Usage Monitoring and Insider Threats - overview
Attacks such as the leakage, theft, or malicious modification of highly sensitive data by authorized insiders are not the result of shortcomings in access control systems: typically the attackers are fully authorized to access the content. The problem is rather one of detecting anomalous access by authorized users, since access cannot be denied outright. Existing solutions such as mandatory access control, which was designed to prevent such attacks, do not work in practice: they often require rigid, difficult-to-define rules and assume complete control of the system. A more promising approach is to learn and model what constitutes normal access behavior so that possible deviations can be discovered. The key challenge is false positives, since each alert raised consumes investigative resources, which are very limited.
In this project, we aim to detect the theft, leakage, or illegal modification of data by a malicious authorized insider. We are mainly concerned with detection mechanisms based on the cyber-observables of such malicious activity. The activity may take the form of a compromised user's credentials being stolen and abused by malware, or of a malicious insider abusing their privileges and internal knowledge. We are also investigating the detection of infiltration and of collusion among multiple users through social networks and other communication channels.
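The following is an added illustration, not code from the project described above, of the approach the overview favors: build a per-user baseline of normal access behavior from an access log, score new events by how far they deviate from that baseline, and rank alerts so that scarce investigative effort goes to the most surprising events first. The log format (user, resource, hour of day), the sample records and the ground-truth labels are all constructed for this example; the scoring is a simple smoothed negative log-likelihood over the user's own resource and time-of-day histograms, chosen here for clarity rather than taken from the project. The `evaluate` function shows the false-positive trade-off the overview calls the key challenge: lowering the alert threshold catches the same two anomalous events but starts flagging a benign late-night access as well.

```python
import math
from collections import Counter, defaultdict

# Constructed sample access log (user, resource, hour_of_day) for one training period.
# Assumed format; a real deployment would parse file-server, database or EDR audit records.
TRAINING_LOG = (
    [("alice", "hr/payroll.xlsx", h) for h in (9, 10, 11, 14, 15, 16)] * 4
    + [("alice", "hr/benefits.docx", h) for h in (9, 13, 17)] * 4
    + [("bob", "eng/design.pdf", h) for h in (8, 9, 10, 13, 14, 18)] * 4
    + [("bob", "eng/source.tar", h) for h in (10, 11, 15)] * 4
)

# Constructed evaluation events with ground-truth labels (True = anomalous).
EVAL_EVENTS = [
    ("alice", "hr/payroll.xlsx", 10, False),   # routine
    ("alice", "hr/benefits.docx", 13, False),  # routine
    ("bob", "eng/design.pdf", 9, False),       # routine
    ("bob", "eng/source.tar", 15, False),      # routine
    ("alice", "hr/payroll.xlsx", 20, False),   # late, but her own data: benign overtime
    ("bob", "hr/payroll.xlsx", 3, True),       # engineer reading HR data at 03:00
    ("alice", "eng/source.tar", 2, True),      # HR user pulling engineering source at night
]

HOUR_BUCKET = 4   # group hours into 6 buckets of 4h so sparse histories still generalise
ALPHA = 1.0       # Laplace smoothing: unseen values get a small, non-zero probability


def build_profiles(log):
    """Per-user histograms of resources touched and time-of-day buckets."""
    profiles = defaultdict(lambda: {"res": Counter(), "hrs": Counter(), "n": 0})
    for user, resource, hour in log:
        p = profiles[user]
        p["res"][resource] += 1
        p["hrs"][hour // HOUR_BUCKET] += 1
        p["n"] += 1
    return profiles


def surprise(profiles, user, resource, hour, n_resources):
    """Negative log-likelihood of an event under the user's own baseline.

    Higher means the event deviates more from that user's normal behaviour.
    A user with no history falls back to uniform probabilities via smoothing.
    """
    p = profiles[user]
    n_buckets = 24 // HOUR_BUCKET
    pr_res = (p["res"][resource] + ALPHA) / (p["n"] + ALPHA * n_resources)
    pr_hr = (p["hrs"][hour // HOUR_BUCKET] + ALPHA) / (p["n"] + ALPHA * n_buckets)
    return -math.log(pr_res) - math.log(pr_hr)


def rank_events(log=TRAINING_LOG, events=EVAL_EVENTS):
    """Score every event and return (score, user, resource, hour), most surprising first."""
    profiles = build_profiles(log)
    n_resources = len({r for _, r, _ in log})
    scored = [(surprise(profiles, u, r, h, n_resources), u, r, h) for u, r, h, _ in events]
    return sorted(scored, reverse=True)


def evaluate(threshold, log=TRAINING_LOG, events=EVAL_EVENTS):
    """Return (true_positives, false_positives, missed) for a given alert threshold."""
    profiles = build_profiles(log)
    n_resources = len({r for _, r, _ in log})
    tp = fp = fn = 0
    for user, resource, hour, is_bad in events:
        alerted = surprise(profiles, user, resource, hour, n_resources) >= threshold
        if alerted and is_bad:
            tp += 1
        elif alerted and not is_bad:
            fp += 1
        elif not alerted and is_bad:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    for score, user, resource, hour in rank_events():
        print(f"{score:5.2f}  {user:6s} {resource:18s} {hour:02d}:00")
    for t in (8.0, 6.0, 4.0):
        tp, fp, fn = evaluate(t)
        print(f"threshold {t}: detected={tp} false_positives={fp} missed={fn}")
```

With the constructed data, a threshold of 6.0 raises exactly the two cross-department night-time accesses; dropping it to 4.0 also flags alice's late access to her own payroll file, which is the kind of alert that burns an analyst's time, and raising it to 8.0 misses both real anomalies. In practice the threshold is tuned against the investigation capacity available, and richer features (volume read, destination, peer-group behaviour) replace the two histograms used here.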