Monitoring Technologies for Mitigating Insider Threats

  • Brian M. Bowen
  • Malek Ben Salem
  • Angelos D. Keromytis
  • Salvatore J. Stolfo
Part of the Advances in Information Security book series (ADIS, volume 49)


In this chapter, we propose a design for an insider threat detection system that combines an array of complementary techniques that aim to detect evasive adversaries. We are motivated by real-world incidents and by our experience building isolated detectors: such standalone mechanisms are often easily identified and avoided by malefactors. Our work-in-progress combines host-based user-event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. We introduce and formalize a number of properties of decoys as a guide to designing trap-based defenses that increase the likelihood of detecting an insider attack. We identify several challenges in scaling up, deploying, and validating our architecture in real environments.







Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Brian M. Bowen (1)
  • Malek Ben Salem (1)
  • Angelos D. Keromytis (1)
  • Salvatore J. Stolfo (1)

  1. Department of Computer Science, Columbia University, New York, USA
