Chivers, Howard Robert orcid.org/0000-0001-7057-9650, Clark, John Andrew orcid.org/0000-0002-9230-9739, Nobles, Philip et al. (2 more authors) (2010) Knowing Who to Watch : identifying attackers whose actions are hidden within false alarms and background noise. Information Systems Frontiers. pp. 17-34. ISSN 1387-3326
Abstract
Insider attacks are often subtle and slow, or are preceded by behavioural indicators, such as organisational rule-breaking, that provide the potential for early warning of malicious intent. Both cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem: rather than retaining event data for post hoc analysis, it maintains long-term estimates that individuals or nodes are attackers, and uses these estimates as triggers for more detailed investigation. We identify the essential attributes of event data, allowing a wide range of indicators to be used, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific: it can integrate evidence from other sources, such as behavioural indicators, document access logs and financial records, in addition to events identified by network monitoring.
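The abstract describes keeping one long-term, incrementally updated estimate per node instead of the raw events, and using that estimate as an investigation trigger. The following is an added illustration of that idea, not the paper's own model (the page gives only the abstract): each node carries a single log-odds value, every indicator is characterised by just two likelihoods (its rate under an attacker and its false-alarm rate under a benign node), and an event updates only the node it concerns. The indicator probabilities, the event line format, the prior and the trigger threshold are all assumed values chosen for the example, and the event stream is constructed.

```python
"""Incremental Bayesian suspicion scoring with one log-odds value per node.

Added illustration only: the indicator likelihoods, event format, prior and
trigger threshold are assumptions for this example, not the paper's model.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """Likelihood of seeing one event of this kind, per observation."""
    p_given_attacker: float   # P(event | node is an attacker)
    p_given_benign: float     # P(event | node is benign): the false-alarm rate

    @property
    def log_likelihood_ratio(self) -> float:
        return math.log(self.p_given_attacker / self.p_given_benign)


# Hypothetical indicator catalogue (assumed values). Each kind needs only the
# two likelihoods above, so evidence from network monitoring, access logs or
# rule-breaking reports can all share the same update rule.
INDICATORS = {
    "ids_alert":        Indicator(0.20, 0.10),   # LR 2: noisy, mostly false alarms
    "failed_login":     Indicator(0.30, 0.10),   # LR 3
    "policy_violation": Indicator(0.40, 0.02),   # LR 20: organisational rule-breaking
}


def logit(p: float) -> float:
    return math.log(p / (1.0 - p))


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


class SuspicionTracker:
    """Stores only the current log-odds per node; raw events are not retained.

    Each event adds that indicator's log likelihood ratio to one node's value,
    so there is no global recomputation and memory grows with nodes, not events.
    """

    def __init__(self, prior: float, indicators: dict, trigger: float) -> None:
        self.prior_logit = logit(prior)     # starting log-odds for an unseen node
        self.indicators = indicators
        self.trigger = trigger              # posterior at which to open an investigation
        self.log_odds: dict[str, float] = {}

    def observe(self, node: str, kind: str) -> float:
        """Fold one event into the node's estimate and return the new posterior."""
        ind = self.indicators[kind]         # an unknown kind is a configuration error
        current = self.log_odds.get(node, self.prior_logit)
        self.log_odds[node] = current + ind.log_likelihood_ratio
        return self.posterior(node)

    def posterior(self, node: str) -> float:
        """P(node is an attacker) given everything observed so far."""
        return sigmoid(self.log_odds.get(node, self.prior_logit))

    def suspects(self) -> list[str]:
        """Nodes whose estimate has crossed the investigation trigger."""
        return sorted(n for n in self.log_odds if self.posterior(n) >= self.trigger)


def ingest(tracker: SuspicionTracker, lines) -> None:
    """Parse 'timestamp node indicator' lines; malformed or unknown kinds are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] not in tracker.indicators:
            continue
        tracker.observe(parts[1], parts[2])


# Constructed sample event stream for the example (not real data).
SAMPLE_EVENTS = [
    "2010-03-01T09:00Z host-a ids_alert",
    "2010-03-01T09:05Z host-a ids_alert",
    "2010-03-01T09:09Z host-a ids_alert",
    "2010-03-01T09:12Z host-b policy_violation",
    "2010-03-01T09:15Z host-c failed_login",
    "2010-03-01T09:20Z host-c ids_alert",
    "2010-03-01T09:30Z host-c policy_violation",
    "2010-03-01T09:31Z host-d unknown_kind",
]


def run_sample() -> SuspicionTracker:
    """Score the constructed stream with a 1% prior and a 30% trigger."""
    tracker = SuspicionTracker(prior=0.01, indicators=INDICATORS, trigger=0.30)
    ingest(tracker, SAMPLE_EVENTS)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for node in sorted(t.log_odds):
        print(f"{node}: P(attacker) = {t.posterior(node):.3f}")
    print("investigate:", t.suspects())
```

With these assumed numbers, three noisy IDS alerts against host-a only move it from 1% to about 7%, a single rule-breaking event puts host-b at about 17%, and host-c, whose weak indicators combine with a rule-breaking event, reaches about 55% and is the only node that crosses the trigger. The point a practitioner should take from the arithmetic is that a low-likelihood-ratio indicator can fire many times without flagging anyone, while the combination of a few independent, individually unremarkable events accumulates in log-odds space with no need to revisit the original events.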
Metadata
| Field | Value |
|---|---|
| Authors/Creators | Chivers, Howard Robert; Clark, John Andrew; Nobles, Philip; and two further authors (see citation above) |
| Copyright, Publisher and Additional Information | This extended journal paper was invited to the special edition of the journal. |
| Dates | Published 2010 |
| Institution | The University of York |
| Academic Units | The University of York > Faculty of Sciences (York) > Computer Science (York) |
| Depositing User | Pure (York) |
| Date Deposited | 27 Jun 2013 00:14 |
| Last Modified | 06 Dec 2023 10:55 |
| Published Version | https://doi.org/10.1007/s10796-010-9268-7 |
| Status | Published |
| Refereed | Yes |
| Identification Number | https://doi.org/10.1007/s10796-010-9268-7 |
Download
Filename: Knowing_Who_to_Watch_Identifying_attackers_whose_actions_are_hidden.pdf
Description: Knowing Who to Watch: Efficiently Identifying Subtle Attackers