
Outlines

Enhanced Insider Threat Detection Model that Increases Data Availability. Qussai Yaseen & Brajendra Panda. Introduction. The Threat of Knowledgebase. The Importance of the Life Time of Data Items. The Importance of Organizing Access Privileges. Example Scenario.





Presentation Transcript


  1. Enhanced Insider Threat Detection Model that Increases Data Availability. Qussai Yaseen & Brajendra Panda

  2. Outlines: Introduction. The Threat of Knowledgebase. The Importance of the Life Time of Data Items. The Importance of Organizing Access Privileges. Example Scenario. Limitations and Possible Solutions. Conclusion.

  3. Introduction: Insider threat is the threat caused by a malicious insider. An insider is a person who has authorized access privileges, knows the relational database system he/she uses, is familiar with the dependencies between data items as well as the constraints, and is motivated to violate the security policy of the system through authorized access. According to the FBI Computer Crime Survey, trusted insiders are responsible for 52% of all security breaches.

  4. Knowledgebase is Risky: The history of data accesses by insiders, when combined with current data access requests, may pose a serious threat. Ignoring the knowledgebase of insiders is risky. Ignoring the lifetime of data items in the knowledgebase reduces availability and limits the jobs of insiders.

  5. Data items lifetime: Updating the values of data items does not always make their lifetimes expire. Given the dependency (A → B), the lifetime of the data item A expires when it is updated to a value such that, if an insider uses the old value of A to infer information about B, his/her inference will be incorrect.

  6. (cont.) In a strong dependency (A → B), updating the value of A always makes it expire, e.g. Rank → Salary. In a weak dependency (A → B), updating the value of A may or may not make it expire, e.g. Score → Grade.

  7. Organizing Access Privileges: Data items may expire when updated. A task of an insider may consist of several operations and may need access to different data items. Different orders of access impose different levels of risk.

  8. Example. Figure 1. A sequence of operations to perform a task (diagram: the requests plan over data items A, B, D, K, M, Q, S, X, Y and Z, with the insider's knowledgebase containing L).

  9. (cont.) Combining L with the data item Z poses a threat, which is indicated by the sensitive data item S. To prevent this threat, the insider should not get read access to Z until the lifetime of L expires. The insider may get access to X and Y to work on A first, before he gets access to Z. The lifetime of L expires by giving other insiders who want to modify L write access on it.

  10. Maximizing the availability (diagram: requests plan over data items A, F, M, R, S, X, Y and Z, with K's knowledgebase containing P). Risky data items in an insider's knowledgebase may prevent him/her from getting access to some data items. E.g., the system may deny the access of an insider, say A, to Z since he/she can use it with P to infer S. Solution: enable another insider in the system, say B, to update P (making it expire) before granting Z to A.

  11. Example Scenario

  12. (cont.) Assume that there are two insiders who are currently working in parallel, where the task of the first insider (Insider1) is as follows:
  • Query 1: Retrieve the name and the rank of all computer science professors.
  • Query 2: Retrieve the experience in the rank for the professor Jiff.
  • Query 3: Retrieve the Base_Salary of all associate professors.
  The second insider (Insider2) has the following task:
  • Query 4: Promote Jiff to the Full Professor position.

  13. (cont.) Assume that the data items (Name, Rank), (Rank, Base_Salary) and (Name, Experience_in_the_Rank) are not sensitive information, while the data items (Name, Base_Salary) and (Name, Salary) are sensitive information. Suppose that the database has the functional dependency {Rank → Base_Salary}. In addition, suppose that the salary of an academic staff member is computed using the formula: Salary = Base_Salary + 200 * Experience.

  14. (cont.) The sequence <Query1, Query2, Query3, Query4> poses a threat. How?
  • When executing the first two queries, Insider1 gets the following information: (<James, Assistant Prof>, <Jiff, Associate Prof>, <Jiff, 5>).
  • Using the third query, Insider1 gets the information (<Associate Prof, 120K>).
  • Insider1 can combine this result with the results of the first two queries to obtain the unauthorized information <Jiff, 120K>, which is a threat.

  15. (cont.) The sequence <Query1, Query2, Query4, Query3> does not pose any threat. How?
  • When Query4 is executed before Query3, Insider2 changes the Rank of "Jiff" to Full Professor.
  • After executing Query3, inferring the Salary of "Jiff" by Insider1 would be incorrect, since "Jiff" is no longer an associate professor.

  16. Choosing the Sequence with the Lowest Risk. Safe sequence: a sequence of operations that, when executed in that order, does not reveal any sensitive information, either with or without the data in the corresponding insiders' knowledgebase. Acceptable sequence: a sequence that reveals insignificant sensitive information to the insider under consideration, where the exposed information does not pose any intolerable threat to the system.

  17. (cont.) To choose a safe or an acceptable sequence:
  • The risk of each request is computed. Let C be the set of sensitive data items that may be revealed partially or fully; formally, C = {S | (R, K) → S, where Sensitivity(S) > Threshold(I, S)}, and Risk(R_j) = Max(Sensitivity(d_i) − Threshold(I, d_i)), where d_i ∈ C. (R is the request, K the insider's knowledgebase and I the insider.)
  • Next, the risk of the entire sequence of requests for an insider is computed as the sum of the risks of all requests the sequence contains.
  • Finally, the sequence with the lowest acceptable risk is granted.
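The following is an added worked example (not part of the slides) that runs the two-insider scenario of slides 12 to 15 through the risk metric of slide 17. Only the four queries, the dependency Rank → Base_Salary and the salary formula come from the slides; the table contents, the sensitivity and threshold values, and the assumption that experience in rank restarts at zero on promotion are constructed for illustration. A fact's lifetime is modelled exactly as slide 5 defines it: an inference drawn from the knowledgebase counts as revealed only while the live database still agrees with it.

```python
"""Simulate insider knowledgebases and pick the lowest-risk interleaving.

Constructed example: database rows, Sensitivity() and Threshold() values
are illustrative assumptions, not values from the slides.
"""
from itertools import permutations


def fresh_db():
    """Constructed sample tables (slides name only Jiff and James)."""
    return {
        "professor": {"James": {"rank": "Assistant Prof", "exp": 2},
                      "Jiff": {"rank": "Associate Prof", "exp": 5}},
        # Functional dependency Rank -> Base_Salary (slide 13).
        "base_salary": {"Assistant Prof": 90_000,
                        "Associate Prof": 120_000,
                        "Full Prof": 150_000},
    }


# Sensitive data items with constructed scores on a 0..100 scale.
SENSITIVITY = {("Name", "Base_Salary"): 90, ("Name", "Salary"): 100}
THRESHOLD = {(who, item): t
             for who in ("Insider1", "Insider2")
             for item, t in ((("Name", "Base_Salary"), 40),
                             (("Name", "Salary"), 30))}


def q1(db, kb):  # name and rank of every professor
    for name, row in db["professor"].items():
        kb["rank"][name] = row["rank"]


def q2(db, kb):  # Jiff's experience in the current rank
    kb["exp"]["Jiff"] = db["professor"]["Jiff"]["exp"]


def q3(db, kb):  # Base_Salary of associate professors
    kb["base_salary"]["Associate Prof"] = db["base_salary"]["Associate Prof"]


def q4(db, kb):  # promote Jiff; a write, nothing enters Insider2's KB
    db["professor"]["Jiff"] = {"rank": "Full Prof", "exp": 0}  # assumption


REQUESTS = {"Q1": ("Insider1", q1), "Q2": ("Insider1", q2),
            "Q3": ("Insider1", q3), "Q4": ("Insider2", q4)}


def empty_kb():
    return {"rank": {}, "exp": {}, "base_salary": {}}


def inferences(db, kb):
    """Sensitive items the insider can infer *correctly* from its KB now.

    If the live database no longer agrees with the stored fact, the fact's
    lifetime has expired (slide 5) and the inference is not counted.
    """
    revealed = set()
    for name, rank in kb["rank"].items():
        if rank not in kb["base_salary"]:
            continue
        live = db["professor"][name]
        inferred_base = kb["base_salary"][rank]
        true_base = db["base_salary"][live["rank"]]
        if inferred_base == true_base:
            revealed.add(("Name", "Base_Salary"))
            if name in kb["exp"]:
                inferred_salary = inferred_base + 200 * kb["exp"][name]
                if inferred_salary == true_base + 200 * live["exp"]:
                    revealed.add(("Name", "Salary"))
    return revealed


def sequence_risk(order):
    """Execute requests in `order`; return (total risk, per-request risks).

    Risk(R_j) = max(Sensitivity(d) - Threshold(I, d)) over the newly revealed
    items d with Sensitivity(d) > Threshold(I, d); 0 if nothing is revealed.
    """
    db, kbs, counted, per_request = fresh_db(), {}, {}, []
    for rid in order:
        insider, op = REQUESTS[rid]
        kb = kbs.setdefault(insider, empty_kb())
        op(db, kb)
        now = inferences(db, kb)
        new = now - counted.setdefault(insider, set())
        c = {d for d in new if SENSITIVITY[d] > THRESHOLD[(insider, d)]}
        counted[insider] |= now
        per_request.append(max((SENSITIVITY[d] - THRESHOLD[(insider, d)]
                                for d in c), default=0))
    return sum(per_request), per_request


def lowest_risk_sequence(tasks):
    """tasks: {insider: [request ids in task order]}.

    Try every interleaving that keeps each insider's own operations in order
    and return (order, total risk) of the cheapest one (slide 17, last step).
    """
    all_ids = [rid for ids in tasks.values() for rid in ids]
    best = None
    for order in permutations(all_ids):
        if all(tuple(r for r in order if r in ids) == tuple(ids)
               for ids in tasks.values()):
            total, _ = sequence_risk(order)
            if best is None or total < best[1]:
                best = (order, total)
    return best


if __name__ == "__main__":
    print(sequence_risk(("Q1", "Q2", "Q3", "Q4")))  # threat: risk at Q3
    print(sequence_risk(("Q1", "Q2", "Q4", "Q3")))  # Jiff's rank expired
    print(lowest_risk_sequence({"Insider1": ["Q1", "Q2", "Q3"],
                                "Insider2": ["Q4"]}))
```

In the threatening order the risk appears at Query3, when Insider1's knowledgebase first lets it infer Jiff's base salary and salary correctly; executing Query4 first leaves Insider1 holding a stale rank for Jiff, so the same inference is wrong and contributes no risk, which is what the scheduler exploits when it picks the interleaving with the lowest total.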

  18. Limitations and Possible Solutions: The proposed approach is applicable when tasks are executed as a batch of transactions.
  • Sometimes there may be no available insiders' requests that can be used to make the lifetime of risky data items expire.
  • Two solutions can be used:
  • First, delay the granting of risky accesses until such requests come in. This approach may reduce system performance.

  19. (cont.) Incorrect values. Second, grant the insider an incorrect value of the data item and correct the results later based on the correct value of the data item.
  • The incorrect value should satisfy two conditions:
  • It should not be very different from the correct value; otherwise this would affect the insider's trust in the system, if the insider has a guess about the range of the value.
  • Using the value, the user should not be able to make a correct estimate of the sensitive data item.

  20. Conclusion: The knowledgebases of insiders can be used to reveal sensitive information. Organizing insiders' access requests can reduce the threat to its minimum level and increase the availability of data items. Limitations of the approach, as well as possible solutions, have been stated.

  21. Questions?
