Insider abuse comprehension through capability acquisition graphs
- Resource Type
- Conference
- Authors
- Mathew, Sunu; Upadhyaya, Shambhu; Ha, Duc; Ngo, Hung Q.
- Source
- 2008 11th International Conference on Information Fusion Information Fusion, 2008 11th International Conference on. :1-8 Jun, 2008
- Subject
- Communication, Networking and Broadcast Technologies
Computing and Processing
Signal Processing and Analysis
Components, Circuits, Devices and Systems
Security
Analytical models
Sensors
Electronic mail
Databases
Fires
Electric potential
Capability Acquisition Graph
Insider threat
Situation awareness
- Language
Insider attacks constitute one of the most potent, yet difficult to detect threats to information security in the cyber-domain. Malicious actions perpetrated by privileged insiders usually circumvent intrusion detection systems (IDS) and other mechanisms designed to detect and prevent unauthorized activity. In this paper, we present an architectural framework and technique to aid in situation awareness of insider threats in a networked computing environment such as a corporate network. Individual actions by users are analyzed using a theoretical model called a Capability Acquisition Graph (CAG) to evaluate their cumulative effect and detect possible violations. Our approach is based on periodic evaluation of the privileges that users accumulate with respect to critical information assets during their workflow. A static analysis tool called Information-Centric Modeler and Auditor Program (ICMAP) is used to periodically construct CAGs which are then analyzed to uncover possible attacks. The process is demonstrated by considering an information process cycle from the real-world.