File Profiling for Insider Threats
Abstract
The goal of this project was to demonstrate that insider misbehavior can be detected by careful examination of users' file access characteristics. Our thesis was that ordinary user behavior is characterized by patterns of file access that are recognizably different from those exhibited by an insider attempting to gain improper privileges or making improper use of the privileges he already holds. As a proof of concept, we did not propose to build a deployable system, but to examine the idea carefully enough to determine whether it was feasible.

This research project has successfully demonstrated that a user's file access behavior can be analyzed to determine when he stops behaving properly and starts engaging in suspicious activity. The performance cost of gathering the data is acceptable: over a period of two years, we received no complaints about system slowness. (On previous projects where the experimental system was not sufficiently fast, our local users were never reluctant to complain about the impact of testing on their work.) The amount of data we gathered was vast, but a real system need not keep all of it; it could probably reduce batches of traced records to model data frequently. Further, some of the data we traced has so far given us no advantage in detecting insider threats, so a real system would not need to gather it.

Demonstrating that our methods work in an experimental environment and making them work in a real environment are two different problems. We have addressed only the first; more research and development would be necessary to deal with the second.
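The abstract describes two ideas without showing them: reducing a batch of raw file-access trace records to compact per-user model data, and then judging new accesses against that model to notice when a user's pattern changes. The following is an added illustration of that approach, not code from the report or from UCLA; the trace record format (user, operation, path, result), the directory-level grouping and the scoring rule are assumptions chosen for the example, and the trace records are constructed.

```python
"""Per-user file-access profiling: reduce trace records to a compact model,
then score new records against it.  Added example; the record format, the
grouping by directory and the scoring weights are assumptions, not the
report's method."""
from collections import Counter, defaultdict
import os

# Constructed baseline trace records: (user, operation, path, result).
# "denied" marks an access the operating system refused.
BASELINE = [
    ("alice", "read",  "/home/alice/notes.txt", "ok"),
    ("alice", "write", "/home/alice/notes.txt", "ok"),
    ("alice", "read",  "/home/alice/src/main.c", "ok"),
    ("alice", "read",  "/usr/share/doc/README", "ok"),
    ("alice", "read",  "/home/alice/src/util.c", "ok"),
    ("alice", "write", "/home/alice/src/util.c", "ok"),
    ("bob",   "read",  "/home/bob/report.doc", "ok"),
    ("bob",   "write", "/home/bob/report.doc", "ok"),
    ("bob",   "read",  "/home/bob/budget.xls", "ok"),
]


def reduce_to_model(records):
    """Collapse a batch of raw records into model data per user: how often
    each (operation, directory) pair was seen, plus denied and total counts.
    The raw batch can be discarded once this summary exists, which is the
    kind of reduction the abstract suggests a real system would do often."""
    model = defaultdict(lambda: {"pairs": Counter(), "denied": 0, "total": 0})
    for user, op, path, result in records:
        m = model[user]
        m["pairs"][(op, os.path.dirname(path))] += 1
        m["total"] += 1
        if result == "denied":
            m["denied"] += 1
    return model


def score_record(model, record):
    """Score one new record against the user's profile; higher is more
    suspicious.  Assumed rule: an (operation, directory) pair never seen for
    this user scores 1, a write to a directory the user had only read scores
    an extra 1, a denied access scores 2, and an unknown user scores 3."""
    user, op, path, result = record
    m = model.get(user)       # .get() does not create a default entry
    if m is None:
        return 3
    d = os.path.dirname(path)
    score = 0
    if (op, d) not in m["pairs"]:
        score += 1
        if op == "write" and ("read", d) in m["pairs"]:
            score += 1
    if result == "denied":
        score += 2
    return score


def flag_suspicious(model, records, threshold=2):
    """Return the records whose score reaches the threshold."""
    return [r for r in records if score_record(model, r) >= threshold]


# Constructed records arriving after the baseline was built.
NEW_RECORDS = [
    ("alice", "read",  "/home/alice/src/main.c", "ok"),       # normal
    ("alice", "read",  "/home/bob/budget.xls", "denied"),     # probing
    ("alice", "write", "/usr/share/doc/README", "ok"),        # new write
    ("bob",   "read",  "/etc/shadow", "denied"),              # probing
    ("carol", "read",  "/home/carol/todo.txt", "ok"),         # no profile
]

if __name__ == "__main__":
    model = reduce_to_model(BASELINE)
    for rec in NEW_RECORDS:
        print(score_record(model, rec), rec)
    print(flag_suspicious(model, NEW_RECORDS))
```

The denied-access weight reflects the abstract's "attempting to gain improper privileges" case: an insider feeling out what he can reach tends to leave permission failures that a legitimate user does not. A deployment would replace the hand-picked weights with rates learned from the baseline and would age the model so that a genuine change of duties does not stay flagged forever.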
Document Details
- Document Type
- Technical Report
- Publication Date
- Feb 01, 2002
- Accession Number
- ADA405498
Entities
People
- Peter Reiher
Organizations
- University of California, Los Angeles