Insider Access Behavior

Team May 06

Brandon Reher, Jake Gionet, Steven Bromley, Jon McKee

Advisor: Dr. Tom Daniels
Client: The Boeing Company
Contact: Dr. Nick Multari


Problem Statement

Original Description

    The goal of this project is to help students understand state-of-the-art techniques for identifying malicious insider behavior.

Our Scope

    Detect and identify users that are potentially leaking data to unknown outside sources. Research existing solutions and explain their advantages and disadvantages as they apply to the system.

Possible Solutions

Implemented solution: Log Parsing
• Systems generate logs for just about everything
• MySQL can log every statement it executes (the general query log) and/or only statements that exceed a time limit (the slow query log)
• Focus on MySQL logs
    o Connections
    o Database usage
    o Queries

Proposed solutions
    System Tainting
        o Files and processes carry a contagious and traceable taint
    System Cloning
        o Duplicate systems for comparison of system calls
    Border watching
    File watermarks
    User baiting
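The log-parsing approach above, worked through as an added example rather than the team's own Java code: a Python parser for MySQL's general query log, which MySQL 5.1 and later write when the general_log system variable is enabled (the slow query log is a separate file with its own format and only records statements that exceed long_query_time). The sample log is constructed; its layout follows the MySQL 5.x general log, where a line whose timestamp repeats the previous line's is written with the timestamp left blank, followed by the connection id, the command name and the argument. Queries are reduced to "verb and table" so that a profile sees database usage (read posts, write posts, read users) rather than every distinct statement text.

```python
"""Parse MySQL general query log lines into events for a behaviour profiler.

Added example, not the team's code. Lines follow the MySQL 5.x general log
layout: an optional 'YYMMDD HH:MM:SS' timestamp (left blank when it repeats
the previous line's), a tab, the right-aligned connection id, the command
name and, after another tab, the argument. SAMPLE_LOG is constructed.
"""
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time conn_id kind detail")

SAMPLE_LOG = (
    "Time                 Id Command    Argument\n"
    "110314 10:21:45\t    3 Connect\tforum@localhost on forum\n"
    "110314 10:21:45\t    3 Query\tSELECT * FROM posts WHERE thread_id = 7\n"
    "\t\t    3 Query\tINSERT INTO posts (thread_id, body) VALUES (7, 'hi')\n"
    "110314 10:21:46\t    3 Quit\t\n"
    "110314 10:22:03\t    4 Connect\tforum@localhost on forum\n"
    "110314 10:22:03\t    4 Query\tSELECT username, password_hash FROM users\n"
    "\t\t    4 Query\tSELECT username, password_hash FROM users LIMIT 1000, 1000\n"
    "110314 10:22:09\t    4 Quit\t\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{6} {1,2}\d{1,2}:\d{2}:\d{2})?\t+ *(?P<id>\d+) "
    r"(?P<cmd>[A-Za-z ]+?)(?:\t(?P<arg>.*))?$"
)
# Connect argument: 'user@host on db' (newer servers may insert 'as <user>').
CONNECT_RE = re.compile(r"(\S+)@(\S+)\s+(?:as\s+\S+\s+)?on\s+(\S*)")
# Where each statement type names the table it touches.
TABLE_RE = {
    "SELECT": re.compile(r"\bFROM\s+`?(\w+)`?", re.I),
    "DELETE": re.compile(r"\bFROM\s+`?(\w+)`?", re.I),
    "INSERT": re.compile(r"\bINTO\s+`?(\w+)`?", re.I),
    "REPLACE": re.compile(r"\bINTO\s+`?(\w+)`?", re.I),
    "UPDATE": re.compile(r"^\s*UPDATE\s+`?(\w+)`?", re.I),
}


def classify_query(sql):
    """Reduce a statement to an event type 'Query:<VERB>:<table>' so the
    profiler sees 'read posts' rather than every distinct WHERE clause."""
    words = sql.split(None, 1)
    if not words:
        return "Query:EMPTY:-"
    verb = words[0].upper()
    rx = TABLE_RE.get(verb)
    m = rx.search(sql) if rx else None
    table = m.group(1).lower() if m else "-"
    return "Query:%s:%s" % (verb, table)


def parse_general_log(text):
    """Turn raw general-log text into chronological Event records.

    Header lines and anything not matching the line layout are skipped;
    continuation lines inherit the last timestamp seen."""
    events, last_ts = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("ts"):
            last_ts = datetime.strptime(" ".join(m.group("ts").split()),
                                        "%y%m%d %H:%M:%S")
        if last_ts is None:
            continue  # cannot place an event in time without a timestamp
        cmd, arg = m.group("cmd"), m.group("arg") or ""
        kind = classify_query(arg) if cmd == "Query" else cmd  # Connect, Quit, Init DB, ...
        events.append(Event(last_ts, int(m.group("id")), kind, arg.strip()))
    return events


def summarize_connections(events):
    """Per-connection view: who connected, to which database, and how many
    statements they ran (the connections / database usage / queries focus)."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev.conn_id, {"user": None, "db": None, "queries": 0})
        if ev.kind == "Connect":
            m = CONNECT_RE.search(ev.detail)
            if m:
                s["user"], s["db"] = m.group(1), m.group(3)
        elif ev.kind.startswith("Query:"):
            s["queries"] += 1
    return summary


if __name__ == "__main__":
    for ev in parse_general_log(SAMPLE_LOG):
        print(ev.time, ev.conn_id, ev.kind)
    print(summarize_connections(parse_general_log(SAMPLE_LOG)))
```

Event kinds such as Connect, Query:SELECT:posts and Quit are what a profile then learns sequences over; in the constructed sample, connection 4 reading the users table twice is the kind of usage the forum traffic in the profile would never contain.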

Markov Implementation

The Markov implementation uses time slices from the profile to create Markov chains.

For each new event processed, the series of recent events is extended and its probability is evaluated against the chain.

If the probability of a series of events falls below an improbability threshold, an alert is raised.
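The profile and decision steps above, as an added example that is not the team's implementation: a first-order Markov chain learned per time slice of the day from simulated forum traffic, and a sliding-window decision rule that raises an alert when the log-probability of the last five transitions drops below a threshold. Event types are strings in the form a log parser would emit (Connect, Query:SELECT:posts, Quit); the training traffic, the 60-minute slices, the threshold of -7.0 and the three scored scenarios are all constructed assumptions, and scoring against only the slice the newest event falls in is a simplification of the design's two-slice lookup. Laplace smoothing keeps an unseen transition improbable rather than impossible, which is what lets one unfamiliar query pass while a run of them trips the alert; it also means activity in an hour the profile never saw scores at the smoothing floor and alerts once the window fills, which is the wanted behaviour for off-hours access but is worth keeping in mind when judging the false-positive rate.

```python
"""Markov-chain profile and decision algorithm over parsed log events.

Added example, not the team's code. Each event is a (datetime, event type)
pair such as a log parser would produce; the forum traffic used to build the
profile and the sequences scored against it are constructed. The profile
keeps one first-order Markov chain per time slice of the day; the decision
algorithm scores the most recent events under the chain of the slice the
newest event falls in (assumption: a simplification of the two-slice design).
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

START = "<start>"   # pseudo-event preceding the first event of a sequence


class Profile:
    """Learned user activity: transition counts per time slice."""

    def __init__(self, slice_minutes=60):
        self.slice_minutes = slice_minutes
        # slice -> previous event -> next event -> count
        self.counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
        self.vocab = set()

    def slice_of(self, ts):
        return (ts.hour * 60 + ts.minute) // self.slice_minutes

    def learn(self, events):
        """Consume chronological (datetime, event_type) pairs."""
        prev = START
        for ts, ev in events:
            self.vocab.add(ev)
            self.counts[self.slice_of(ts)][prev][ev] += 1
            prev = ev

    def transition_prob(self, slice_idx, prev, nxt):
        """Laplace-smoothed P(nxt | prev) within a slice: an unseen transition
        is improbable but never zero, so one new event cannot dominate."""
        row = self.counts[slice_idx][prev]
        return (row.get(nxt, 0) + 1) / (sum(row.values()) + len(self.vocab) + 1)


class DecisionAlgorithm:
    """Slides a window over incoming events and alerts when the window's
    probability under the profile drops below a threshold."""

    def __init__(self, profile, window=5, threshold=-7.0):
        self.profile = profile
        self.window = window            # number of transitions scored
        self.threshold = threshold      # natural-log probability floor (assumed)
        self.recent = [START]

    def window_logprob(self, slice_idx):
        lp = 0.0
        for prev, nxt in zip(self.recent, self.recent[1:]):
            lp += math.log(self.profile.transition_prob(slice_idx, prev, nxt))
        return lp

    def process(self, ts, ev):
        """Feed one event; return (log probability of the window, alert flag)."""
        self.recent = (self.recent + [ev])[-(self.window + 1):]
        lp = self.window_logprob(self.profile.slice_of(ts))
        return lp, lp < self.threshold


def simulated_forum_traffic(start, cycles, step=timedelta(seconds=15)):
    """Constructed stand-in for the forum traffic used in testing: connect,
    read the posts table, write a post, disconnect, repeated regularly."""
    cycle = ["Connect", "Query:SELECT:posts", "Query:INSERT:posts", "Quit"]
    events, t = [], start
    for _ in range(cycles):
        for ev in cycle:
            events.append((t, ev))
            t += step
    return events


def run_detector(profile, events, **kw):
    """Score a chronological event list; returns (event, logprob, alert)."""
    decider = DecisionAlgorithm(profile, **kw)
    return [(ev,) + decider.process(ts, ev) for ts, ev in events]


def build_profile():
    profile = Profile()
    profile.learn(simulated_forum_traffic(datetime(2011, 3, 14, 10, 0), 20))
    return profile


# Scenarios (constructed): the learned pattern, the same user walking the
# users table instead of posting, and the learned pattern at 03:00 when the
# profile holds nothing for that hour.
NORMAL = simulated_forum_traffic(datetime(2011, 3, 14, 10, 30), 1)
EXFIL_START = datetime(2011, 3, 14, 10, 31)
EXFIL = [(EXFIL_START + timedelta(seconds=15 * i), ev) for i, ev in enumerate(
    ["Connect", "Query:SELECT:users", "Query:SELECT:users",
     "Query:SELECT:users", "Quit"])]
OFF_HOURS = simulated_forum_traffic(datetime(2011, 3, 14, 3, 0), 2)

if __name__ == "__main__":
    profile = build_profile()
    for name, seq in (("normal", NORMAL), ("exfil", EXFIL), ("off-hours", OFF_HOURS)):
        for ev, lp, alert in run_detector(profile, seq):
            print("%-10s %-22s %7.2f %s" % (name, ev, lp, "ALERT" if alert else ""))
```

Running the block prints the window score after every event: the learned cycle stays near -1.6, the second unfamiliar users-table read scores about -5.9 and passes, the third crosses -7.0 and alerts, and the 03:00 traffic alerts on its fifth event because every transition there sits at the smoothing floor. The threshold and window size are the knobs that trade detection delay against the false-positive rate the requirements call for.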

Conceptual Sketch

Functional Requirements

Shall make use of pre-existing technologies

Shall take input from a variety of sources and systems

Shall correlate and filter relevant data

Shall alert when malicious activity is discovered

Shall have a system to provide notifications on alerts

Shall contain an algorithm that decides whether an attack is being committed

Non-functional Requirements

Shall have a low false-positive rate

Shall be inconspicuous to the malicious user

Shall provide alerts in a timely manner

Shall abide by all licenses of open source software utilized

Technical Constraints & Considerations

• The software shall be scalable to a large network

• The software shall alert within a reasonable amount of time

Software Platform

Operating Systems
• Red Hat Enterprise Linux - Version 6.0
• NetBSD - Version 2.6.0

Supporting Software
• MySQL
• Apache Web Server
• PHP
• Syslogd

Application Software
• Java Runtime Environment Version 6 Update 24
    The Java Runtime Environment allows our application to live on any platform that supports Java.

Hardware Platform

Application Servers
• These servers house the various applications that are to be monitored for unusual behavior.

Log Storage Server
• The log storage server is used as a central repository to hold all the logs from the servers that are being monitored.
• Network configurations allow the server to remain inconspicuous to users accessing the application servers.

Profiling Algorithm Server
• This server retrieves logs from the log storage server to be parsed by the profiling algorithm.

Functional Decomposition

Functional Modules

Profile
• Stores the learned information of user activity.
• Provides the expected actions over two time slices to the Decision Algorithm.

Log Parser
• Parses incoming logs as they arrive.
• Creates an event based on the content of the log.

Decision Algorithm
• Determines if unusual activity is occurring.
• Makes decisions based on the current event and the time slices from the profile.

System Usage

Initially, log files must be sent to a central location that is passed to the algorithm at the start.
• This is left to the administrator to configure.

The algorithm is packaged and executed as part of a jar file.

The algorithm is run in the background.

User Interface

The system interfaces with the user by:

• Allowing the administrator to launch the program via the command line.

• Alerting the administrator upon detection of malicious activity.

Testing

Needed to incorporate profile generation as well as testing of the alert algorithm.

Accomplished by simulating user traffic on an online forum, which generates logged information in the MySQL database.

The forum software follows a pattern, which makes for a predictable profile.

Breaking from the set profile indicates tampering in the system; the system should raise an alert.

Time Estimate

Fall 2010 - Planning, Research

Spring 2011 - Development, Implementation

Cost Analysis

Item                        Team Hours   Without Labor   With Labor
Research                    180          $0              $3,600
Dell PowerEdge T410 (x8)    10           $6,392          $6,592
Red Hat OS                  10           $350            $550
NetBSD OS                   7            $0              $140
Apache Install              3            $0              $60
MySQL Install               7            $0              $140
PHP Install                 3            $0              $60
Algorithm Development       300          N/A             $6,000
Totals                      520          $6,742          $17,142

Questions?