Zilin Huang,Xiulai Li,Xinyi Cao,Ke Chen,Longjuan Wang,Logan Bo-Yee Liu

2024-11-09

Abstract:In the digital age, users store personal data in corporate databases, making data security central to enterprise management. Given the extensive attack surface, assets face challenges like weak authentication, vulnerabilities, and malware. Attackers may exploit vulnerabilities to gain unauthorized access, masquerading as legitimate users. Such attacks can lead to privacy breaches, business disruption, financial losses, and reputational damage. Complex attack vectors blur lines between insider and external threats. To address this, we introduce the IDU-Detector, integrating Intrusion Detection Systems (IDS) with User and Entity Behavior Analytics (UEBA). This integration monitors unauthorized access, bridges system gaps, ensures continuous monitoring, and enhances threat identification. Existing insider threat datasets lack depth and coverage of diverse attack vectors. This hinders detection technologies from addressing complex attack surfaces. We propose new, diverse datasets covering more attack scenarios, enhancing detection technologies. Testing our framework, the IDU-Detector achieved average accuracies of 98.96% and 99.12%. These results show effectiveness in detecting attacks, improving security and response speed, and providing higher asset safety assurance.

Cryptography and Security

Chaoqun Yang,Lei Mo,Xianghui Cao,Heng Zhang,Zhiguo Shi

DOI: https://doi.org/10.1109/JIOT.2023.3281273

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:The problem of multiple integrity attacks (attackers) detection and identification (MIADI) in cyber-physical systems (CPSs) is still a challenging problem to date. The goal of this article is to develop a knowledge-based method capable of simultaneously detecting and identifying multiple integrity attacks aiming at different sensors in a CPS. In this article, with the help of labeled random finite set (RFS) theory, a new solution to solve the MIADI problem is proposed. The main contributions of this article lie in the following two aspects, the first is the novel formulation of the MIADI problem, in which labeled RFSs are used to model the behaviors of multiple integrity attackers for the first time, and the second is the proposed labeled RFS-based solution, which provides an elegant framework to cope with the MIADI problem. Numerical experiments are conducted and experimental results demonstrate the effectiveness of the proposed solution. This proposed solution further extends the feasibility of the labeled RFS theory in the context of CPSs cybersecurity.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan,YE Run-guo

2011-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges,while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user′s behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific highorder homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space.In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little computation workload,and then smoothes them to get the decision values used to determine whether the monitored user′s behavior is normal or anomalous.Its performance is tested in computer simulation,showing higher detection accuracy and fewer computation costs than related methods′.The proposed method is especially suitable for on-line detection.

Wen-yi LIU,Zhi XUE,Yi-jun WANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.07.016

2014-01-01

Abstract:Masquerade intrusion is attack by unauthorized users to obtain access to confidential data or conduct other illegal operation. Currently, masquerade detection largely depends on the retrieval of user’s sensitive information to model the user characteristics. To avoid the violation of user privacy, this paper proposes a new masquerade intrusion detection method based on network flow statistical data. User Characteristic modeling is illustrated in details and a hybrid algorithm combining AdaBoost and Support Vector Machine(SVM) is also introduced to train and predict user behavior. Experiments on a real packet data set show that the method can resist masquerade intrusion, preserve user privacy, and its system detection rate is 97.5%, false positive rate is 1.1%when delay is in milliseconds, prove that the detection performance of this method is better than the existing methods.

Hoda Eldardiry,Evgeniy Bart,Juan Liu,John Hanley,Bob Price,Oliver Brdiczka

DOI: https://doi.org/10.1109/SPW.2013.14

2013-01-01

Abstract:Malicious insiders pose significant threats to information security, and yet the capability of detecting malicious insiders is very limited. Insider threat detection is known to be a difficult problem, presenting many research challenges. In this paper we report our effort on detecting malicious insiders from large amounts of work practice data. We propose novel approaches to detect two types of insider activities: (1) blend-in anomalies, where malicious insiders try to behave similar to a group they do not belong to, and (2) unusual change anomalies, where malicious insiders exhibit changes in their behavior that are dissimilar to their peers' behavioral changes. Our first contribution focuses on detecting blend-in malicious insiders. We propose a novel approach by examining various activity domains, and detecting behavioral inconsistencies across these domains. Our second contribution is a method for detecting insiders with unusual changes in behavior. The key strength of this proposed approach is that it avoids flagging common changes that can be mistakenly detected by typical temporal anomaly detection mechanisms. Our third contribution is a method that combines anomaly indicators from multiple sources of information.

Zhiyuan Lv,Youjian Zhao,Haibin Li

DOI: https://doi.org/10.1109/ISCC47284.2019.8969587

2019-01-01

Abstract:Nowadays, masquerade attack caused by identity misuse is a kind of severe insider threat and a common security problem for most organizations. Although the anomaly detection based on machine learning has been applied as a common method for this problem, most existing approaches for detecting masquerade attack usually use host-based data to profile user behavior and detect anomaly. However, host-based data are too sensitive to collect, which results in poor universality and makes it difficult for enterprises to deploy. In this paper, we propose a cheap and general masquerade detection method with high accuracy to profile user network behavior and detect anomaly, using network packet sketches (IP, port, protocol, etc.). As network packet headers with standardized format are non-sensitive, our method is suitable for most enterprises and much cheaper to deploy. To validate the method, we collected more than 10 TB normal user data and 5 GB simulated masquerader data in real enterprise environment. The experimental results show that our method achieves good performance with average AUC up to 0.988 and the approach of modeling user network behavior by network packet sketches results in good time efficiency.

Jianguo Jiang,Xu Wang,Yan Wang,Qiujian Lv,MeiChen Liu,TingTing Wang,LeiQi Wang

DOI: https://doi.org/10.1109/iscc53001.2021.9631465

2021-01-01

Abstract:Masqueraders are a severe insider threat and have become a conventional security issue for most organizations. The majority of existing techniques for detecting masqueraders extract statistical features from file access logs. However, the graph's features from these logs have not been fully explored. In this work, we introduce GSketch. First, it divides each user's file access logs into equal length, non-overlapping time windows. Then file access logs on each time window are transformed into a graph according to chronological order. GSketch extracts global features and local features from the graph. Global features provide a panoramic view of the graph, and local features mine small, induced sub-graphs. Finally, GSketch applies an abnormal detection algorithm to find anomalous points in the feature space and marks these points as masquerader's activities. The effectiveness of GSketch is demonstrated by its excellent performances on two public datasets - WUIL and TWOS.

Anagi Gamachchi,Li Sun,Serdar Boztas

DOI: https://doi.org/10.48550/arXiv.1809.00141

2018-09-01

Cryptography and Security

Abstract:While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches, to combat this severe cybersecurity threat. Our framework analyzes heterogeneous data in isolating possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.

Zhiyuan Wei,Usman Rauf,Fadi Mohsen,Wei, Zhiyuan,Rauf, Usman,Mohsen, Fadi

DOI: https://doi.org/10.1007/s12243-024-01023-7

2024-04-04

Annals of Telecommunications

Abstract:Insider threats refer to harmful actions carried out by authorized users within an organization, posing the most damaging risks. The increasing number of these threats has revealed the inadequacy of traditional methods for detecting and mitigating insider threats. These existing approaches lack the ability to analyze activity-related information in detail, resulting in delayed detection of malicious intent. Additionally, current methods lack advancements in addressing noisy datasets or unknown scenarios, leading to under-fitting or over-fitting of the models. To address these, our paper presents a hybrid insider threat detection framework. We not only enhance prediction accuracy by incorporating a layer of statistical criteria on top of machine learning-based classification but also present optimal parameters to address over/under-fitting of models. We evaluate the performance of our framework using a real-life threat test dataset (CERT r4.2) and compare it to existing methods on the same dataset (Glasser and Lindauer 2013). Our initial evaluation demonstrates that our proposed framework achieves an accuracy of 98.48% in detecting insider threats, surpassing the performance of most of the existing methods. Additionally, our framework effectively handles potential bias and data imbalance issues that can arise in real-life scenarios.

telecommunications

Jiarong Wang,Junyi Liu,Tian Yan,Mingshan Xia,Jianshu Hong,Caiqiu Zhou

DOI: https://doi.org/10.3390/s22176471

IF: 3.9

2022-08-29

Sensors

Abstract:With the wide application of Internet of things (IoT) devices in enterprises, the traditional boundary defense mechanisms are difficult to satisfy the demands of the insider threats detection. IoT insider threat detection can be more challenging, since internal employees are born with the ability to escape the deployed information security mechanism, such as firewalls and endpoint protection. In order to detect internal attacks more accurately, we can analyze users' web browsing behaviors to identify abnormal users. The existing web browsing behavior anomaly detection methods ignore the dynamic change of the web browsing behavior of the target user and the behavior consistency of the target user in its peer group, which results in a complex modeling process, low system efficiency and low detection accuracy. Therefore, the paper respectively proposes the individual user behavior model and the peer-group behavior model to characterize the abnormal dynamic change of user browsing behavior and compare the mutual behavioral inconsistency among one peer-group. Furthermore, the fusion model is presented for insider threat detection which simultaneously considers individual behavioral abnormal dynamic changes and mutual behavioral dynamic inconsistency from peers. The experimental results show that the proposed fusion model can accurately detect insider threat based on the abnormal user web browsing behaviors in the enterprise networks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Bin Zhang,Xi Xiao,Weizhe Zhang,Arun Kumar Sangaiah,Ying Zhou,Xinyu Liu

DOI: https://doi.org/10.1002/ett.3858

IF: 3.6

2022-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:In-vehicle network is easy to be attacked by masquerade attackers because of the controller local area network, and there are many intrusion detection systems to solve this problem. However, the traditional methods consider the transition and frequent property, but they lose the information of the cooccurrence. In this article, a novel method based on cooccurrence matrixes is proposed, and it makes use of the cooccurrence property of the command stream, which is often ignored. There are two steps in the training process. First, a relatively large number of distinct shell commands are transformed into a smaller number of unique events by hierarchically merging shell commands. Second, considering the correlation property of audit data, the method constructs a partly normalized cooccurrence matrix to profile the valid user's normal behaviors. Although performing detection, the partly normalized cooccurrence matrixes of the current event sequences are generated. Then the distances between these matrixes and the profile matrix are calculated with sliding windows. Finally, distances are used to determine whether they are normal or not. Our method is evaluated against two standard masquerade detection datasets provided by T. Lane et al and M. Schonlau et al, respectively. The results indicate that the proposed method is promising in terms of detection accuracy, which is at least 10% higher than other four solutions, and the proposed method has fewer memory requirements, which saves at most 90% of the compared methods, and it can be conducted in parallel and is more suitable for real-time masquerade detection.

Xin Zan,Feng Gao,Jiuqiang Han,Yu Sun

DOI: https://doi.org/10.1109/mines.2009.277

2009-01-01

Abstract:Recently, several approaches for intrusion correlation and attack scenario analysis have been proposed. However, these approaches all focus on the flooding alert reduction or high-level alert correlation. In this paper, we study the problem of tracking and predicting of attack intentions. We use hidden markov models to represent the typical attack scenarios and design a complete framework named HMM-AIP composed of online tracking and prediction module and offline model training module. A novel and effective tracking and predicting attack intention algorithm is presented. We perform experiments to validate our algorithm and the results show that our approach can identify false alert and give the creditable prediction result when the alert observation sequence fits the typical attack scenarios nicely.

Bin Lv,Dan Wang,Yan Wang,Qiujian Lv,Dan Lu

DOI: https://doi.org/10.1007/978-3-319-94268-1_28

2018-01-01

Abstract:Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many people. A number of techniques have been proposed to detect insider threats by comparing behaviors among different individuals or by comparing the behaviors across different time periods of the same individual. However, both of them always fail to identify the certain kinds of inside threats due to the fact that the behaviors of insider threats are complex and diverse. To deal with this issue, this paper focuses on constructing a hybrid model to detect insider threats based on multi-dimensional features. First, an Across-Domain Anomaly Detection (ADAD) model is proposed to identify anomalous behaviors that deviate from the behaviors of their peers based on the isolation Forest algorithm. Second, an Across-Time Anomaly Detection (ATAD) model is proposed to measure the degree of unusual changes of a user's behavior based on an improved Markov model. What's more, we propose a hybrid model to integrate the evidence from the above two models ADAD and ATAD. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the 17-month data. The experimental results show that the ADAD and ATAD models are robust and the hybrid model can outperform the two separated models obviously.

xiaojun chen,jinqiao shi,rui xu,s m yiu,bingxing fang,fei xu

DOI: https://doi.org/10.1007/978-3-662-45670-5_22

2014-01-01

Abstract:It is relatively easier for an insider attacker to steal the password of a colleague or use an unattended machine (logged in by other users) within a trusted domain to launch an attack. A simple real-time authentication by password may not work if they have the password. By comparing the stored mouse behavioral profile of the valid user, the system automatically authenticates the user. However, long verification time in existing approaches based on mouse dynamics which mostly last dozens of minutes and probably make masquerader escaped from detection mechanism. In this paper, we proposed a system called PAITS (Practical Authentication with Identity Tracing System) to do reauthentication via comparison of mouse behavior under a short-lived interventional scenario. Mouse movements under the special scenario where the cursor is a bit out of control can capture the user's unconscious reaction, and then be used for behavioral comparison and detection of malicious masquerader. Our experiments on PAITS demonstrate best result with a FRR of 2.86% and a FAR of 3.23% under probability neural network with 71 features. That is a comparative result against the previous research results, but at the same time significantly shorten the verification time from dozens of minutes to five seconds.

Yuxin Ding,Ping Sun,Xiuyue Chen,Changan Liu

DOI: https://doi.org/10.2991/jcis.2008.121

2008-01-01

Abstract:Masqueraders invade into users'system and impersonate the real users to do whatever they want. Unfortunately, fire-walls or misuse-based intrusion detection systems are generally ineffective in detecting masquerades. In this paper an abnormal detection method based on one class SVM are presented to detect masquerade activities using UNIX command sets. Firstly the performance of binary SVM classifier are studied to illustrated why one class SVM are adopted, then to improve the performance of one class SVM different feature selection methods are studied, experimental results show that for abnormal detection using UNIX command simplifying raw data and decreasing the dimensions of feature space is an effective approach to improve the performance of SVM classifiers for masquerade detection.

Taolue Chen,Florian Kammüller,Ibrahim Nemli,Christian W. Probst

DOI: https://doi.org/10.1007/978-3-319-20376-8_16

2015-01-01

Abstract:Malicious insider threats are difficult to detect and to mitigate. Many approaches for explaining behaviour exist, but there is little work to relate them to formal approaches to insider threat detection. In this work we present a general formal framework to perform analysis for malicious insider threats, based on probabilistic modelling, verification, and synthesis techniques. The framework first identifies insiders' intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking.

李辉,蔡忠闽,韩崇昭,管晓宏

DOI: https://doi.org/10.3969/j.issn.1000-1220.2003.09.008

2003-01-01

Abstract:State of the art of the Intrusion Detection technology is investigated and a new IDS inference framework and prototype based on information fusion is proposed. The new framework is to solve the problems of existing IDS——high false positive rate and incapable of detection of coordinated attacks. The prototype employ Bayesian Network to do information fusion and goal-tree to analyze intensions of coordinated attacks and quantify the security risk of system. The prototype is more integral than existing IDS and easier to find coordinated attacks with lower false positive rate.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxp026

2009-01-01

The Computer Journal

Abstract:Intrusion detection/prevention systems (IDSs/IPSs) heavily rely on signature databases and pattern matching (PM) techniques to identify network attacks. The engines of such systems often employ traditional PM algorithms to search for telltale patterns in network flows. The observations that real-world network traffic is largely legitimate and that telltales manifested by exploits rarely appear in network streams lead us to the proposal of Fingerprinter. This framework integrates fingerprinting and PM methods to rapidly distinguish well-behaved from malicious traffic. Fingerprinter produces concise digests or fingerprints for attack signatures during its programming phase. In its querying phase, the framework quickly identifies attack-free connections by transforming input traffic into its fingerprint space and matching its digest against those of attack signatures. If the legitimacy of a stream cannot be determined by fingerprints alone, our framework uses the Boyer–Moore algorithm to ascertain whether attack signatures appear in the stream. To reduce false matches, we resort to multiple fingerprinting techniques including Bloom–Filter and Rabin–Fingerprint. Experimentation with a prototype and a variety of traces has helped us establish that Fingerprinter significantly accelerates the attack detection process.

Haipeng Yao,Qiyi Wang,Luyao Wang,Peiying Zhang,Maozhen Li,Yunjie Liu

DOI: https://doi.org/10.1007/s10766-017-0537-7

2017-01-01

International Journal of Parallel Programming

Abstract:With the dramatic opening-up of network, network security becomes a severe social problem with the rapid development of network technology. Intrusion Detection System (IDS) is an innovative and proactive network security technology, which becomes a hot topic in both industry and academia in recent years. There are four main characteristics of intrusion data that affect the performance of IDS including multicomponent, data imbalance, time-varying and unknown attacks. We propose a novel IDS framework called HMLD to address these issues, which is an exquisite designed framework based on Hybrid Multi-Level Data Mining. In this paper, we use KDDCUP99 dataset to evaluate the performance of HMLD. The experimental results show that HMLD can reach 96.70% accuracy which is nearly 1% higher than the recent proposed optimal algorithm SVM+ELM+Modified K-Means. In details, HMLD greatly increased the detection accuracy of DoS attacks and R2L attacks.