"The U.S. military is very concerned about security these days," added Olds. "The Bradley Manning leaks highlighted the massive damage that even a lowly Pfc can wreak if given access to a poorly secured IT infrastructure. The Snowden and Manning leaks have had a very severe impact on U.S. intelligence activities, disclosing not only the information gathered, but also showing the sources and methods used to get US intelligence data."
He also said insider-based attacks may not get as much media attention as most hacks, but they can potentially cause much greater damage, since the attacker at least knows where the keys to the castle are hidden. And if that attacker works in IT, he or she might even have the keys.
"Insider threats are many times the most devastating, as they are the least expected," said Patrick Moorhead, an analyst with Moor Insights & Strategy. "Companies spend most of their security time and money guarding against external threats.... So that sometimes leaves the inside exposed."
To combat this, Yao is combining big data, analytics and security to design algorithms that focus on linking human activities with network actions.
Typical computer systems monitor things like network traffic, file system events and email activities. They also focus on looking for specific warning signs, like someone uploading large amounts of data. The problem with that is that if someone knows what the warning signs are, they can easily adjust their actions -- uploading data in smaller increments, for instance -- to avoid detection.
Yao is taking a different approach; her algorithms focus on learning what normal activity looks like and then detecting anything unusual.
"We build on a model of normal behaviors and then detect a deviation from normal behaviors," she explained. "If you see a user logging in and accessing a database or doing a file read or write in the middle of the night..., then you ask, 'Is this a legitimate sequence of actions or is this an anomaly?'"
She also said part of the idea behind her detection system is to corroborate the user's actions with what's happening on the network.
If, for instance, a military team is on a reconnaissance mission, then it makes sense that they would be accessing maps from a backend server and pulling various data off the network.
It's largely about putting network actions into context.
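The contrast the article draws, as an added example that is not from the article or from Yao's work: a fixed "large upload" rule beside a per-user baseline of normal hours and daily volume, run over constructed audit events (the users, timestamps and byte counts are made up).

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit events, (user, ISO timestamp, action, bytes_out); not real data.
BASELINE = [
    ("alice", "2014-03-03T09:12:00", "login", 0),
    ("alice", "2014-03-03T10:05:00", "db_read", 4_000_000),
    ("alice", "2014-03-03T14:30:00", "file_write", 1_000_000),
    ("alice", "2014-03-04T09:40:00", "login", 0),
    ("alice", "2014-03-04T10:20:00", "db_read", 5_000_000),
]
TODAY = [
    ("alice", "2014-03-05T02:15:00", "db_read", 1_000_000),  # middle of the night
    ("alice", "2014-03-05T10:00:00", "upload", 9_000_000),   # each chunk stays
    ("alice", "2014-03-05T10:01:00", "upload", 9_000_000),   # under the 10 MB
    ("alice", "2014-03-05T10:02:00", "upload", 9_000_000),   # threshold rule
]

def build_profile(events):
    """Per user: the hours they are normally active and their largest normal daily volume."""
    hours, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for user, ts, _action, nbytes in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        daily[user][t.date()] += nbytes
    return {u: {"hours": hours[u], "max_daily": max(daily[u].values())} for u in hours}

def threshold_alerts(events, limit=10_000_000):
    """The single-event 'large upload' rule that chunked uploads slip past."""
    return [(u, ts) for u, ts, _a, n in events if n > limit]

def baseline_alerts(events, profile, slack=2.0):
    """Flag activity outside a user's usual hours, or a day's total volume well above their norm."""
    alerts, running, flagged = [], defaultdict(int), set()
    for user, ts, action, nbytes in events:
        t = datetime.fromisoformat(ts)
        p = profile.get(user)
        if p is None:
            alerts.append((user, ts, "no baseline for user"))
            continue
        if t.hour not in p["hours"]:
            alerts.append((user, ts, f"{action} at unusual hour"))
        key = (user, t.date())
        running[key] += nbytes  # cumulative volume, so chunking does not help
        if running[key] > slack * p["max_daily"] and key not in flagged:
            flagged.add(key)
            alerts.append((user, ts, "daily volume exceeds baseline"))
    return alerts
```

On the constructed data the threshold rule raises nothing, while the baseline flags the 02:15 database read and the day's cumulative upload volume once it passes twice the user's normal maximum.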