Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence

Cluster Computing

Abstract

The insider threat is minimally addressed by current information security practices, yet the insider poses the most serious threat to an organization through various malicious activities. Forensic investigation is a technique used to prove the presence of a malicious insider with digital evidence. The proposed surveillance mechanism for countering insider threats operates in two phases. In phase one, the network is monitored for incoming and outgoing packets. Since information is transferred in packets, these packets are monitored and captured, and their important features are extracted. Investigating the captured packets yields information related to suspicious activities. In phase two, we mine various log files, which are considered to possess vital traces of information once an insider attack has been performed. The log files are analysed to extract key patterns, and the extracted patterns are processed further. Suspicious data patterns are grouped into clusters to trace the anomaly, and they are classified as legal or anomalous patterns with the help of a KNN classifier. If an anomaly is traced, the user's past activities are consulted and cross-checked against the features of the captured packets; computational intelligence based on Dempster–Shafer theory is then applied to prove, with digital evidence, the presence of a malicious insider in the critical network with utmost accuracy.
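The fusion step the abstract describes, as an added Python example that is not the paper's code: a KNN vote over constructed log-pattern vectors gives the phase-two verdict, a constructed packet cross-check score stands in for phase one, and Dempster's rule of combination turns both into belief and plausibility that the user is a malicious insider. The feature layout, the source reliabilities and the discounting scheme are assumptions, not taken from the paper.

```python
from itertools import product
from math import dist, isclose
# Added example, not the paper's code: fuse its two evidence sources (KNN verdict over
# log patterns, packet-feature cross-check) with Dempster's rule. All data are constructed.
LEGIT, MAL = "legit", "malicious"
THETA = frozenset({LEGIT, MAL})  # frame of discernment

def knn_anomaly_score(labelled, query, k=5):
    """Fraction of the k nearest labelled log-pattern vectors tagged 'anomaly'."""
    nearest = sorted(labelled, key=lambda p: dist(p[0], query))[:k]
    return sum(1 for _, label in nearest if label == "anomaly") / k

def mass_from_score(score, reliability):
    """Discounted mass: belief the source cannot justify (1 - reliability) goes to THETA."""
    return {frozenset({MAL}): reliability * score,
            frozenset({LEGIT}): reliability * (1 - score),
            THETA: 1 - reliability}

def dempster_combine(m1, m2):
    """Dempster's rule: sum mass products on intersecting focal elements, drop conflict."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            combined[a] = combined.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if isclose(conflict, 1.0):  # total conflict: the rule is undefined
        raise ValueError("evidence sources are in total conflict")
    return {a: v / (1 - conflict) for a, v in combined.items()}

def belief(m, hyp):        # mass committed to hyp or its subsets
    return sum(v for a, v in m.items() if a <= hyp)

def plausibility(m, hyp):  # mass that does not contradict hyp
    return sum(v for a, v in m.items() if a & hyp)

# Constructed log-pattern vectors: (failed logins/h, distinct hosts touched, MB sent out)
LOG_PATTERNS = [((0, 1, 2), "legal"), ((1, 2, 5), "legal"), ((0, 1, 1), "legal"),
                ((2, 1, 3), "legal"), ((1, 3, 4), "legal"), ((7, 9, 300), "anomaly"),
                ((9, 12, 450), "anomaly"), ((6, 8, 280), "anomaly"), ((8, 10, 500), "anomaly")]

def insider_verdict(query, packet_cross_check_score):
    """Phase-two KNN verdict fused with the phase-one packet cross-check; returns
    (belief, plausibility) that the queried user is a malicious insider."""
    m_logs = mass_from_score(knn_anomaly_score(LOG_PATTERNS, query), reliability=0.9)
    m_pkts = mass_from_score(packet_cross_check_score, reliability=0.8)
    fused = dempster_combine(m_logs, m_pkts)
    return belief(fused, {MAL}), plausibility(fused, {MAL})
```

The gap between belief and plausibility is the mass left on THETA, i.e. how much the two sources still leave undecided after fusion.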




Corresponding author

Correspondence to K. Sujatha.

Punithavathani, D.S., Sujatha, K. & Jain, J.M. Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence. Cluster Comput 18, 435–451 (2015). https://doi.org/10.1007/s10586-014-0403-y
