Insider Detection by Analyzing Process Behaviors of File Access



Abstract

Information security is a great challenge for most organizations in today’s information world, especially the insider problem. With the help of malware, insiders can search for and steal valuable files easily and safely in an organization’s network. In this paper, we collect a dataset of file access behaviors for normal processes and malware processes. We analyze the dataset and find several features in which normal processes and malware processes show significant differences. A file access behavior model is given based on these features, and we apply both semi-supervised and unsupervised approaches to verify the effectiveness of our model. Experimental results demonstrate that our model is effective in distinguishing between the file access behaviors of normal processes and malware processes.

Keywords: Information security · Insider · Insider detection · Malware · File access behaviors

X. Wang (&) · Y. Wang · Q. Liu · Y. Sun · P. Xie
College of Computer, National University of Defense Technology, Changsha, China
e-mail: [email protected]
Y. Wang, e-mail: [email protected]
Q. Liu, e-mail: [email protected]
Y. Sun, e-mail: [email protected]
P. Xie, e-mail: [email protected]

© Springer Science+Business Media Singapore 2016
J.J. (Jong Hyuk) Park et al. (eds.), Advances in Parallel and Distributed Computing and Ubiquitous Services, Lecture Notes in Electrical Engineering 368, DOI 10.1007/978-981-10-0068-3_28


1 Introduction

Most organizations today rely upon computers and networks to handle all kinds of information, which brings them huge benefits. However, the inherent defects of computers and networks increase the risk to information security. Although several security facilities, e.g. firewalls and intrusion detection systems (IDS), have been deployed to protect information from outside attacks, they are weak against insiders [1–4]. Several approaches have been proposed to solve the problem of insider detection [5–7], but none focuses on the case in which insiders use malware to search for and steal files.

We argue that using malware to search for files is a preferable way for insiders. On one hand, using malware is a more effective and safer way for insiders; on the other hand, intranet users (especially those whose intranet is physically separated from the Internet) do not often pay much attention to the security of the intranet itself. Therefore, malicious insiders can easily inject malware into other computers in the intranet.

In this paper, we extend the work of [7] and propose a novel approach to detect malicious insiders who use malware to search for files. We collected a real dataset of process file access behaviors, including behaviors of normal processes and those of Trojan processes that were remotely controlled by an attacker to search for files located in the target computer. By analyzing the dataset, we found several important features of file access behaviors that were effective in discriminating malware processes from normal ones. Then, we built a file access behavior model based on these features
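As an added illustration of the kind of pipeline the abstract and introduction describe (this is example code, not the paper's own implementation), the following Python sketch extracts per-process features from file-access events, fits a baseline on processes labelled normal, and flags processes that sit far from that baseline, i.e. a semi-supervised outlier check. The three features (directory breadth, extension breadth, write ratio), the event format and the sample events are assumptions made for this example; the paper's own features are not listed on this page.

```python
"""Per-process file-access profiling with a simple semi-supervised outlier
score: fit a baseline on processes known to be normal, then score every
process by its distance from that baseline. The three features used here
are assumptions for this example, not the features reported in the paper."""
from collections import defaultdict
from statistics import mean, pstdev
import os

# Constructed sample events: (process, operation, path). The "trojan" process
# mimics a remotely driven file search: many user folders and file types are
# opened read-only and nothing is written.
EVENTS = [
    ("word", "read", "C:/Users/a/Documents/report.docx"),
    ("word", "write", "C:/Users/a/Documents/report.docx"),
    ("word", "read", "C:/Users/a/AppData/Roaming/Word/normal.dotm"),
    ("browser", "read", "C:/Users/a/AppData/Local/Browser/cache/1.dat"),
    ("browser", "write", "C:/Users/a/AppData/Local/Browser/cache/2.dat"),
    ("browser", "read", "C:/Users/a/AppData/Local/Browser/cache/3.dat"),
    ("svc", "read", "C:/Windows/System32/config.xml"),
    ("svc", "read", "C:/Windows/System32/drivers/x.sys"),
    ("svc", "write", "C:/Windows/Temp/svc.log"),
] + [("trojan", "read", f"C:/Users/a/{d}/f{i}.{e}") for i, (d, e) in enumerate(
    [("Documents", "docx"), ("Desktop", "xlsx"), ("Downloads", "pdf"),
     ("Pictures", "jpg"), ("Music", "mp3"), ("Videos", "mp4"),
     ("Contacts", "vcf"), ("Links", "lnk")])]

def extract_features(events):
    """Return {process: (distinct_dirs, distinct_exts, write_ratio)}."""
    dirs, exts = defaultdict(set), defaultdict(set)
    ops, writes = defaultdict(int), defaultdict(int)
    for proc, op, path in events:
        dirs[proc].add(os.path.dirname(path))
        exts[proc].add(os.path.splitext(path)[1].lower())
        ops[proc] += 1
        writes[proc] += op == "write"
    return {p: (len(dirs[p]), len(exts[p]), writes[p] / ops[p]) for p in ops}

def anomaly_scores(features, baseline):
    """Sum of per-feature |z-scores| against the known-normal baseline; a
    zero-variance feature is scaled by 1.0 so it cannot dominate the score."""
    cols = zip(*(features[p] for p in baseline))
    stats = [(mean(c), pstdev(c) or 1.0) for c in cols]
    return {p: sum(abs((x - m) / sd) for x, (m, sd) in zip(f, stats))
            for p, f in features.items()}

def flag_outliers(events, baseline, threshold=3.0):
    """Processes whose total deviation from the baseline exceeds threshold."""
    scores = anomaly_scores(extract_features(events), baseline)
    return sorted(p for p, s in scores.items() if s > threshold)
```

With the constructed events, `flag_outliers(EVENTS, ["word", "browser", "svc"])` returns only the search-like process; the write-ratio feature has zero variance in the baseline, which is why the scorer falls back to unit scale for it.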