Title: Behavior driven host based insider threats detection of Misuse of information for Windows Environment.
Authors: Maaz bin Ahmad
Keywords: Computer Engineering
Issue Date: 2015
Publisher: University of Engineering and Technology, Taxila
Abstract: With the evolution of information technology in the corporate sector, the working paradigm has shifted from manual to automated. On one side, this has leveraged human effort in managing and maintaining document files efficiently; on the other, it demands more security effort for confidential documents because of the large number of available access channels. The horizon of information security has thus expanded from physical to electronic, laying the foundation for developing more security mechanisms to protect valuable information. The need for and use of the internet inside organizations has made this security problem quite nontrivial. Organizations not only have to protect their documents from external (outside the organization) attackers but also from insiders (their legitimate users). Time has proven that the majority of attacks on the confidentiality of an organization's information come from external attackers, but most of the attacks that succeed come from insiders. This is due to the obvious fact that insiders already possess the information external attackers would need to discover in order to penetrate a system. It has always been an intricate job to protect critical assets from those who not only have your trust but are also privileged to access those assets. This also holds for insiders, who (normally) are the rightful users of confidential information in the organization. Their privileged access to secret resources, their knowledge of critical information and of the security mechanisms implemented inside the organization, and their ability to bypass the existing security arrangements make insider threat detection quite a significant problem.
The criticality of the problem is vindicated by the fact that even a little misuse of an organization's confidential information assets may bring its reputation down from first-rate standing to below par and can adversely affect its financial position. To cope with the aforementioned challenges, a host-based framework for insider threat detection of information misuse is presented in this dissertation. This research work has broad applicability to organizations in Pakistan, especially those that work on mission-critical projects and products such as Khan Research Laboratories, National Development Complex, Atomic Energy Commission and National Engineering and Scientific Commission. Private sector organizations can also benefit if the confidentiality of their secret information is critically significant to them. The framework will enable these organizations to cope with the security threats posed by insiders even if they already use a third-party tool for detection, and such organizations can take advantage of it in their efforts to avoid or reduce possible insider attacks. Tunable parameters make the framework flexible, so organizations can use it according to their needs and security requirements. The framework is comprehensive in nature: it not only comprehends technical measures but also covers psychological indicators to handle the misuse of information by insiders. Compared with the available methodologies, it incorporates a more practical approach. It provides a novel methodology of risk assessment which practically quantifies the risks and assigns a threat level to each user depending upon his/her behavior, a problem which has not been handled in detail in the current insider-threat literature. It also rejects the common assumption that no covert channel is present in the mechanisms used for detection.
It shows this assumption to be unrealistic and a great threat to the organization, and discusses a deployment methodology that avoids it. In this deployment, the source code of the developed application is accessible only to the higher management of the organization, so that any illegal changes in the source files can be detected through techniques such as code reviews. Besides describing an efficient behavioral classification mechanism through a fuzzy classifier, the development of information sensors to capture the necessary information, the reduction of overall processing overhead by deploying non-uniform security policies, and a way to minimize false alarms by filtering insiders in different stages, it also provides an exhaustive blueprint of the scenario-building and testing methodology used to validate the framework. This validation methodology is quite close to the real-world environment of organizations, since it simulates real attack scenarios against the framework instead of providing a validation methodology only theoretically. In epitome, the framework provides sufficient contributions to the knowledge of the insider threat detection domain. We, here in Pakistan, would have remained unaware of the latest research in the field of networks and information security had HEC (Higher Education Commission of Pakistan) not taken revolutionary steps like providing free access to many digital resources and libraries, facilitating students with laptops, and providing research grants and scholarships. The vision of HEC has enabled researchers to reveal the positive value that their research can bring to this country. Its technical and financial support has been a beacon for individuals who want to pursue research work in the area of their interest. It is also due to the support of HEC that we have been able to conduct this research. HEC facilitated us in all ways during the course of this research work.
From providing the supervision of knowledgeable academic professionals to the facilitation of modern literature, tools, accommodation and arrangements, HEC's role has been very sublime and encouraging.
Gov't Doc #: 15289
Appears in Collections: Thesis

Files in This Item:
File: 10034.htm (121 B, HTML)
