Insider Access Behavior
Team May 06
Brandon Reher, Jake Gionet, Steven Bromley, Jon McKee
Advisor: Dr. Tom Daniels
Client: The Boeing Company (contact: Dr. Nick Multari)
Problem Statement
Original Description
The goal of this project is to help students understand state-of-the-art techniques for identifying malicious insider behavior.
Our Scope
• Detect and identify users that are potentially leaking data to unknown outside sources.
• Research existing solutions and explain their advantages and disadvantages as they apply to the system.
Possible Solutions
Implemented solution: Log Parsing
• Systems generate logs for just about everything
• MySQL has the ability to log queries and/or "slow" queries
• Focus on MySQL logs
  o Connections
  o Database usage
  o Queries
Proposed solutions
• System Tainting: files and processes carry a contagious and traceable taint
• System Cloning: duplicate systems for comparison of system calls
• Border watching
• File watermarks
• User baiting
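As an added example (not code from the team's project, which was packaged as a Java jar), here is a Python parser for the MySQL general query log that pulls out exactly the three things the slide focuses on: connections, database usage ("Init DB") and queries, attributing every record to the user of its connection so that a per-user event sequence can later be profiled. The log excerpt is constructed, and the assumed layout is the MySQL 5.1/5.5 file format (timestamp, connection id, command, argument, with records in the same second omitting the timestamp); continuation lines of multi-line statements are skipped as a simplification.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One record of the MySQL general query log (assumed 5.1/5.5 file format).
# Records written in the same second omit the timestamp and start with whitespace.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*"
    r"(?P<cid>\d+)\s+"
    r"(?P<cmd>Connect|Init DB|Query|Quit)\s*"
    r"(?P<arg>.*)$"
)
# Argument of a Connect record: "user@host on dbname" (dbname may be empty).
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on ?(?P<db>\S*)")


@dataclass
class Event:
    time: Optional[datetime]   # None only if the log starts with a same-second record
    conn_id: int
    user: str                  # resolved from the Connect record of this connection
    kind: str                  # "connect", "use_db", "query" or "quit"
    detail: str                # database for connect/use_db, SQL verb for query, "" otherwise


def sql_verb(statement: str) -> str:
    """Reduce a statement to its leading keyword (SELECT, INSERT, ...) for profiling."""
    first = statement.strip().split(None, 1)
    return first[0].upper() if first else ""


def parse_general_log(text: str) -> List[Event]:
    """Turn general-log text into Events; banner, column header and blank lines are ignored."""
    events: List[Event] = []
    users: Dict[int, str] = {}            # live connection id -> user@host
    current_time: Optional[datetime] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        if m.group("ts"):
            current_time = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
        cid = int(m.group("cid"))
        cmd, arg = m.group("cmd"), m.group("arg").rstrip()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            user = f"{c.group('user')}@{c.group('host')}" if c else arg
            users[cid] = user
            events.append(Event(current_time, cid, user, "connect", c.group("db") if c else ""))
        elif cmd == "Init DB":
            events.append(Event(current_time, cid, users.get(cid, "?"), "use_db", arg))
        elif cmd == "Query":
            events.append(Event(current_time, cid, users.get(cid, "?"), "query", sql_verb(arg)))
        else:  # Quit closes the connection, so forget its user mapping
            events.append(Event(current_time, cid, users.pop(cid, "?"), "quit", ""))
    return events


def per_user_sequences(events: List[Event]) -> Dict[str, List[str]]:
    """Group events into one ordered symbol list per user, e.g. ["connect:forum", "query:SELECT", "quit"]."""
    seqs: Dict[str, List[str]] = {}
    for e in events:
        seqs.setdefault(e.user, []).append(f"{e.kind}:{e.detail}" if e.detail else e.kind)
    return seqs


# Constructed excerpt in the assumed general-log layout (tabs separate the columns).
SAMPLE_LOG = "\n".join([
    "/usr/sbin/mysqld, Version: 5.5.x-log (MySQL Community Server (GPL)). started with:",
    "Tcp port: 3306  Unix socket: /var/lib/mysql/mysql.sock",
    "Time                 Id Command    Argument",
    "110512 10:24:03\t    3 Connect\talice@webhost on forum",
    "\t\t    3 Query\tSELECT * FROM posts WHERE thread_id = 42",
    "110512 10:24:05\t    3 Query\tINSERT INTO posts (thread_id, body) VALUES (42, 'reply')",
    "110512 10:24:09\t    4 Connect\tbob@webhost on",
    "\t\t    4 Init DB\tforum",
    "\t\t    4 Query\tSELECT COUNT(*) FROM users",
    "110512 10:24:10\t    3 Quit\t",
    "\t\t    4 Quit\t",
])

if __name__ == "__main__":
    for user, seq in per_user_sequences(parse_general_log(SAMPLE_LOG)).items():
        print(user, "->", " ".join(seq))
```

The symbols produced by per_user_sequences (event kind plus the database or SQL verb) are deliberately coarse: a profile built on them captures the shape of a user's sessions without storing query text, which is what a Markov chain over event types needs.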
Markov Implementation
• The Markov implementation uses time slices from the profile to create Markov chains.
• For each new event processed, a Markov chain is constructed and the resulting value is compared against the profile's chain.
• If the probability of a series of events falls below an improbability threshold, an alert is raised.
Functional Requirements
• Shall make use of pre-existing technologies
• Shall take input from a variety of sources and systems
• Shall correlate and filter relevant data
• Shall alert when malicious activity is discovered
• Shall have a system to provide notifications on alerts
• Shall contain an algorithm that decides whether an attack is being committed
Non-functional Requirements
• Shall have a low false-positive rate
• Shall be inconspicuous to the malicious user
• Shall provide alerts in a timely manner
• Shall abide by all licenses of open source software utilized
Technical Constraints & Considerations
• The software shall be scalable to a large network
• The software shall alert within a reasonable amount of time
Software Platform
Operating Systems
• Red Hat Enterprise Linux - Version 6.0
• NetBSD - Version 2.6.0
Supporting Software
• MySQL
• Apache Web Server
• PHP
• Syslogd
Application Software
• Java Runtime Environment Version 6 Update 24. The Java Runtime Environment allows our application to live on any platform that supports Java.
Hardware Platform
Application Servers
• These servers house the various applications that are to be monitored for unusual behavior.
Log Storage Server
• The log storage server is used as a central repository to hold all the logs from the servers that are being monitored.
• Network configurations allow the server to remain inconspicuous to users accessing the application servers.
Profiling Algorithm Server
• This server retrieves logs from the log storage server to be parsed by the profiling algorithm.
Functional Modules
Profile
• Stores the learned information of user activity.
• Provides the expected actions over two time slices to the Decision Algorithm.
Log Parser
• Parses incoming logs as they arrive.
• Creates an event based on the content of the log.
Decision Algorithm
• Determines if unusual activity is occurring.
• Makes decisions based on the current event and the time slices from the profile.
System Usage
• Initially, log files must be sent to a central location that is passed to the algorithm at the start.
  o This is left to the administrator to configure.
• The algorithm is packaged and executed as part of a jar file.
• The algorithm is run in the background.
User Interface
The system interfaces with the user by:
• Allowing the administrator to launch the program via the command line.
• Alerting the administrator upon detection of malicious activity.
Testing
• Needed to incorporate profile generation as well as testing of the alert algorithm.
• Accomplished by simulating user traffic on an online forum, which generates logged information in the MySQL database.
• The forum software follows a pattern, which makes for a predictable profile.
• Breaking from the set profile indicates tampering in the system; the system should raise an alert.
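The following Python is an added example, not the team's Java implementation, that puts the Markov Implementation, Functional Modules and Testing slides together: a Profile holding one first-order Markov chain (transition counts) per time slice, a Decision Algorithm that scores the most recent series of a user's events against the chain for the current slice and alerts when the log-probability falls below a threshold, and constructed sessions standing in for the simulated forum traffic (a regular pattern, then a deviation from it). The event symbols, the "day"/"night" slicing, the Laplace smoothing, the window of four transitions and the threshold of -5.0 are all assumptions of this example; the page states none of them.

```python
from collections import Counter
from math import log
from typing import Dict, List, Tuple

START = "<start>"   # virtual symbol that precedes the first event of every session


class Profile:
    """Learned user activity: one first-order Markov chain (transition counts) per time slice."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha                                  # Laplace smoothing weight (assumed)
        self.counts: Dict[str, Dict[str, Counter]] = {}     # slice -> prev event -> Counter(next event)
        self.symbols = set()                                # every event type seen during training

    def learn(self, time_slice: str, session: List[str]) -> None:
        rows = self.counts.setdefault(time_slice, {})
        prev = START
        for sym in session:
            rows.setdefault(prev, Counter())[sym] += 1
            self.symbols.add(sym)
            prev = sym

    def transition_prob(self, time_slice: str, prev: str, nxt: str) -> float:
        """Smoothed P(next | prev) within a slice; never 0, so never-seen events remain scoreable."""
        row = self.counts.get(time_slice, {}).get(prev, Counter())
        total = sum(row.values())
        vocab = len(self.symbols) + 1                       # +1 reserves mass for unseen symbols
        return (row[nxt] + self.alpha) / (total + self.alpha * vocab)

    def expected_next(self, time_slice: str, prev: str, n: int = 2) -> List[str]:
        """The actions the profile expects after `prev`, as handed to the decision algorithm."""
        row = self.counts.get(time_slice, {}).get(prev, Counter())
        return [sym for sym, _ in row.most_common(n)]


class DecisionAlgorithm:
    """Scores the last `window` transitions of a user's session; alerts when below `threshold`.

    With window=4 and threshold=-5.0 an alert means the recent transitions averaged
    a probability under about e**-1.25, roughly 0.29, in the profile's chain for that slice.
    """

    def __init__(self, profile: Profile, window: int = 4, threshold: float = -5.0):
        self.profile, self.window, self.threshold = profile, window, threshold
        self.history: Dict[str, List[str]] = {}             # user -> events seen so far

    def process(self, user: str, time_slice: str, event: str) -> Tuple[float, bool]:
        hist = self.history.setdefault(user, [])
        hist.append(event)
        chain = [START] + hist
        recent = list(zip(chain, chain[1:]))[-self.window:]
        score = sum(log(self.profile.transition_prob(time_slice, p, n)) for p, n in recent)
        return score, score < self.threshold


def time_slice_for(hour: int) -> str:
    """Assumed slicing: office hours versus everything else."""
    return "day" if 8 <= hour < 18 else "night"


def build_training_profile() -> Profile:
    """Constructed baseline in place of simulated forum traffic: 20 daytime sessions, 2 at night."""
    prof = Profile()
    for _ in range(20):
        prof.learn("day", ["connect:forum", "query:SELECT", "query:SELECT", "query:INSERT", "quit"])
    for _ in range(2):
        prof.learn("night", ["connect:forum", "query:SELECT", "quit"])
    return prof


def score_session(profile: Profile, user: str, time_slice: str, events: List[str],
                  window: int = 4, threshold: float = -5.0) -> List[Tuple[float, bool]]:
    """Feed a session one event at a time; returns (log-probability of recent series, alert) per event."""
    decider = DecisionAlgorithm(profile, window, threshold)
    return [decider.process(user, time_slice, e) for e in events]


# Constructed sessions: the forum's usual pattern, and a deviation the profile has never seen
# (the application's account switching to another database and enumerating it).
NORMAL_SESSION = ["connect:forum", "query:SELECT", "query:SELECT", "query:INSERT", "quit"]
SUSPICIOUS_SESSION = ["connect:forum", "use_db:mysql", "query:SHOW", "query:SELECT", "query:SELECT"]

if __name__ == "__main__":
    prof = build_training_profile()
    for label, hour, session in [("normal", 10, NORMAL_SESSION), ("deviating", 2, SUSPICIOUS_SESSION)]:
        slot = time_slice_for(hour)
        for event, (score, alert) in zip(session, score_session(prof, "alice@webhost", slot, session)):
            print(f"{label:10} {slot:6} {event:16} {score:7.2f} {'ALERT' if alert else ''}")
```

Because the chain is keyed by time slice, the same familiar session replayed in a slice where the user is rarely active also scores low and can trip the threshold; whether that is a desired alert or a false positive is a tuning question the non-functional requirements (low false-positive rate, timely alerts) leave to the threshold and window choices.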
Cost Analysis
Item                        Team Hours   Without Labor   With Labor
Research                    180          0               $3,600
Dell PowerEdge T410 (x8)    10           $6,392          $6,592
Red Hat OS                  10           $350            $550
NetBSD OS                   7            0               $140
Apache Install              3            0               $60
MySQL Install               7            0               $140
PHP Install                 3            0               $60
Algorithm Development       300          N/A             $6,000
Totals                      520          $6,742          $17,142