|
Formalising policies for insider-threat detection: University
of Oxford, Parks Rd, Oxford OX1 3QD, United Kingdom {ioannis.agrafiotis,
arnau.erola, michael.goldsmith,
sadie.creese}@cs.ox.ac.uk Abstract The threat that organisations
face from within is growing significantly, as it has been widely demonstrated
by the harm that insiders have caused recently. For many years the security
community has invested in barriers and perimeters, of increasing
sophistication, designed to keep those with malign intent outside of the organisations’ information infrastructures. But assuming
that one can keep the threat out of an organisation
is simply not a practical stance to adopt. In our research we are concerning
ourselves with how technology might be deployed to help with the detection of
insider threats both automatically and in support of human-led mechanisms.
This paper describes our recent research into how we might support threat
detection when actions taken can be immediately determined as of concern. In
particular we capture actions that fall into one of two categories: those
that violate a policy which is specifically crafted to describe behaviours that should be avoided; or those that exhibit behaviours which follow a pattern of a known
insider-threat attack. We view these concerning actions as something that we
can design and implement tripwires within a system to detect. We then orchestrate these
tripwires in conjunction with an anomaly detection system. We present a
review of the security policies organisation apply
and a grammar to describe tripwires. We further validate our grammar by formalising the most common tripwires for both
categories. Our aim is to provide a single framework for unambiguously
capturing tripwires, alongside a library of existing ones in use. Therefore,
tripwires may be used to map experiences regardless of the heterogeneity of
the security tools and practices deployed. Keywords: Insider-threat detection,
Security policies, Validation, Grammar. +: Corresponding author: Ioannis
Agrafiotis Journal of Wireless Mobile
Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) |