Difference between revisions of "Detecting Threatening Insiders with Lightweight Media Forensics"

From Simson Garfinkel

Revision as of 05:02, 7 April 2014

This research uses machine learning and outlier analysis to detect potentially hostile insiders through the automated analysis of stored data on cell phones, laptops, and desktop computers belonging to members of an organization. Whereas other systems look for specific signatures associated with hostile insider activity, our system is based on the creation of a “storage profile” for each user and then an automated analysis of all the storage profiles in the organization, with the purpose of finding storage outliers.

Our hypothesis is that malicious insiders will have specific data and concentrations of data that differ from their colleagues and coworkers. By exploiting these differences, we can identify potentially hostile insiders.

Our system is based on a combination of existing open source computer forensic tools and data-mining algorithms. We modify these tools to perform a “lightweight” analysis based on statistical sampling over time, which makes our approach both efficient and privacy sensitive. As a result, we can detect not just individuals that differ from their co-workers, but also insiders that differ from their historic norms. Accordingly, we should be able to detect insiders that have been “turned” by events or outside organizations. We should also be able to detect insider accounts that have been taken over by outsiders.
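The two comparisons described above (a user against colleagues, and a user against their own history) can be sketched as follows. This is an added illustration, not the project's code: the page does not specify its algorithm, so the median/MAD outlier test, the data-type labels, the thresholds and all sample values are assumptions.

```python
from collections import Counter
from statistics import median

def storage_profile(block_labels):
    """Fraction of sampled blocks per data type (labels are assumed classifier output)."""
    counts = Counter(block_labels)
    return {label: n / len(block_labels) for label, n in counts.items()}

def robust_z(value, population, mad_floor=0.01):
    """Modified z-score (median/MAD), so the outlier itself cannot mask the baseline."""
    med = median(population)
    mad = max(median([abs(x - med) for x in population]), mad_floor)
    return 0.6745 * (value - med) / mad  # 0.6745 scales MAD to a standard deviation

def flag_features(current, baseline, threshold=3.5):
    """Features of `current` that deviate strongly from a list of baseline profiles."""
    features = set(current).union(*baseline)
    z = {f: robust_z(current.get(f, 0.0), [p.get(f, 0.0) for p in baseline]) for f in features}
    return sorted(f for f in features if abs(z[f]) > threshold)

def peer_outliers(profiles):
    """Compare every user with all colleagues; return only users with flagged features."""
    result = {}
    for user, profile in profiles.items():
        others = [p for u, p in profiles.items() if u != user]
        flagged = flag_features(profile, others)
        if flagged:
            result[user] = flagged
    return result

# Constructed sample data: fraction of sampled storage per data type, per user.
PEERS = {
    "alice": {"text": 0.40, "office": 0.35, "jpeg": 0.20, "encrypted": 0.05},
    "bob":   {"text": 0.42, "office": 0.33, "jpeg": 0.21, "encrypted": 0.04},
    "carol": {"text": 0.38, "office": 0.36, "jpeg": 0.20, "encrypted": 0.06},
    "dave":  {"text": 0.41, "office": 0.34, "jpeg": 0.19, "encrypted": 0.06},
    "erin":  {"text": 0.20, "office": 0.15, "jpeg": 0.20, "encrypted": 0.45},
}
# Constructed history for one user over earlier sampling rounds, then the latest round.
DAVE_HISTORY = [
    {"text": 0.41, "office": 0.34, "jpeg": 0.19, "encrypted": 0.06},
    {"text": 0.40, "office": 0.35, "jpeg": 0.19, "encrypted": 0.06},
    {"text": 0.42, "office": 0.33, "jpeg": 0.20, "encrypted": 0.05},
]
DAVE_NOW = {"text": 0.38, "office": 0.31, "jpeg": 0.19, "encrypted": 0.12}

if __name__ == "__main__":
    print("peer outliers:", peer_outliers(PEERS))
    print("drift from own history:", flag_features(DAVE_NOW, DAVE_HISTORY))
```

The `mad_floor` keeps a tightly clustered baseline from turning a one-percentage-point difference into an alert; a flagged feature is a lead for review, not a finding.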

Project Status

Our project, now in its second year, is a three-year project funded by the Department of Homeland Security, Science and Technology Directorate, Cyber Security Division.

Publications and Presentations

  1. Garfinkel, Simson, Nicole Beebe, Lishu Liu, and Michele Maasberg, Detecting Threatening Insiders with Lightweight Media Forensics (slides), IEEE Technologies for Homeland Security (HST 2013), Nov 12-14, Waltham, MA. 2013
  2. Beebe, N.L.; Maddox, L.A.; Lishu Liu; Minghe Sun, "Sceadan: Using Concatenated N-Gram Vectors for Improved File and Data Type Classification," IEEE Transactions on Information Forensics and Security, vol. 8, no. 9, pp. 1519-1530, Sept. 2013
  3. Beebe, Nicole, SCEADAN v1.0: Systematic Classification Engine and Data ANalysis, DFRWS 2012 Challenge Winner, June 2012

Technology

Our system is based in part on:

  • bulk_extractor, a high-speed feature extractor
  • grr (Google's Rapid Response), an Incident Response Framework
  • SCEADAN, Systematic Classification Engine And Data ANalysis, a file fragment type classifier

Team

PIs
  • Simson Garfinkel, Associate Professor, Naval Postgraduate School, Arlington, VA
  • Nicole Beebe, Assistant Professor, University of Texas at San Antonio
Staff
  • Lishu Liu, Research Software Developer, The University of Texas at San Antonio

Acknowledgements and Disclaimers

  • This publication results from research supported by the Naval Postgraduate School Assistance Grant/Agreement No. N00244-13-1-0027 awarded by the NAVSUP Fleet Logistics Center San Diego (NAVSUP FLC San Diego). The views expressed in written materials or publications, and/or made by speakers, moderators, and presenters, do not necessarily reflect the official policies of the Naval Postgraduate School nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
  • This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division (DHS S&T/HSARPA/CSD) via BAA 11-02, and the Department of National Defence of Canada, Defence Research and Development Canada (DRDC).
  • The views expressed in this work are those of the authors and do not necessarily reflect the official policy or position of the Naval Postgraduate School; the Department of the Navy; the Department of Defense; the Department of Homeland Security; the U.S. Government; or the Department of National Defence of Canada, Defence Research and Development Canada (DRDC).