Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection
Abstract
Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user's workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests.
Document Details
- Document Type
- Technical Report
- Publication Date
- Jun 14, 2012
- Accession Number
- ADA562792
Entities
People
- Martin H. Crawford
Organizations
- Air Force Institute of Technology