| Title | Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions |
| Author | Eric A. Fischer (Senior Specialist in Science and Technology) |
| Year | |
| Keyword | |
| Abstract |
| Title | Ten National Cyber Security Strategies: A Comparison |
| Author | H.A.M. Luiijf, Kim Besseling, Maartje Spoelstra, and Patrick de Graaf |
| Year | 2009 |
| Keyword | cyber security, strategy, policy, critical infrastructure, national security. |
| Abstract | A number of nations have developed and published a national cyber security strategy (NCSS). Most of them were published in the period 2009 to 2011. Despite the fact that each of these NCSS intends to address the cyber security threat, large differences exist between the NCSS approaches. This paper analyses and compares the NCSS of Australia, Canada, the Czech Republic, France, Germany, Japan, The Netherlands, New Zealand, the United Kingdom, and the United States. Thirteen observations lead to a set of conclusions which nations with an NCSS and developers of future NCSS may use to their advantage. |
| Title | An Assessment of U.S. Legislation on Cybersecurity |
| Author | Acklyn Murray, Sherali Zeadally |
| Year | 1996 |
| Keyword | cyberattack; cybercrime; cybersecurity; legislation |
| Abstract | Cybercrime continues to be on the rise, and cybercriminals are launching increasingly sophisticated cyberattacks aimed at disrupting businesses through denial of service attacks and stealing personal information, all with serious economic consequences. Law and policy makers are under increasing pressure to develop timely legislation to address cybercrime issues and provide effective measures to prosecute cybercriminals. We present a comprehensive review of the various laws that are currently available in the United States to control cybercrime and support cybersecurity. We also discuss proposed bills in light of how they address cybersecurity challenges in current legislation. Finally, we briefly present recent regulations and proposed bills related to cybersecurity in a few other countries which have set up various government initiatives in this area. |
| Title | Traveling the Silk Road: A Measurement Analysis of a Large Anonymous Online Marketplace |
| Author | Nicolas Christin (Carnegie Mellon INI/CyLab) |
| Year | 2013 |
| Keyword | Online crime, anonymity, electronic commerce |
| Abstract | We perform a comprehensive measurement analysis of Silk Road, an anonymous, international online marketplace that operates as a Tor hidden service and uses Bitcoin as its exchange currency. We gather and analyze data over eight months between the end of 2011 and 2012, including daily crawls of the marketplace for nearly six months in 2012. We obtain a detailed picture of the type of goods sold on Silk Road, and of the revenues made both by sellers and Silk Road operators. Through examining over 24,400 separate items sold on the site, we show that Silk Road is overwhelmingly used as a market for controlled substances and narcotics, and that most items sold are available for less than three weeks. The majority of sellers disappear within roughly three months of their arrival, but a core of 112 sellers has been present throughout our measurement interval. We evaluate the total revenue made by all sellers, from public listings, to slightly over USD 1.2 million per month; this corresponds to about USD 92,000 per month in commissions for the Silk Road operators. We further show that the marketplace has been operating steadily, with daily sales and number of sellers overall increasing over our measurement interval. We discuss economic and policy implications of our analysis and results, including ethical considerations for future research in this area. |
| Title | Computer Forensics: An Overview |
| Author | Frederick Gallegos, CISA, CDE, CGFM |
| Year | 2005 |
| Keyword | |
| Abstract |
| Title | Efficient Data Structures for Tamper-Evident Logging |
| Author | Scott A. Crosby |
| Year | |
| Keyword | |
| Abstract |
| Title | HTEE: AN HMAC BASED TAMPER EVIDENT ENCRYPTION |
| Author | Bradley Baker and C. Edward Chow |
| Year | |
| Keyword | Encryption, Integrity, Confidentiality, HMAC, Tamper Detection, Hash. |
| Abstract | This paper presents an HMAC based Tamper Evident Encryption (HTEE) technique for providing confidentiality and integrity of numeric data in a database environment through an encryption scheme based on the keyed Hash Message Authentication Code (HMAC) function. The encryption scheme implemented in this project extends and improves an existing HMAC based encryption scheme. The result is a symmetric encryption process which detects unauthorized updates to ciphertext data, verifies integrity and provides confidentiality. This encryption scheme provides an alternative to standard approaches that offer confidentiality and integrity of data, such as combining the Advanced Encryption Standard (AES) algorithm with a hash digest. The purpose of the scheme is to provide a straightforward and efficient encryption that supports data integrity, to investigate the use of HMAC for reversible encryption and key transformation, and to improve upon an existing method. |
| Title | The cryptographic hash function crisis and the SHA-3 competition |
| Author | Bart Preneel |
| Year | 2010 |
| Keyword | |
| Abstract |
| Title | Fast Collision Attack on MD5 |
| Author | Tao Xie, Fanbao Liu, Dengguo Feng |
| Year | 2010 |
| Keyword | Hash Function; MD5 Differential Cryptanalysis; Collision Attack; Single-Block Collision |
| Abstract | We presented the first single block collision attack on MD5 with complexity of 2 pressions and posted the challenge for another completely new one in 2010. Last year, Stevens presented a single block collision attack to our challenge, with complexity of 2 Stevens’s hard work. However, it is a pity that he had not found even a better solution than our original one, let alone a completely new one and the very optimal solution that we preserved and have been hoping that someone can find it, whose collision complexity is about 2 method how to choose the optimal input difference for generating MD5 collision pairs. First, we divide the sufficient conditions into two classes: strong conditions and weak conditions, by the degree of difficulty for condition satisfaction. Second, we prove that there exist strong conditions in only 24 steps (one and a half rounds) under specific conditions, by utilizing the weaknesses of compression functions of MD5, which are difference inheriting and message expanding. Third, there should be no difference scaling after state word q so that it can result in the least number of strong conditions in each differential path, in such a way we deduce the distribution of strong conditions for each input difference pattern. Finally, we choose the input difference with the least number of strong conditions and the most number of free message words. We implement the most efficient 2-block MD5 collision attack, which needs only about 2 pair, and show a single-block collision attack with complexity 2 41 MD5 compressions. In this paper, we propose a |
| Title | Differential Attacks on Reduced RIPEMD-160 |
| Author | Florian Mendel, Tomislav Nad, Stefan Scherz, and Martin Schläffer |
| Year | 2012 |
| Keyword | hash functions, cryptanalysis, semi-free-start collisions. |
| Abstract | In this work, we provide the first security analysis of reduced RIPEMD-160 regarding its collision resistance with practical complexity. The ISO/IEC standard RIPEMD-160 was proposed 15 years ago and may be used as a drop-in replacement for SHA-1 due to their identical hash output length. Only a few results have been published for RIPEMD-160 so far, and most attacks have a complexity very close to the generic bound. In this paper, we present the first application of the attacks of Wang et al. on MD5 and SHA-1 to RIPEMD-160. Due to the dual-stream structure of RIPEMD-160, the application of these attacks is nontrivial and almost impossible without the use of automated tools. We present practical examples of semi-free-start near-collisions for the middle 48 steps (out of 80) and semi-free-start collisions for 36 steps of RIPEMD-160. Furthermore, our results show that the differential characteristics get very dense in RIPEMD-160, such that a full-round attack seems unlikely in the near future. |
| Title | Keccak |
| Author | Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche |
| Year | 2013 |
| Keyword | |
| Abstract |
| Title | Taxonomy of Cyber Attacks and Simulation of their Effects |
| Author | |
| Year | |
| Keyword | Cyber attack, taxonomy, effects, command, control |
| Abstract | Due to an increasing level of reliance on computer network technology, military organizations are increasingly vulnerable to cyber attacks. Cyber attacks take a variety of forms and have a broad spectrum of effects. In order to facilitate military cyber operators' and defenders' understanding of the threats they face, we propose a taxonomy of cyber attacks based on the level of access required by the attacker to launch the attack. We also discuss a number of methods used to deliver cyber attacks to target systems. Finally, we propose methods to simulate the effects of several cyber attack types for use in simulation in support of training and experimentation. |
| Title | The MAL: A Malware Analysis Lexicon |
| Author | David A. Mundie, David M. McIntire |
| Year | |
| Keyword | |
| Abstract |
| Title | Behavioral detection of malware: from a survey towards an established taxonomy |
| Author | Grégoire Jacob · Hervé Debar · Eric Filiol |
| Year | 2008 |
| Keyword | |
| Abstract | Behavioral detection differs from appearance detection in that it identifies the actions performed by the malware rather than syntactic markers. Identifying these malicious actions and interpreting their final purpose is a complex reasoning process. This paper draws up a survey of the different reasoning techniques deployed among the behavioral detectors. These detectors have been classified according to a new taxonomy introduced in the paper. Strongly inspired by the domain of program testing, this taxonomy divides the behavioral detectors into two main families: simulation-based and formal detectors. Inside these families, ramifications are then derived according to the data collection mechanisms, the data interpretation, the adopted model and its generation, and the decision support. |
| Title | A Survey of Malware Detection Techniques |
| Author | Nwokedi Idika, Aditya P. Mathur |
| Year | 2007 |
| Keyword | |
| Abstract |
| Title | A taxonomy of network and computer attacks |
| Author | Simon Hansman, Ray Hunt |
| Year | 2005 |
| Keyword | Taxonomy; Computer attack; Network attack; Classification scheme; Attack vector; Attack target; CERT |
| Abstract | Attacks over the years have become both increasingly numerous and sophisticated. This paper focuses on the provisioning of a method for the analysis and categorisation of both computer and network attacks, thus providing assistance in combating new attacks, improving computer and network security as well as providing consistency in language when describing attacks. Such a taxonomy is designed to be useful to information bodies such as CERTs (Computer Emergency Response Teams) who have to handle and categorise an ever increasing number of attacks on a daily basis. Information bodies could use the taxonomy to communicate more effectively as the taxonomy would provide a common classification scheme. The proposed taxonomy consists of four dimensions which provide a holistic taxonomy in order to deal with inherent problems in the computer and network attack field. The first dimension covers the attack vector and the main behaviour of the attack. The second dimension allows for classification of the attack targets. Vulnerabilities are classified in the third dimension and payloads in the fourth. Finally, to demonstrate the usefulness of this taxonomy, a case study applies the taxonomy to a number of well known attacks. |
| Title | Recent Worms: A Survey and Trends |
| Author | Matthew C. Elder |
| Year | 2003 |
| Keyword | Malicious code, survey. |
| Abstract | In this paper, we present a broad overview of recent worm activity. Virus information repositories, such as the Network Associates' Virus Information Library, contain over 4500 different entries (through the first quarter of 2003). While many of these entries are interesting, a great number of them are now simply historical and a large percentage of them are completely derivative in nature. However, these virus information repositories are the best source of material on the breadth of malicious code, including worms. |
| Title | Design Space and Analysis of Worm Defense Strategies |
| Author | David Brumley, Li-Hao Liu, Pongsin Poosankam, Dawn Song |
| Year | 2006 |
| Keyword | worms, worm propagation, worm taxonomy, defense strategy analysis, proactive protection, blacklisting, antibody, local containment |
| Abstract | We give the first systematic investigation of the design space of worm defense system strategies. We accomplish this by providing a taxonomy of defense strategies, abstracting away implementation-dependent and approach-specific details and concentrating on the fundamental properties of each defense category. Our taxonomy and analysis reveal the key parameters for each strategy that determine its effectiveness. We provide a theoretical foundation for understanding how these parameters interact, as well as simulation-based analysis of how these strategies compare as worm defense systems. Finally, we offer recommendations based upon our taxonomy and analysis on which worm defense strategies are most likely to succeed. In particular, we show that a hybrid approach combining Proactive Protection and Reactive Antibody Defense is the most promising approach and can be effective even against the fastest worms such as hitlist worms. Thus, we are the first to demonstrate with theoretic and empirical models which defense strategies will work against the fastest worms such as hitlist worms. |
| Title | Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses |
| Author | Eric Chien and Péter Ször |
| Year | 2002 |
| Keyword | |
| Abstract |
| Title | Information Systems Security Blended Threats: A New Era in Anti-Virus Protection |
| Author | John Gordineer |
| Year | 2006 |
| Keyword | |
| Abstract |
| Title | Detecting Kernel-Level Rootkits Through Binary Analysis |
| Author | Christopher Kruegel (Technical University Vienna, chris@auto.tuwien.ac.at) |
| Year | |
| Keyword | |
| Abstract | A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user-space binaries to conceal malicious activity. Instead, these rootkits operate within the kernel, modifying critical data structures such as the system call table or the list of currently-loaded |
| Title | Detecting Scareware by Mining Variable Length Instruction Sequences |
| Author | Raja Khurram Shahzad, Niklas Lavesson |
| Year | |
| Keyword | Scareware; Instruction Sequence; Classification |
| Abstract | Scareware is a recent type of malicious software that may pose financial and privacy-related threats to novice users. Traditional countermeasures, such as anti-virus software, require regular updates and often lack the capability of detecting novel (unseen) instances. This paper presents a scareware detection method that is based on the application of machine learning algorithms to learn patterns in extracted variable length opcode sequences derived from instruction sequences of binary files. The patterns are then used to classify software as legitimate or scareware but they may also reveal interpretable behavior that is unique to either type of software. We have obtained a large number of real world scareware applications and designed a data set with 550 scareware instances and 250 benign instances. The experimental results show that several common data mining algorithms are able to generate accurate models from the data set. The Random Forest algorithm is shown to outperform the other algorithms in the experiment. Essentially, our study shows that, even though the differences between scareware and legitimate software are subtler than between, say, viruses and legitimate software, the same type of machine learning approach can be used in both of these dissimilar cases. |
| Title | A Multifaceted Approach to Understanding the Botnet Phenomenon |
| Author | |
| Year | 2006 |
| Keyword | Botnets, Computer Security, Malware, Network Security |
| Abstract | The academic community has long acknowledged the existence of malicious botnets; however, to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic: 27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon. |
| Title | Intrusion and intrusion detection |
| Author | John McHugh |
| Year | 2001 |
| Keyword | Computer misuse – Intrusion detection – Intrusive anomalies – Intrusion signatures – Intrusion detection systems (IDS) – IDS evaluation |
| Abstract | Assurance technologies for computer security have failed to have significant impacts in the marketplace, with the result that most of the computers connected to the internet are vulnerable to attack. This paper looks at the problem of malicious users from both a historical and practical standpoint. It traces the history of intrusion and intrusion detection from the early 1970s to the present day, beginning with a historical overview. The paper describes the two primary intrusion detection techniques, anomaly detection and signature-based misuse detection, in some detail and describes a number of contemporary research and commercial intrusion detection systems. It ends with a brief discussion of the problems associated with evaluating intrusion detection systems and a discussion of the difficulties associated with making further progress in the field. With respect to the latter, it notes that, like many fields, intrusion detection has been based on a combination of intuition and brute-force techniques. We suspect that these have carried the field as far as they can and that further significant progress will depend on the development of an underlying theoretical basis for the field. |
| Title | The Knowledge Based Authentication Attacks |
| Author | Farnaz Towhidi, Azizah Abdul Manaf, Salwani Mohd Daud, Arash Habibi Lashkari |
| Year | |
| Keyword | Authentication Attack, Graphical Password Attacks, Knowledge Based Attacks, Recognition Based Attacks, Recall based Attacks. |
| Abstract | Knowledge Based authentication, which divides into textual and graphical passwords, is still the most widely used and accepted technique for securing resources from unauthorized access because of its simplicity, ease of revocation and legacy deployment. Over the last decade, several attacks have been recorded that steal users' identities and confidential information using a single attack or a combination of attacks. In this paper, the attack patterns for textual and graphical passwords are described according to the CAPEC standard, followed by a description of their effects on both conventional and image passwords. Moreover, some categories lack detailed research; these are highlighted and will be selected as future work. |
| Title | Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff |
| Author | Arvind Narayanan and Vitaly Shmatikov |
| Year | 2005 |
| Keyword | Passwords, Dictionary Attack, Time-Space Tradeoff, Cryptanalysis, Markov Models |
| Abstract | Human-memorable passwords are a mainstay of computer security. To decrease vulnerability of passwords to brute-force dictionary attacks, many organizations enforce complicated password-creation rules and require that passwords include numerals and special characters. We demonstrate that as long as passwords remain human-memorable, they are vulnerable to “smart-dictionary” attacks even when the space of potential passwords is large. Our first insight is that the distribution of letters in easy-to-remember passwords is likely to be similar to the distribution of letters in the users’ native language. Using standard Markov modeling techniques from natural language processing, this can be used to dramatically reduce the size of the password space to be searched. Our second contribution is an algorithm for efficient enumeration of the remaining password space. This allows application of time-space tradeoff techniques, limiting memory accesses to a relatively small table of “partial dictionary” sizes and enabling a very fast dictionary attack. We evaluated our method on a database of real-world user password hashes. Our algorithm successfully recovered 67.6% of the passwords using a 2 × 10 a much higher percentage than Oechslin’s “rainbow” attack, which is the fastest currently known technique for searching large keyspaces. These results call into question the viability of human-memorable character-sequence passwords as an authentication mechanism. |
| Title | A Survey on Biometric Fingerprints: The Cardless Payment System |
| Author | Dileep Kumar, Dr.Yeonseung Ryu, Dr.Dongseop Kwon |
| Year | 2008 |
| Keyword | Biometric, Fingerprints, Card less - Payment System. |
| Abstract | In daily life people use credit cards for shopping, check cards, bus cards and subway cards for traveling, student cards for the library and department, and many other kinds of cards for unlimited purposes. The problem is that a person has to carry many cards, has to remember their passwords or secret codes, and has to keep them secure at all times. In this paper a biometric fingerprint payment system is used for various kinds of payment in place of the burden of carrying cards and memorizing difficult passwords. The biometric fingerprint payment system is safe and secure and very easy to use, without any password or secret code to remember, as compared with previous systems like credit card payment systems, wireless systems and mobile systems. The biometric fingerprint payment system is reliable and expensive, and it has more advantages as compared with the others. |
| Title | Adoption of Iris-Based Authentication |
| Author | |
| Year | 2008 |
| Keyword | Authentication, biometrics, iris recognition, technology adoption |
| Abstract | Even though iris-based systems have proven to be very promising in a world where security is crucial, surprisingly enough, this means of authentication has not been given a very warm welcome from the users. In order to appropriately confront this issue, critical success factors of the deployment of networked-based systems for iris authentication - namely technical, human, and implementation aspects, as well as necessary policies and standards - need to be carefully considered. One of the major success factors is the adoption issue concerning this relatively new technology. The decision to adopt iris-based authentication is influenced by many factors, including user characteristics, social factors, and technology characteristics. Addressing these key factors is extremely valuable for the successful implementation of iris-based technology. |
| Title | Voice Authentication Using Short Phrases: Examining Accuracy, Security and Privacy Issues |
| Author | R.C. Johnson, Terrance E. Boult (University of Colorado, Colorado Springs), Walter J. Scheirer (Harvard University) |
| Year | |
| Keyword | |
| Abstract | This paper examines a novel security model for voice biometrics that decomposes the overall problem into bits of “biometric identity security,” bits of “knowledge security,” and bits of “traditional encryption security.” This is the first paper to examine balancing security gained from text-dependent and text-independent voice biometrics under this model. Our formulation allows for text-dependent voice biometrics to address both what you know and who you are. A text-independent component is added to defeat replay attacks. Further, we experimentally examine an extension of the recently introduced Vaulted Voice Verification protocol and the security tradeoffs of adding these elements. We show that by mixing text-dependent with text-independent voice verification and by expanding the challenge-response protocol, Vaulted Voice Verification can preserve privacy while addressing the problematic issues of voice as a remote/mobile biometric identifier. The resulting model supports both authentication and key release with the matching taking place client side, where a mobile device may be used. This novel security model addresses a real and crucial problem: that of security on a mobile device. |
| Title | A survey of biometric technology based on hand shape |
| Author | Nicolae Duta |
| Year | 2009 |
| Keyword | Biometric systems Hand shape Hand geometry |
| Abstract | Automated biometric systems have emerged as a more reliable alternative to the traditional personal identification solutions. One of the most popular biometrics is hand shape due to its ease of use, non-intrusiveness and public acceptance. This paper presents a survey of the technology used in hand shape-based biometric systems. We first review the component modules including the algorithms they employ. Next we discuss system taxonomies, performance evaluation methodologies, testing issues and US government evaluations. A summary of the accuracy results reported in the literature is also provided. We next describe some of the commercial hand shape biometric systems as well as some recent successful deployments. Finally, we mention a few limitations of the hand shape biometric and give some directions for future research. |
| Title | DIGITAL SIGNATURE |
| Author | Ravneet Kaur, Amandeep Kaur |
| Year | 2012 |
| Keyword | Encryption, Hashing, Public Key Encryption, Authentication, Privacy, Information Security |
| Abstract | Different types of encryption techniques are being used to ensure the privacy of data transmitted over the internet. A Digital Signature is a mathematical scheme which ensures the privacy of conversation, integrity of data, authenticity of the digital message/sender and non-repudiation of the sender. A Digital Signature is embedded in some hardware device or also exists as a file on a storage device. Digital Signatures are signed by a third party, some certifying authority. This paper describes the different key factors of digital signatures together with the working of digital signatures, through the various methods and procedures involved in signing data or a message using a digital signature. It introduces the algorithms used in digital signatures. |
| Title | Hash Functions and Message Authentication Codes (MAC) |
| Author | Marius Zimand |
| Year | |
| Keyword | |
| Abstract |
| Title | A Provenance-based Access Control Model |
| Author | Ravi Sandhu |
| Year | 2012 |
| Keyword | |
| Abstract | The existence of data provenance information in a system raises at least two security-related issues. One is how provenance data can be used to enhance security in the system and the other is how to protect provenance data, which might be more sensitive than the data itself. Recent data provenance-related access control literature mainly focuses on the latter issue of protecting provenance data. In this paper, we propose a novel provenance-based access control model that addresses the former objective. Using provenance data for access control to the underlying data facilitates additional capabilities beyond those available in traditional access control models. We utilize a notion of dependency as the key foundation for access control policy specification. Dependency-based policy provides simplicity and effectiveness in policy specification and access control administration. We show our model can support dynamic separation of duty, |
| Title | Preventing Privilege Escalation |
| Author | Niels Provos (CITI, University of Michigan), Markus Friedl (GeNUA), Peter Honeyman (CITI, University of Michigan) |
| Year | |
| Keyword | |
| Abstract | Many operating system services require special privilege to execute their tasks. A programming error in a privileged service opens the door to system compromise in the form of unauthorized acquisition of privileges. In the worst case, a remote attacker may obtain superuser privileges. In this paper, we discuss the methodology and design of privilege separation, a generic approach that lets parts of an application run with different levels of privilege. Programming errors occurring in the unprivileged parts can no longer be abused to gain unauthorized privileges. Privilege separation is orthogonal to capability systems or application confinement and enhances the security of such systems even further. Privilege separation is especially useful for system services that authenticate users. These services execute privileged operations depending on internal state not known to an application confinement mechanism. As a concrete example, the concept of privilege separation has been implemented in OpenSSH. However, privilege separation is equally useful for other authenticating services. We illustrate how separation of privileges reduces the amount of OpenSSH code that is executed with special privilege. Privilege separation prevents known security vulnerabilities in prior OpenSSH versions including some that were unknown at the time of its implementation. |
| Title | A Survey of Insider Attack Detection Research |
| Author | Malek Ben Salem, Shlomo Hershkop, and Salvatore J. Stolfo |
| Year | |
| Keyword | |
| Abstract | tion appearing in the computer security research literature. We distinguish between masqueraders and traitors as two distinct cases of insider attack. After describing the challenges of this problem and highlighting current approaches and techniques pursued by the research community for insider attack detection, we suggest directions for future research. |
| Title | Towards Mechanisms for Detection and Prevention of Data Exfiltration by Insiders |
| Author | Elisa Bertino, Gabriel Ghinita |
| Year | 2011 |
| Keyword | Insider Threat, Data Exfiltration. |
| Abstract | Data represent an extremely important asset for any organization. Confidential data such as military secrets or intellectual property must never be disclosed outside the organization. Therefore, one of the most severe threats in the case of cyber-insider attacks is the loss of confidential data due to exfiltration. A malicious insider who has the proper credentials to access the organization databases may, over time, send data outside the organization network through a variety of channels, such as email, crafted HTTP requests that encapsulate data, etc. Existing security tools for detection of cyber-attacks focus on protecting the boundary between the organization and the outside world. Numerous network-level intrusion detection systems (IDS) exist, which monitor the traffic pattern and attempt to infer anomalous behavior. While such tools may be effective in protecting against external attacks, they are less suitable when the data exfiltration is performed by an insider who has the proper credentials and authorization to access resources within the organization. In this paper, we argue that DBMS-layer detection and prevention systems are the best alternative to defend against data exfiltration because: (1) DBMS access is performed through a standard, unique language (SQL) with well-understood semantics; (2) monitoring the potential disclosure of confidential data is more effective if done as close as possible to the data source; and (3) the DBMS layer already has in place a thorough mechanism for enforcing access control based on subject credentials. By analyzing the pattern of interaction between subjects and the DBMS, it is possible to detect anomalous activity that is indicative of early signs of exfiltration. In the paper, we outline a taxonomy of cyber-insider dimensions of activities that are indicative of data exfiltration, and we discuss a high-level architecture and mechanisms for early detection of exfiltration by insiders. We also outline a virtualization-based mechanism that prevents insiders from exfiltrating data, even in the case when they manage to gain control over the network. The protection mechanism relies on explicit authorization of data transfers that cross the organizational boundary. |
| Title | Using Empirical Insider Threat Case Data to Design a Mitigation Strategy |
| Author | Dawn M. Cappelli |
| Year | 2010 |
| Keyword | Insider Threat, Security, Technology, Mitigation |
| Abstract |