Knowing who to watch: accumulating evidence of subtle attacks
| dc.contributor.author | Chivers, H. | |
| dc.contributor.author | Clark, J. A. | |
| dc.contributor.author | Nobles, P. | |
| dc.contributor.author | Shaikh, S. A. | |
| dc.contributor.author | Chen, H. | |
| dc.date.accessioned | 2009-09-02T08:46:19Z | |
| dc.date.available | 2009-09-02T08:46:19Z | |
| dc.date.issued | 2010-09-23T08:46:19Z | |
| dc.description | © Springer Science+Business Media, LLC 2010 | |
| dc.description.abstract | Insider attacks are often subtle and slow, or preceded by behavioral indicators such as organizational rule-breaking which provide the potential for early warning of malicious intent; both these cases pose the problem of identifying attacks from limited evidence contained within a large volume of event data collected from multiple sources over a long period. This paper proposes a scalable solution to this problem by maintaining long-term estimates that individuals or nodes are attackers, rather than retaining event data for post-facto analysis. These estimates are then used as triggers for more detailed investigation. We identify essential attributes of event data, allowing the use of a wide range of indicators, and show how to apply Bayesian statistics to maintain incremental estimates without global updating. The paper provides a theoretical account of the process, a worked example, and a discussion of its practical implications. The work includes examples that identify subtle attack behaviour in subverted network nodes, but the process is not network-specific and is capable of integrating evidence from other sources, such as behavioral indicators, document access logs and financial records, in addition to events identified by network monitoring. | en_UK |
| dc.identifier.citation | Chivers H, Clark JA, Nobles P, et al., (2013) Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise. Information Systems Frontiers, Volume 15, March 2013, pp. 17-34 | |
| dc.identifier.uri | https://doi.org/10.1007/s10796-010-9268-7 | |
| dc.identifier.uri | http://hdl.handle.net/1826/3637 | |
| dc.language.iso | en | en_UK |
| dc.rights | © Springer Science+Business Media, LLC 2010 | |
| dc.subject | Insider | |
| dc.subject | Behavioural | |
| dc.subject | Subtle attack | |
| dc.subject | Intrusion detection | |
| dc.subject | Security | |
| dc.subject | Evidence | |
| dc.subject | Network | |
| dc.subject | Bayesian | |
| dc.title | Knowing who to watch: accumulating evidence of subtle attacks | en_UK |
| dc.type | Article | en_UK |