Abstract
The insider threat is minimally addressed by current information security practices, yet the insider poses the most serious threat to an organization through various malicious activities. Forensic investigation is a technique used to prove the presence of a malicious insider with digital evidence. The proposed surveillance mechanism for countering insider threats operates in two phases. In phase one, the network is monitored for incoming and outgoing packets. Since information is transferred in packets, these packets are monitored and captured, and their important features are extracted. Investigation of the captured packets yields information related to suspicious activities. In phase two, we mine various log files, which are considered to possess vital traces of information once an insider attack has been performed. The log files are analysed to extract key patterns, and the extracted patterns are processed further. Suspicious data patterns are grouped into clusters to trace the anomaly, and they are classified as legal or anomalous patterns with the help of a KNN classifier. If an anomaly is traced, the user's past activities are consulted and cross-checked against the features of the captured packets, and computational intelligence based on Dempster–Shafer theory is applied to prove, with digital evidence, the presence of a malicious insider in critical networks with utmost accuracy.
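The abstract names two evidence sources about a user (a KNN label on patterns mined from log files, and a cross-check of captured-packet features against the user's past activity) and says they are fused with Dempster–Shafer theory. The following is an added example, not code from the paper or its authors, showing one way those pieces fit together: a min-max scaled Euclidean KNN over constructed log-derived feature vectors, a discounted simple-support mass function for each source, Dempster's rule of combination over the frame {malicious, benign}, and belief/plausibility for the "malicious insider" hypothesis. The feature names (`failed_logins`, `bytes_out_mb`, `dst_ports`, `off_hours_ratio`), the reliability weights and all sample data are assumptions made for the example.

```python
"""Added example (not the paper's code): fuse a KNN verdict on log patterns with a
packet-feature cross-check using Dempster's rule. All data below are constructed."""
from collections import Counter
import math

MAL, BEN = "M", "B"                      # frame of discernment: malicious / benign
M_SET, B_SET, THETA = frozenset({MAL}), frozenset({BEN}), frozenset({MAL, BEN})

# Constructed training patterns extracted from log files; each vector is
# (failed_logins, after_hours_accesses, bytes_out_mb, distinct_hosts).
TRAINING = [
    ((0, 0, 2.0, 1), "legal"),
    ((1, 0, 3.5, 1), "legal"),
    ((0, 1, 1.0, 2), "legal"),
    ((0, 0, 4.0, 2), "legal"),
    ((6, 4, 850.0, 9), "anomaly"),
    ((3, 5, 620.0, 7), "anomaly"),
    ((8, 3, 410.0, 12), "anomaly"),
]


def feature_ranges(training):
    """Per-feature (min, max) over the training set, used for min-max scaling so a
    large-magnitude feature such as bytes_out does not dominate the distance."""
    columns = zip(*[vec for vec, _ in training])
    return [(min(col), max(col)) for col in columns]


def scale(vec, ranges):
    return tuple((x - lo) / (hi - lo) if hi > lo else 0.0
                 for x, (lo, hi) in zip(vec, ranges))


def knn_anomaly_fraction(sample, training=TRAINING, k=3):
    """Fraction of the k nearest labelled patterns that carry the 'anomaly' label."""
    ranges = feature_ranges(training)
    s = scale(sample, ranges)
    scaled = [(scale(vec, ranges), label) for vec, label in training]
    nearest = sorted(scaled, key=lambda row: math.dist(s, row[0]))[:k]
    return Counter(label for _, label in nearest)["anomaly"] / k


def simple_support(p_malicious, reliability):
    """Discounted simple-support mass function: the source says 'malicious' with
    weight p and 'benign' with weight 1-p, but is trusted only to degree
    `reliability`; the remaining mass stays on the whole frame (ignorance)."""
    return {M_SET: reliability * p_malicious,
            B_SET: reliability * (1.0 - p_malicious),
            THETA: 1.0 - reliability}


def packet_evidence(captured, baseline, reliability=0.7):
    """Cross-check captured-packet features against the user's past activity
    (hypothetical feature names); each indicator that fires adds weight to 'malicious'."""
    indicators = [
        captured["bytes_out_mb"] > 5 * baseline["bytes_out_mb"],
        bool(set(captured["dst_ports"]) - set(baseline["dst_ports"])),
        captured["off_hours_ratio"] > baseline["off_hours_ratio"] + 0.3,
    ]
    return simple_support(sum(indicators) / len(indicators), reliability)


def combine(m1, m2):
    """Dempster's rule: multiply masses on intersecting focal sets and renormalise
    by 1-K, where K is the total mass that landed on the empty intersection."""
    combined, conflict = {}, 0.0
    for a, ma in m1.items():
        for b, mb in m2.items():
            inter = a & b
            if inter:
                combined[inter] = combined.get(inter, 0.0) + ma * mb
            else:
                conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: sources cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}


def belief_plausibility(m, hypothesis=M_SET):
    """Bel = mass on subsets of the hypothesis; Pl = mass on sets that intersect it."""
    bel = sum(v for k, v in m.items() if k <= hypothesis)
    pl = sum(v for k, v in m.items() if k & hypothesis)
    return bel, pl


def assess_user(log_pattern, captured, baseline, knn_reliability=0.8):
    """KNN on the user's log pattern, packet cross-check, then evidence fusion."""
    m_log = simple_support(knn_anomaly_fraction(log_pattern), knn_reliability)
    m_pkt = packet_evidence(captured, baseline)
    return belief_plausibility(combine(m_log, m_pkt))


if __name__ == "__main__":
    # Constructed case: anomalous log pattern plus packet features far from the baseline.
    baseline = {"bytes_out_mb": 12.0, "dst_ports": [80, 443], "off_hours_ratio": 0.1}
    captured = {"bytes_out_mb": 700.0, "dst_ports": [443, 22, 21], "off_hours_ratio": 0.6}
    bel, pl = assess_user((5, 4, 700.0, 8), captured, baseline)
    print(f"Bel(malicious)={bel:.3f}  Pl(malicious)={pl:.3f}")
```

The gap between Bel and Pl is the mass still on the whole frame, i.e. how much the verdict rests on ignorance rather than evidence; the discount factors keep that gap from collapsing to zero when a single source is fully confident, and the conflict mass K is worth logging, since high conflict between the log-based and packet-based sources means the two phases disagree and the case needs an analyst rather than an automatic verdict.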
Cite this article
Punithavathani, D.S., Sujatha, K. & Jain, J.M. Surveillance of anomaly and misuse in critical networks to counter insider threats using computational intelligence. Cluster Comput 18, 435–451 (2015). https://doi.org/10.1007/s10586-014-0403-y
DOI: https://doi.org/10.1007/s10586-014-0403-y