期刊名称:Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
印刷版ISSN:2093-5374
电子版ISSN:2093-5382
出版年度:2012
卷号:3
期号:1-2
页码:99-119
出版社:Innovative Information Science & Technology Research Group
摘要:Malicious insiders are difficult to detect and prevent, because insiders such as employees have legiti- mate rights to access organization's resources in order to carry out their responsibilities. To overcome this problem, we have developed a framework that detects suspicious insiders using a psychological trigger that impels malicious insiders to behave suspiciously. Also, we have proposed an architecture comprising an announcer, a monitor, and an analyzer. First, the announcer creates an event (called a "trigger") that impels malicious insiders to behave suspiciously. Then the monitors record suspicious actions such as file/e-mail deletions. Finally, the analyzer identifies the suspicious insiders by com- paring the number of deletions before/after the trigger. In this paper, we extend monitoring reaction from only "data deletion" to "stop further malicious activities". This extension allows a wider variety of use cases such as "finding private web browsing" and "finding use of unnecessary applications". Also, we extend the architecture so as to monitor servers as well as clients. The server monitoring architecture is required in the case of server side data deletions, i.e., e-mail or file deletions at the server side. Moreover, we describe the effectiveness of our approach in such cases.
关键词:Insider threats detection; sealing of evidences
