acm-header
Sign In

Communications of the ACM

ACM TechNews

Lab's Behavioral System Can Catch Insider Threats


View as: Print Mobile App Share:
Insider threat

USAF

Oak Ridge National Laboratory researchers have developed a tool to identify malicious insiders and stop them from sending sensitive information outside the organization.

The system uses a host-based agent to learn a user's behavior and to look for anomalous behavior or other signatures, according to Oak Ridge researcher Justin Beaver. The system responds to these signature events by switching malicious users to a honeypot environment, which isolates them from data and enables their actions to be studied.

“It turns out there is a lot of data on each host you can leverage if you know what to look for,” Beaver says.

He notes that the system needs further refinement to eliminate false positives and to build a human oversight into the loop to ensure that legitimate users are not mistakenly removed from the network. Nevertheless, he says the tool can be very helpful in uncovering insider threats.

“A lot of defense is set up to operate at the perimeter,” Beaver says. “The unspoken assumption is that the inside is safe. That is rarely true.” The researchers also found that normal patterns of behavior remain surprisingly consistent as individuals move between computers and jobs.

From Government Computer News
View Full Article

Abstracts Copyright © 2011 Information Inc. External Link, Bethesda, Maryland, USA 


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account