Ferret Workflow Anomaly Detection System
Abstract
The Ferret workflow anomaly detection system project (2003-2004) has provided validation and anomaly detection in accredited workflows in secure knowledge management systems through the use of continuous, automated audits. A workflow, process, or procedure is the set of steps that need to be completed to accomplish a goal. Anomaly detection is the determination that a condition departs from the expected. The baseline behavior from which the anomaly is measured is usually derived via statistical sampling or through a reference specification. Ferret uses an accredited workflow specification to determine baseline behavior. An audit is an independent review of records and activities to assess the adequacy of system controls and to ensure compliance with established policies and procedures. Ferret has attempted to address three key security problems in complex secure systems. First, Ferret has placed a single audit event into the larger workflow context in which it occurs, and has tracked the progress of the workflow to completion. Second, Ferret has provided a mid-level security policy language that fills some of the gap between high-level, human-language-oriented policies and low-level, computer-oriented policies. Lastly, Ferret has attempted to mitigate the insider threat, that is, activity from authorized users who have abused their legitimate authority, through the corroboration of audit events.
Document Details
- Document Type: Technical Report
- Publication Date: Feb 28, 2005
- Accession Number: ADA430829
Entities
People
- Stephany Bryant
- Timothy J. Smith