
    An Insider Misuse Threat Detection and Prediction Language

    Numerous studies indicate that, amongst the various types of security threats, insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental one is the level of trust legitimate users possess inside the organization: that trust makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty is the variability of the problem, since the nature of insider IT misuse varies amongst organizations. Hence, expressing what constitutes a threat, as well as detecting and predicting it, are non-trivial tasks that add to the multi-factorial nature of insider IT misuse. This thesis is concerned with systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics forms a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as a means of aiding researchers and IT system experts to mitigate the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the insider IT misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions, needs that cannot be met by traditional open source audit utilities. ITPSL is an XML-based markup that standardizes the description of incidents and threats and thus makes use of the LUARM audit data. Its novelty lies in the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to date by a domain specific language addressing threats. The research project evaluated the produced language using a cyber-misuse experiment approach derived from real-world misuse incident data. The results showed that ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language in this direction are suggested.
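    As an added illustration (not code from the thesis, and not ITPSL or LUARM syntax, whose schemas this listing does not give), the following Python sketch shows the two ideas the abstract combines: user actions kept as rows in a relational audit table, and a declarative XML signature evaluated against those rows, where a complete in-order match is a detection and a matched prefix is a prediction that the sequence is under way. The table layout, the signature vocabulary, the window rule and the audit rows are all assumptions constructed for this example.

```python
"""Detect and predict a multi-step insider-misuse signature over a relational
audit table.  Added example: the audit rows, the XML signature vocabulary and
the matching rule are this example's own assumptions, not LUARM or ITPSL."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed audit rows in the spirit of a per-user action log:
# (user, ts_seconds, app, action, target)
AUDIT_ROWS = [
    ("alice", 100, "bash",    "exec", "/usr/bin/find"),
    ("alice", 160, "bash",    "exec", "/usr/bin/tar"),
    ("alice", 200, "tar",     "read", "/srv/hr/payroll.csv"),
    ("alice", 260, "scp",     "net",  "203.0.113.7:22"),
    ("bob",   100, "vim",     "read", "/home/bob/notes.txt"),
    ("bob",   400, "tar",     "read", "/srv/hr/payroll.csv"),
    ("carol", 120, "firefox", "net",  "198.51.100.3:443"),
]

# Hypothetical signature (assumed vocabulary): ordered steps, each an
# (app, action, SQL LIKE pattern on target), which must all occur for the
# same user, in order, within `window` seconds of the first step.
SIGNATURE_XML = """
<signature name="staging_and_exfil" window="600">
  <step app="tar" action="read" target="/srv/hr/%"/>
  <step app="scp" action="net"  target="%"/>
</signature>
"""


def load_audit(rows):
    """Load the constructed rows into an in-memory relational audit table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit(user TEXT, ts INTEGER, app TEXT, "
               "action TEXT, target TEXT)")
    db.executemany("INSERT INTO audit VALUES (?,?,?,?,?)", rows)
    return db


def parse_signature(xml_text):
    root = ET.fromstring(xml_text)
    steps = [(s.get("app"), s.get("action"), s.get("target"))
             for s in root.findall("step")]
    return root.get("name"), int(root.get("window")), steps


def evaluate(db, xml_text):
    """Return {user: (matched_steps, total_steps, status)}.

    status is 'detected' when every step matched in order inside the window,
    'predicted' when only a leading prefix of steps matched (the sequence has
    started), and 'none' otherwise.  Each step takes the earliest qualifying
    event after the previous step; that greedy choice is a simplification."""
    _name, window, steps = parse_signature(xml_text)
    results = {}
    users = [r[0] for r in db.execute("SELECT DISTINCT user FROM audit")]
    for user in users:
        matched, start_ts, last_ts = 0, None, -1
        for app, action, pattern in steps:
            (ts,) = db.execute(
                "SELECT MIN(ts) FROM audit WHERE user=? AND app=? AND action=? "
                "AND target LIKE ? AND ts > ?",
                (user, app, action, pattern, last_ts)).fetchone()
            if ts is None or (start_ts is not None and ts - start_ts > window):
                break
            start_ts = ts if start_ts is None else start_ts
            last_ts = ts
            matched += 1
        status = ("detected" if matched == len(steps)
                  else "predicted" if matched else "none")
        results[user] = (matched, len(steps), status)
    return results


if __name__ == "__main__":
    for user, verdict in evaluate(load_audit(AUDIT_ROWS), SIGNATURE_XML).items():
        print(user, verdict)
```

    The point the abstract makes about language deficiencies shows up directly here: the signature can only be written by someone who knows which application names and targets the audit layer records for the behaviour of interest, so the step vocabulary is tied to the monitored software.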

    Superclusteroid: a Web tool dedicated to data processing of protein-protein interaction networks

    The study of proteins and the interactions between them, known as Protein-Protein Interactions (PPI), is extremely important in interpreting all biological cellular functions. In this article, a new web tool called Superclusteroid is presented which can analyse PPI data in order to detect protein complexes or characterise the functionality of unknown proteins. The tool is essentially an intuitive PPI data processing pipeline. It supports various input file formats and provides services such as clustering, PPI network visualisation and protein cluster function prediction. Each Superclusteroid service can be used in a sequential manner or on an individual basis. In order to assess the reliability of our tool to infer PPIs, the results of the tool were compared to already known MIPS database complexes, and a case scenario is presented where a known protein complex is predicted and the functionality of some of its proteins is revealed.

    Civil-military cooperation in emergency response. Evaluation of the quality of service provision of the facilities staffed by the CIMIC company during the refugee crisis in Greece, 2014 – 2016

    The refugee crisis is a multi-dimensional problem and requires interdisciplinary research. In this study we evaluate the interventions of units of the Armed Forces specially trained in civil-military cooperation (CIMIC) in the organisation and management of refugee facilities. Through interviews, we studied two neighbouring and administratively similar open hosting facilities for refugees and migrants in the area of Thessaloniki. Parameters connected to the quality of life of the refugees were evaluated qualitatively and associated with whether or not the staff manning the facilities had been trained. Analysis of the data showed that most of the parameters were positively associated with the training of the staff in CIMIC matters, while certain parameters did not allow statistically significant conclusions to be drawn. The data as a whole indicate that knowledge and application of the practices of the CIMIC protocols positively affect the quality of the services provided, as well as the overall management and smooth operation of an open hosting facility.

    A preliminary model of end user sophistication for insider threat prediction in IT systems

    The dangers that originate from acts of IT system misuse by legitimate users constitute a separate category of threats with well documented consequences for the integrity, privacy and availability of computer systems and networks. Amongst the various properties of malicious legitimate users, one of the most notable is their level of sophistication. Various studies indicate that user sophistication and the potential to misuse IT systems are strongly related properties. This paper presents a methodology that automates the process of gauging end user sophistication. The establishment of suitable metrics to characterize end user sophistication is discussed, followed by an experimental verification of the metrics on a sample of 60 legitimate users of the UNIX operating system. The results indicate that a combination of application execution audits and computational resource utilization metrics could be used to characterize the level of IT sophistication of an end user. Although additional testing in a greater variety of computational environments is required in order to validate the derived preliminary scheme, it is considered that the derived methodology could serve as a component of experimental insider threat prediction processes, or of any other model that requires a procedure to measure the level of IT knowledge of a legitimate user base.
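    As an added example (not the paper's metrics or code), the following Python computes a few candidate sophistication metrics of the kind the abstract names, from constructed process-accounting-style records: application diversity, the share of executions that are developer or diagnostic tools, the share that are shell utilities, and CPU time per execution, then combines them with assumed weights into a per-user score. The record shape, the tool classes and the weights are all assumptions made for this example.

```python
"""Score end-user IT sophistication from application-execution audit records.
Added example: the record format, the tool classes and the weighting are this
example's own assumptions, not the paper's metrics."""
from collections import defaultdict

# Constructed records in the shape of a process-accounting summary:
# (user, command, cpu_seconds)
RECORDS = [
    ("alice", "gcc", 4.2), ("alice", "gdb", 1.1), ("alice", "strace", 0.4),
    ("alice", "python3", 2.0), ("alice", "ssh", 0.1), ("alice", "awk", 0.1),
    ("alice", "make", 3.5), ("alice", "tcpdump", 0.9),
    ("bob", "firefox", 12.0), ("bob", "libreoffice", 6.0),
    ("bob", "firefox", 9.0), ("bob", "evince", 0.5),
    ("carol", "vim", 0.3), ("carol", "grep", 0.1), ("carol", "ssh", 0.2),
    ("carol", "firefox", 5.0), ("carol", "bash", 0.2), ("carol", "tar", 0.4),
]

# Assumed tool classes: developer/diagnostic tools versus shell utilities.
EXPERT_TOOLS = {"gcc", "gdb", "strace", "ltrace", "tcpdump", "make",
                "python3", "perl", "nmap", "objdump"}
SHELL_TOOLS = {"bash", "sh", "zsh", "awk", "sed", "grep", "tar", "ssh", "vim"}

# Assumed weights; these are what an experiment would have to calibrate.
WEIGHTS = {"distinct_apps": 0.3, "expert_share": 0.4,
           "shell_share": 0.2, "cpu_per_exec": 0.1}


def user_metrics(records):
    """Raw per-user metrics from the execution audit."""
    by_user = defaultdict(list)
    for user, cmd, cpu in records:
        by_user[user].append((cmd, cpu))
    metrics = {}
    for user, runs in by_user.items():
        cmds = [c for c, _ in runs]
        n = len(cmds)
        metrics[user] = {
            "distinct_apps": len(set(cmds)),
            "expert_share": sum(c in EXPERT_TOOLS for c in cmds) / n,
            "shell_share": sum(c in SHELL_TOOLS for c in cmds) / n,
            "cpu_per_exec": sum(cpu for _, cpu in runs) / n,
        }
    return metrics


def sophistication_scores(records):
    """Weighted sum of min-max normalised metrics, in [0, 1] per user."""
    m = user_metrics(records)
    scores = {u: 0.0 for u in m}
    for key, w in WEIGHTS.items():
        vals = [m[u][key] for u in m]
        lo, hi = min(vals), max(vals)
        for u in m:
            norm = 0.0 if hi == lo else (m[u][key] - lo) / (hi - lo)
            scores[u] += w * norm
    return scores


def rank(records):
    """Users ordered from most to least sophisticated."""
    s = sophistication_scores(records)
    return sorted(s, key=s.get, reverse=True)


if __name__ == "__main__":
    for user, score in sophistication_scores(RECORDS).items():
        print(f"{user}: {score:.3f}")
```

    CPU time per execution is deliberately given the smallest weight: on its own it is a poor proxy, since a web browser burns more CPU than a compiler, whereas which tools a user reaches for is the signal the abstract's execution audits capture.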

    Improving the Information Security Model by using TFI

    In the context of information systems and information technology, information security is a concept that is becoming widely used. The European Network of Excellence INTEROP classifies information security as a non-functional aspect of interoperability, and as such it is an integral part of the design process for interoperable systems. In the last decade, academics and practitioners have shown their interest in information security, for example by developing security models for evaluating products and setting up security specifications in order to safeguard the confidentiality, integrity, availability and accountability of data. Earlier research has shown that measures to achieve information security at the administrative or organisational level are missing or inadequate. Therefore, there is a need to improve information security models by including vital elements of information security. In this paper, we introduce a holistic view of information security based on a Swedish model combined with a literature survey. Furthermore, we suggest extending this model using concepts based on semiotic theory and adopting the view of an information system as constituted of technical, formal and informal (TFI) parts. The aim is to increase the understanding of the information security domain in order to develop a well-founded theoretical framework, which can be used both in the analysis and the design phase of interoperable systems. Finally, we describe and apply the Information Security (InfoSec) model to the results of three different case studies in the healthcare domain. Limits of the model are highlighted and an extension is proposed.
    Monograph chapter

    Biometrically linking document leakage to the individuals responsible

    Insider threats are a significant security issue. The last decade has witnessed countless instances of data loss and exposure in which data has become publicly available and easily accessible. Losing or disclosing sensitive data or confidential information may cause substantial financial and reputational damage to a company. Whilst more recent research has specifically focused on the insider misuse problem, it has tended to focus on the information itself, either through its protection or through approaches to detect leakage. In contrast, this paper presents a proactive approach to the attribution of misuse via information leakage using biometrics and a locality-sensitive hashing scheme. The hash digest of the object (e.g. a document) is mapped with the given biometric information of the person who interacted with it, generating a digital imprint file that represents the correlation between the two. The proposed approach does not directly store or preserve any explicit biometric information or document copy in a repository. Only the established correlation (the imprint) is kept, for the purpose of reconstructing the mapped information once an incident has occurred. Comprehensive experiments on the proposed approach have shown that this correlation can be re-established with high probability even when the original version has undergone significant file modification. In many scenarios, such as changing the file format or removing parts of the document, including words and sentences, it was possible to extract and reconstruct the correlated biometric information from a modified document (e.g. with 100 words deleted) with an average success rate of 89.31%.
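    As an added example (this is not the paper's scheme or code), the following Python shows one way to realise the idea the abstract describes: a locality-sensitive hash of the document (minhash over its word set, split into bands) is bound to a fixed-length biometric template so that the stored imprint contains neither the document nor the plaintext template, yet a later, edited copy of the document still recovers the template whenever any one band of its signature survives the edits. The minhash and banding parameters, the XOR binding with a hash check, the stand-in template and the sample texts are all assumptions constructed for this example.

```python
"""Bind a document to a biometric template through a locality-sensitive hash.
Added example: the minhash/banding construction, the XOR binding and the
sample texts are this example's own assumptions, not the paper's scheme."""
import hashlib
import re

N_HASH, BANDS = 100, 25          # assumed: 25 bands x 4 rows
ROWS = N_HASH // BANDS

# Constructed stand-in for a 32-byte biometric feature template.
TEMPLATE = hashlib.sha256(b"constructed biometric feature vector, user alice").digest()

# Constructed sample texts: the original, an edited copy (six words removed),
# and an unrelated document sharing no words with the original.
ORIGINAL = ("Quarterly payroll reconciliation: the finance team must verify every "
            "salary adjustment, bonus payment and pension contribution against the "
            "signed authorisation forms before the ledger is closed. Discrepancies "
            "above fifty euros require a second reviewer, and all exported "
            "spreadsheets remain confidential to the compensation committee until "
            "the board approves the final figures.")
MODIFIED = ("Quarterly payroll reconciliation: the finance team must verify every "
            "salary adjustment and pension contribution against the signed "
            "authorisation forms before the ledger is closed. Discrepancies require "
            "a second reviewer, and all exported spreadsheets remain confidential "
            "to the compensation committee until the board approves the figures.")
UNRELATED = ("Trail maintenance volunteers gathered at dawn; wooden bridges were "
             "repaired, invasive shrubs cleared, birdhouses painted.")


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def minhash(text):
    """Deterministic minhash signature: one keyed blake2b per hash function."""
    toks = tokens(text)
    sig = []
    for i in range(N_HASH):
        key = i.to_bytes(8, "big")
        sig.append(min(int.from_bytes(
            hashlib.blake2b(t.encode(), digest_size=8, key=key).digest(), "big")
            for t in toks))
    return sig


def band_keys(sig):
    """One 32-byte key per band, derived from that band's minhash values."""
    keys = []
    for b in range(BANDS):
        band = sig[b * ROWS:(b + 1) * ROWS]
        raw = b.to_bytes(2, "big") + b"".join(v.to_bytes(8, "big") for v in band)
        keys.append(hashlib.sha256(b"band|" + raw).digest())
    return keys


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_imprint(text, template):
    """Imprint = per-band tokens (band_key XOR template) plus a hash check.
    Neither the document nor the plaintext template is stored."""
    assert len(template) == 32
    return {"tokens": [xor(k, template) for k in band_keys(minhash(text))],
            "check": hashlib.sha256(b"check|" + template).digest()}


def recover_template(text, imprint):
    """Return the template if any band of `text` matches the imprinted document,
    otherwise None."""
    for key, tok in zip(band_keys(minhash(text)), imprint["tokens"]):
        candidate = xor(key, tok)
        if hashlib.sha256(b"check|" + candidate).digest() == imprint["check"]:
            return candidate
    return None


if __name__ == "__main__":
    imprint = make_imprint(ORIGINAL, TEMPLATE)
    print("edited copy recovers template:", recover_template(MODIFIED, imprint) == TEMPLATE)
    print("unrelated document recovers:", recover_template(UNRELATED, imprint))
```

    Two caveats a practitioner would check before using a construction like this. The band count trades robustness against false linkage: more, shorter bands recover the template from heavier edits but also raise the chance that an unrelated document shares a band by accident. And the hash check makes the imprint only as strong as the template's entropy; a low-entropy template could be brute-forced against the check offline, so a real system would derive the template under a secret key or use a proper secure-sketch construction rather than a bare hash.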

    Upper Crossed Syndrome

    Physiotherapy, Faculty of Physical Education and Sport

    An Architecture for Insider Misuse Threat Prediction in IT Systems

    The ever increasing computerization of business processes and mission critical applications, combined with the rising number of Internet technologies, has created new security threats for computer systems and networks. Numerous studies indicate that, amongst the various types of security threats, the ones that originate from legitimate user actions can have serious consequences for the health of IT infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of different reasons. This thesis is concerned with the systematic study of the nature of insider IT misuse problems, as well as the development of experimental insider IT misuse prediction techniques. The systematic study of legitimate user misuse actions is necessary due to the composite and variable nature of insider IT misuse. The thesis contains the results of a small scale survey that highlighted many important aspects of insider misuse actions. The results formed the basis for a suitable Insider Misuse Threat Prediction Factor Taxonomy, the end product of the systematic examination of the insider IT misuse phenomenon. The taxonomy was then used to construct a systems architecture that facilitates legitimate user threat prediction. Although the proposed experimental architecture is far from the quality of a production-level utility, it constitutes a novel Insider Threat Prediction Model, which at the time of writing is unique in terms of its comprehensive design. It is considered that the predictive techniques could be taken forward in future research, in order to enhance the capability of existing Intrusion Detection Systems and aid IT professionals in mitigating insider threats effectively. Various aspects of the proposed threat prediction model, the insider IT misuse survey, as well as the proposed Threat Prediction Taxonomy have been published in conference proceedings and journals.