Indicator-based Behavior Ontology for Detecting Insider Threats in Network Systems

  • Kauh, Janghyuk (The 2nd Institute 3rd Directorate, Agency for Defense Development (ADD)) ;
  • Lim, Wongi (The 2nd Institute 3rd Directorate, Agency for Defense Development (ADD)) ;
  • Kwon, Koohyung (The 2nd Institute 3rd Directorate, Agency for Defense Development (ADD)) ;
  • Lee, Jong-Eon (Tactical Communication Team, Hanwha Systems) ;
  • Kim, Jung-Jae (Dept. of Computer Science, Kwangwoon University) ;
  • Ryu, Minwoo (Korea Telecom R&D Center, Korea Telecom (KT)) ;
  • Cha, Si-Ho (Dept. of Multimedia Science, Chungwoon University)
  • Received : 2017.02.02
  • Accepted : 2017.07.08
  • Published : 2017.10.31

Abstract

Malicious insider threats have increased recently, and the methods used are diversifying every day. These insider threats have become a significant problem for corporations and governments. From a technical standpoint, detecting potential insider threats at an early stage is difficult because they are unpredictable. To prevent insider threats at an early stage, it is necessary to collect all insider data flowing through network systems and then analyze whether the data represent a potential threat. However, analyzing all of the data takes too much time and cost, and a large repository is required to collect and manage it. To resolve this problem, we develop an indicator-based behavior ontology (IB2O) that allows us to understand and interpret insiders' data packets and then detect potential threats at an early stage in network systems, including social networks and company networks. To show the feasibility of the behavior ontology, we developed a prototype platform called Insider Threat Detecting Extractor (ITDE) that detects potential insider threats at an early stage based on the behavior ontology. Finally, we showed how the behavior ontology helps detect potential insider threats in network systems. We expect that the behavior ontology will contribute to detecting malicious insider threats at an early stage.

Cited by

  1. A Study on an Insider Behavior Analysis Framework through Network Traffic Collection and Reconstruction, vol.13, pp.4, 2017, https://doi.org/10.17662/ksdim.2017.13.4.125