Toward an Insider Threat Detection Framework Using Honey Permissions


Parisa Kaghazgaran and Hassan Takabi+
 

University of North Texas, Denton, TX, USA

parisakaghazgaran@my.unt.edu, takabi@unt.edu

 

Abstract

The insider threat remains one of the most serious challenges to computer security. An insider attack occurs when an authorized user misuses his privileges and causes damage to the organization. Deception techniques have served as a common solution to insider threat detection, and several techniques, such as approaches based on honey entities, have been proposed. On the other hand, access control systems lack the ability to detect insider threats. In this paper, we focus on integrating deception into the role-based access control (RBAC) model, which is one of the most widely used access control models. We introduce the notion of "honey permission" and use it to extend RBAC to help in insider threat detection. We define honey permissions as permissions that exceed the authorized access and are assigned to a subset of roles known as "candidate roles". Objects included in honey permissions are fake versions of sensitive objects that are enticing for malicious users. In this way, an attempt to access sensitive resources by unauthorized users would be detected. We extend the RBAC model by adding honey permissions, indicating candidate roles, and adding a monitoring unit which monitors the sessions in which the owners of the sessions activate a subset of candidate roles and have access to an object through a honey permission. We propose an algorithm to select candidate roles and assign honey permissions to them. Furthermore, we provide security analysis and consider the overhead that would be added to the RBAC system for evaluation.

Keywords: Insider Threat, Deception, Role-Based Access Control (RBAC), Honey Permission
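
The access check sketched in the abstract, as an added illustration that is not code from the paper: a session that activates a candidate role and reaches a decoy object through a honey permission is served the decoy and recorded by the monitoring unit. The paper's candidate-role selection algorithm is not reproduced; the candidate role, the users, the role names, the object names and the `Monitor`/`Session` classes are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# All role, user and object names are constructed for this example.
ROLE_PERMS = {  # ordinary RBAC permission assignment
    "hr_manager": {("read", "payroll.db")},
    "developer": {("read", "source_repo")},
}
HONEY_PERMS = {  # candidate role -> honey permissions on decoy objects
    "developer": {("read", "payroll_backup.db")},  # fake version of payroll.db
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"developer"}}


@dataclass
class Session:
    user: str
    active_roles: set = field(default_factory=set)

    def activate(self, role):
        if role not in USER_ROLES.get(self.user, set()):
            raise PermissionError(f"{self.user} is not assigned role {role}")
        self.active_roles.add(role)


class Monitor:
    """Decides access and records every request satisfied only by a honey permission."""
    def __init__(self):
        self.alerts = []

    def check_access(self, session, op, obj):
        perm = (op, obj)
        if any(perm in ROLE_PERMS.get(r, ()) for r in session.active_roles):
            return "granted"
        via = sorted(r for r in session.active_roles if perm in HONEY_PERMS.get(r, ()))
        if via:
            # The user sees a normal grant on the decoy; the alert is the real outcome.
            self.alerts.append({"user": session.user, "op": op, "object": obj, "roles": via})
            return "granted-decoy"
        return "denied"


def demo():
    monitor = Monitor()
    alice, bob = Session("alice"), Session("bob")
    alice.activate("hr_manager")
    bob.activate("developer")
    cases = [(alice, "payroll.db"), (bob, "source_repo"), (bob, "payroll.db"), (bob, "payroll_backup.db")]
    results = [monitor.check_access(s, "read", o) for s, o in cases]
    return results, monitor.alerts
```

Only the last request produces an alert: the direct request for the real sensitive object is a plain RBAC denial, which is the gap the honey permission is meant to cover.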

 

+: Corresponding author: Hassan Takabi
Computer Science and Engineering Department, University of North Texas, 3940 N. Elm St, Denton, TX 76207

Tel: +1-940-565-2385, Web: http://www.cse.unt.edu/~takabi
 

Journal of Internet Services and Information Security (JISIS), 5(3): 19-36, August 2015