and records which entry was used, the timecard system shows that the administrator is not currently on vacation, and the logon system shows that the administrator is currently logged on to that workstation. Fusing this information shows that the activity is most likely legitimate. If instead the timecard system shows the administrator on vacation and the premises entry system has no record of entry, but the logon system shows the administrator logged on, then an alert can be sounded with a fair degree of certainty. And most importantly, it can be sounded in real time.
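The fusion step described above, written out as an added example for this page (it is not Northrop Grumman's code). The record layouts, field names, the 10x-baseline trigger, the 14-hour on-site window and all sample records are assumed; the logic is the page's: the profiler anomaly is only a trigger, and the alert strength comes from how many of the three corroborating sensors contradict the claim that the profiled user is at the workstation.

```python
"""Fuse a workstation-activity anomaly with premises-entry, timecard and logon
records to score a suspected insider attack.  Illustrative code written for this
page; the record layouts, field names, weights and sample data are all assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sensor feeds (not real logs).
# Profiler samples: (time, workstation, user, copy commands, MB read) per 5-minute slot
ACTIVITY = [
    ("2024-03-05 02:55", "WS-ADMIN-07", "jsmith", 1, 12),
    ("2024-03-05 03:00", "WS-ADMIN-07", "jsmith", 95, 1800),
    ("2024-03-05 03:05", "WS-ADMIN-07", "jsmith", 140, 2200),
]
PREMISES = [("2024-03-04 08:02", "jsmith", "east-lobby")]          # badge-in events
TIMECARD = {"jsmith": "vacation"}                                  # attendance status today
LOGONS = [("2024-03-05 02:50", "jsmith", "WS-ADMIN-07", "logon")]  # session events
BASELINE = {"jsmith": {"copies": 5, "mb_read": 60}}               # per-slot norms from the profiler

ANOMALY_FACTOR = 10                   # trip when a metric exceeds 10x baseline (assumed)
ACTIVITY_WINDOW = timedelta(minutes=15)
ON_SITE_WINDOW = timedelta(hours=14)  # a badge-in older than this no longer implies presence (assumed)


@dataclass
class Assessment:
    alert: bool
    confidence: str                # "none", "low", "medium" or "high"
    evidence: list = field(default_factory=list)


def activity_anomaly(user, workstation, now, activity=ACTIVITY, baseline=BASELINE):
    """The trigger: recent profiler samples summed against the user's baseline."""
    recent = [a for a in activity if a[1] == workstation and a[2] == user
              and now - ACTIVITY_WINDOW <= ts(a[0]) <= now]
    slots = max(len(recent), 1)
    copies, mb = sum(a[3] for a in recent), sum(a[4] for a in recent)
    base = baseline.get(user, {"copies": 1, "mb_read": 1})
    hit = (copies > ANOMALY_FACTOR * base["copies"] * slots
           or mb > ANOMALY_FACTOR * base["mb_read"] * slots)
    return hit, f"{copies} copies / {mb} MB read in {len(recent)} samples"


def fuse(user, workstation, now, activity=ACTIVITY, premises=PREMISES,
         timecard=TIMECARD, logons=LOGONS):
    """Query the three corroborating sensors only once the trigger fires and
    count how many of them contradict the claim that `user` is at `workstation`."""
    hit, detail = activity_anomaly(user, workstation, now, activity)
    if not hit:
        return Assessment(False, "none", [f"activity within profile: {detail}"])
    evidence = [f"activity anomaly on {workstation}: {detail}"]
    contradictions = 0

    # Sensor 1: premises entry. Did the user badge in recently enough to be here?
    on_site = any(p[1] == user and now - ON_SITE_WINDOW <= ts(p[0]) <= now for p in premises)
    if on_site:
        evidence.append("premises: badge-in on record")
    else:
        contradictions += 1
        evidence.append("premises: no badge-in within the on-site window")

    # Sensor 2: timecard / attendance.
    status = timecard.get(user, "unknown")
    if status in ("vacation", "absent"):
        contradictions += 1
    evidence.append(f"timecard: user marked {status}")

    # Sensor 3: network logon system. Is there a live session for this user here?
    events = [e for e in logons if e[1] == user and e[2] == workstation and ts(e[0]) <= now]
    logged_on = bool(events) and max(events, key=lambda e: ts(e[0]))[3] == "logon"
    if logged_on:
        evidence.append("logon: session active for this user on the workstation")
    else:
        contradictions += 1
        evidence.append("logon: activity attributed to a user with no live session here")

    confidence = ("low", "medium", "high", "high")[contradictions]
    return Assessment(contradictions > 0, confidence, evidence)


if __name__ == "__main__":
    result = fuse("jsmith", "WS-ADMIN-07", ts("2024-03-05 03:06"))
    print("ALERT" if result.alert else "no alert", result.confidence)
    for line in result.evidence:
        print("  -", line)
```

With the constructed records (user on vacation, last badge-in the previous morning, but a live session on the workstation) the fusion returns a high-confidence alert, while the same activity with a fresh badge-in and a "present" timecard drops to a low-confidence "monitor" result. One caveat for a real deployment: the legitimately travelling user in the opening story, connecting remotely, would also show no badge-in, so a remote-access feed (VPN concentrator logons) belongs in the sensor set before the premises contradiction is weighted this heavily.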
What Can We Conclude?
Cyber sensor fusion offers an additional, performance-based level of real-time intrusion detection. The concept holds a great deal of promise, not only as a unique approach to insider detection but also for transitioning the technology into operational systems, primarily because the additional filtering components are commercially available and operationally accepted. By distinguishing legitimate use of system resources from misuse, we can maintain electronic fingerprints and relate them to every user in the system. When those fingerprint events go out of range, the additional real-time checks decide whether a "triggered response" is warranted.
Courses of action can now include a number of real-time choices: closing off the system to the intruder, gathering forensic evidence on the intruder and/or employing deception against the intruder.