
Communications of the ACM

ACM TechNews

Lab's Behavioral System Can Catch Insider Threats



Oak Ridge National Laboratory researchers have developed a tool to identify malicious insiders and stop them from sending sensitive information outside the organization.

The system uses a host-based agent to learn a user's behavior and to look for anomalous behavior or other signatures, according to Oak Ridge researcher Justin Beaver. The system responds to these signature events by switching malicious users to a honeypot environment, which isolates them from data and enables their actions to be studied.

“It turns out there is a lot of data on each host you can leverage if you know what to look for,” Beaver says.

He notes that the system needs further refinement to eliminate false positives and to build human oversight into the loop to ensure that legitimate users are not mistakenly removed from the network. Nevertheless, he says the tool can be very helpful in uncovering insider threats.

“A lot of defense is set up to operate at the perimeter,” Beaver says. “The unspoken assumption is that the inside is safe. That is rarely true.” The researchers also found that normal patterns of behavior remain surprisingly consistent as individuals move between computers and jobs.

From Government Computer News

Abstracts Copyright © 2011 Information Inc., Bethesda, Maryland, USA

