An Organizational Role-based Extrusion Detection Model with Profile Migration
DOI: https://doi.org/10.14738/tnc.25.473
Keywords: Extrusion detection, Role-based profile modeling, Profile migration
Abstract
Intrusion detection and prevention systems play a crucial role in the overall information security implementation of today's organizations. Traditionally, signature-based and anomaly-based detection have been the two main methods of detection and prevention. Signature-based intrusion detection systems are excellent in detection and performance, but they are vulnerable to unknown threats such as zero-day attacks. Extensive research has been conducted on anomaly detection and prevention based on users' behavior profiling. However, as insider attacks increase, it has become equally important to monitor and analyze extrusion attempts. Behavior-based profile creation has a promising future in extrusion monitoring. However, profiling individual behavior has its limitations, in that it tends to incorporate unintended behavior into the normal profile. In this study, the user's organizational role has been integrated into profile creation, further reducing the number of false positives. A prototype of the model is tested with three users belonging to three different roles. A profile migration scheme is proposed to import user profiles at various login locations.
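As an added illustration of the false-positive argument above (example code written for this page, not the authors' prototype), the constructed log below profiles outbound actions per user and per organizational role and scores new events against both; the profile shape, the action names and the 5% threshold are assumptions:

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str]  # (user, role, outbound_action)

# Constructed training log (an assumption, not data from the paper): outbound
# actions observed per user; each user belongs to exactly one organizational role.
TRAINING: List[Event] = (
    [("alice", "analyst", "smtp_send")] * 20 + [("alice", "analyst", "usb_copy")] * 5
    + [("bob", "analyst", "smtp_send")] * 18 + [("bob", "analyst", "usb_copy")] * 6
    + [("carol", "analyst", "smtp_send")] * 25          # carol has never used USB so far
    + [("dave", "dba", "db_export")] * 20 + [("dave", "dba", "smtp_send")] * 4
)

def _normalise(counts: Counter) -> Dict[str, float]:
    """Turn raw action counts into relative frequencies."""
    total = sum(counts.values())
    return {action: n / total for action, n in counts.items()}

def build_profiles(events: List[Event]):
    """Return (individual, role) profiles mapping action -> relative frequency."""
    per_user, per_role = defaultdict(Counter), defaultdict(Counter)
    for user, role, action in events:
        per_user[user][action] += 1
        per_role[role][action] += 1   # pooled over every user holding the role
    return ({u: _normalise(c) for u, c in per_user.items()},
            {r: _normalise(c) for r, c in per_role.items()})

def is_anomalous(profile: Dict[str, float], action: str, threshold: float = 0.05) -> bool:
    """An action is anomalous if the profile rates it below the threshold (unseen -> 0)."""
    return profile.get(action, 0.0) < threshold

def classify(events: List[Event], training: List[Event] = TRAINING):
    """For each event return (user, action, flagged_by_individual, flagged_by_role)."""
    individual, role_profiles = build_profiles(training)
    return [(u, a, is_anomalous(individual.get(u, {}), a),
             is_anomalous(role_profiles.get(r, {}), a)) for u, r, a in events]

if __name__ == "__main__":
    # carol's first USB copy: flagged by her individual profile, accepted by the analyst
    # role profile; a DBA-style export is unseen for analysts and is flagged by both.
    for row in classify([("carol", "analyst", "usb_copy"), ("carol", "analyst", "db_export")]):
        print(row)
```

The second flag column is the one the role-based model acts on: an action common among a user's role peers is not treated as an extrusion attempt merely because that one user had not done it before.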