Insider Threat Detection using Virtual Machine Introspection

This paper presents a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated using two data sets. Results of the research show the developed methodology is effective in detecting the malicious insider scenarios on Windows guests

Identifying Common Characteristics of Malicious Insiders

Malicious insiders account for large proportion of security breaches or other kinds of loss for organizations and have drawn attention of both academics and practitioners. Although methods and mechanism have been developed to monitor potential insider via electronic data monitoring, few studies focus on predicting potential malicious insiders. Based on the theory of planned behavior, certain cues should be observed or expressed when an individual performs as a malicious insider. Using text mining to analyze various media content of existing insider cases, we strive to develop a method to identify crucial and common indicators that an individual might be a malicious insider. Keywords: malicious insider, insider threat, the theory of planned behavior, text minin

Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection

Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user\u27s workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests

Dealing with the Malicious Insider

This paper looks at a number of issues relating to the malicious insider and the nature of motivation, loyalty and the type of attacks that occur. The paper also examines the changing environmental, social, cultural and business issues that have resulted in an increased exposure to the insider threat. The paper then discusses a range of measures that can be taken to reduce both the likelihood of an attack and the impact that such an attack may have. These measures should be driven by focused and effective risk management processes

A probabilistic analysis framework for malicious insider threats

Malicious insider threats are difficult to detect and to mitigate. Many approaches for explaining behaviour exist, but there is little work to relate them to formal approaches to insider threat detection. In this work we present a general formal framework to perform analysis for malicious insider threats, based on probabilistic modelling, verification, and synthesis techniques. The framework first identifies insiders' intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking

A probabilistic analysis framework for malicious insider threats

Malicious insider threats are difficult to detect and to mitigate. Many approaches for explaining behaviour exist, but there is little work to relate them to formal approaches to insider threat detection. In this work we present a general formal framework to perform analysis for malicious insider threats, based on probabilistic modelling, verification, and synthesis techniques. The framework first identifies insiders' intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking

A Multidiscipline Approach to Mitigating the Insider Threat

Preventing and detecting the malicious insider is an inherently difficult problem that expands across many areas of expertise such as social, behavioral and technical disciplines. Unfortunately, current methodologies to combat the insider threat have had limited success primarily because techniques have focused on these areas in isolation. The technology community is searching for technical solutions such as anomaly detection systems, data mining and honeypots. The law enforcement and counterintelligence communities, however, have tended to focus on human behavioral characteristics to identify suspicious activities. These independent methods have limited effectiveness because of the unique dynamics associated with the insider threat. The solution requires a multidisciplinary approach with a clearly defined methodology that attacks the problem in an organized and consistent manner. The purpose of this paper is to present a framework that provides a systematic way to identify the malicious insider and describe a methodology to counter the threat. Our model, the Multidiscipline Approach to Mitigating the Insider Threat (MAMIT), introduces a novel process for addressing this challenge. MAMIT focuses on the collaboration of information from the relative disciplines and uses indicators to produce a consolidated matrix demonstrating the likelihood of an individual being a malicious insider. The well-known espionage case study involving Robert Hanssen is used to illustrate the effectiveness of the framework

Defense for Advanced Persistent Threat with Inadvertent or Malicious Insider Threats

In this paper, we propose a game-theoretical framework to investigate advanced persistent threat problems with two types of insider threats: malicious and inadvertent. Within this framework, a unified three-player game is established and Nash equilibria are obtained in response to different insiders. By analyzing Nash equilibria, we provide quantitative solutions to the advanced persistent threat problems with insider threats. Furthermore, optimal defense strategy and defender's cost comparisons between two insider threats have been performed. The findings suggest that the defender should employ more active defense strategies against inadvertent insider threats than against malicious insider threats, despite the fact that malicious insider threats cost the defender more. Our theoretical analysis is validated by numerical results, including an additional examination of the conditions of the risky strategies adopted by different insiders. This may help the defender in determining monitoring intensities and defensive strategies