
Information Network Security

INTRODUCTION

Most organizations nowadays manage their information in a distributed way, and that information is an asset for them. In a distributed environment the main issue is security management. Network security is a complicated subject, historically tackled only by well-trained and experienced experts. Geographically distributed systems support different kinds of activities, including studying and teaching, shopping for goods, and personal, commercial and international transactions. Geographically distributed systems provide prompt access to information by replicating state in every geographical location. Moreover, these systems are expected to provide secure and continuous service within satisfactory throughput and latency parameters. In a complicated network environment it is very hard to assure that the network is not exposed to threats. Computers can be compromised very easily, creating an opportunity for attacks coming from inside the system. Network security attacks are not some theoretical concept that can be put into the background. These threats exist not only at the perimeter of your network, where it connects to the outside world of untrusted networks, but also inside your trusted environment.

In any organization, the most important thing is security. The threats to the security of an organization are both physical and software-based. Physical security can be implemented by force and by other means, such as installing sensors in valuable areas or engaging the services of security agencies. Software threats, however, are the most dangerous, because there is no one-to-one confrontation: you need to stop an opponent without knowing what he is doing.

There are basically two types of security threats: outsider and insider. A lot of work has been done to handle outsider threats, but insider threats are ignored by organizations, or only a little effort is made to catch these trusted insider attackers. The purpose of this study is to examine different factors which we believe contribute to different forms of insider threats. Security professionals and policy leaders currently view the insider threat as a serious problem, but often as a separate issue that should be addressed by a different configuration of security countermeasures.

In this study, the objective is to develop a framework which helps different organizations to better understand, detect, and ultimately prevent harmful insider activity.

1.2 Thesis Road Map

Chapter 1 gives the introduction to the thesis; insider threats, the research question, research objectives, research contribution and justifications for the work are presented and discussed. The chapter also identifies common threats to different organizations.

Chapter 2 contains what has been published on the topic by accredited scholars and researchers. It gives a critical overview of prior research in the same area. The purpose of this chapter is to:

Chapter 3 contains the proposed framework activities to detect and avoid the risk of insider threats.

Chapter 4 justifies my research regarding the framework activities defined in chapter 3.

Chapter 5 concludes the thesis, contains my concluding remarks and gives directions for further work.

1.3 Background: Insight into Security threats

The global acceptance and expansion of business, as well as the growth of Internet technologies in general, has caused an extraordinary expansion of electronic business. In electronic business a customer can submit a request to access online business information. As business moves from internal (closed) systems to open ones, the risk of malicious attacks and illegal access to critical assets becomes higher than in a closed system. So a high level of security for the information system is required. Prior to the requirement for online, open access, the information security budget of a typical company was less than its tea and coffee expenses.

In a study of insider threats by Randazzo et al., the incidents examined were perpetrated by insiders, such as current or former employees or contractors, who deliberately accessed confidential data in a manner that breached the security of the organization or its daily business operations. Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information. (Randazzo et al. 2004)

Attackers are largely responsible for security threats, which could affect the security of assets. "A threat is a set of circumstances that has the potential to cause loss or harm". The greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant. Attackers, trying to do harm, exploit vulnerabilities in a system or security policy employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business operations or to steal information.

The diagram below depicts the types of security threats that exist. The diagram depicts all threats to computer systems, but the main emphasis is on malicious "insiders". The greatest threats of attacks against computer systems come from "insiders" who know the codes and security measures.

Attackers can be grouped into two general categories:

1.3.1 Outsider Security Threats

Internal attackers are not the only persons responsible for internal security threats. There are also external attackers. Mitnick, an infamous hacker in the 1980s and 1990s, believed that "The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you. What I found personally to be true was that it is easier to manipulate people rather than technology. Most of the time organizations overlook that human element". External attackers use common techniques to manipulate people from outside the organization, such as social engineering. Social engineering is a method of manipulating people into doing things based on how the request is structured. External attackers do not have to be seen as someone trying to bypass the company firewall or to exploit vulnerabilities in the web server.

In the case of internal security threats, external attackers use techniques to manipulate people through the telephone, e-mail, and fax. External attackers generally do not use technical techniques.

The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the "true insider," is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the "pseudo-insider," is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities.

The activities of both fall into five general categories:

(Gabrielson et al. 2006)

The diversity of cyber threats has grown over time. The initial stage of cyber threats was password cracking and minor network-level attacks. With the passage of time new types of attacks came into existence, such as insider attacks, social engineering and e-mail worms. These new types of attacks are considered serious security problems. The number of attack types is growing faster than the attack modeling and threat analysis tools. Some known formal models, such as attack graphs, perform action-centric vulnerability modeling and analysis. In these, user actions are represented as states, and the sequences of suspicious activities that lead to a violation indicate the expected exploits. (Chinchani et al. 2005)
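As an added illustration of the attack-graph idea described above (this is example code written for this page, not code from the thesis or from Chinchani et al.), the following Python models system states as nodes and user actions as edges, enumerates every action sequence that reaches a policy-violating state, and then asks the defender's question: which single action, if blocked by a control, severs all of those sequences? The graph, its state names and its action names are constructed for the example.

```python
"""Toy attack graph: states are nodes, labelled edges are user actions.
Two analyses are provided: enumerate action sequences reaching a violation
state, and find actions whose removal alone breaks every such sequence."""

# Constructed sample graph: state -> list of (action, next_state).
# The names are illustrative only and do not describe any real system.
SAMPLE_GRAPH = {
    "employee_login": [("open_shared_folder", "shared_folder_access"),
                       ("use_remote_desktop", "remote_session")],
    "remote_session": [("open_shared_folder", "shared_folder_access")],
    "shared_folder_access": [("copy_to_usb", "data_exfiltrated"),
                             ("email_attachment", "data_exfiltrated")],
    "data_exfiltrated": [],
}


def attack_paths(graph, start, goals):
    """Return every simple path (as a tuple of action names) from `start`
    to any state in `goals`, sorted for deterministic output."""
    paths = []
    stack = [(start, [], {start})]
    while stack:
        state, actions, seen = stack.pop()
        if state in goals:
            paths.append(tuple(actions))
            continue
        for action, nxt in graph.get(state, []):
            if nxt not in seen:  # simple paths only: never revisit a state
                stack.append((nxt, actions + [action], seen | {nxt}))
    return sorted(paths)


def blocking_actions(graph, start, goals):
    """Return the actions whose removal (dropping every edge carrying that
    label) leaves no path from `start` to a goal state. These are the
    choke points a single control could cover."""
    actions = {a for edges in graph.values() for a, _ in edges}
    result = []
    for a in sorted(actions):
        pruned = {s: [(act, n) for act, n in edges if act != a]
                  for s, edges in graph.items()}
        if not attack_paths(pruned, start, goals):
            result.append(a)
    return result


if __name__ == "__main__":
    goals = {"data_exfiltrated"}
    for p in attack_paths(SAMPLE_GRAPH, "employee_login", goals):
        print(" -> ".join(p))
    print("single actions that block all paths:",
          blocking_actions(SAMPLE_GRAPH, "employee_login", goals))
```

In the constructed graph every path passes through the shared folder, so controlling that one action is sufficient, while blocking USB copying alone leaves the e-mail route open; that is the kind of prioritisation an attack graph gives a defender that a list of individual threats does not.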

Insider attacks are very unusual threats which are difficult to detect and prevent. The reason is that, unlike an external attacker, an insider is a person who is authorized to access the organization's computer network. These networks represent a growing problem for an organization's security. Insider threats frustrate employers because insiders can bypass physical and technical security measures and can create serious problems for organizations that lack the resources to identify and monitor their behavior. Insiders are of different types and are not just trusted employees: today they can include third-party contractors, vendors, business partners, auditors, etc. Attacks from the inside carry the potential for significant damage, but not all insiders are malicious; the perpetrators may be unknowing pawns of a malevolent colleague or simply the careless initiators of unintended consequences. Nevertheless, insider threats were the most costly of the various breaches, and the exploration of the emergence of insider threats has also been treated as a learning problem. Organizations that lack the resources to monitor actions, prevent bad outcomes, or avoid harm when data leakages occur suffer more than those organizations that have the policies as well as the resources to monitor and mitigate insider threats.

The term "insider" encompasses both spies and saboteurs.

Internal attacks are more and more important in an organization, because internal attackers have the following in their favor:

In general, there is a high level of trust in users and computers accessing resources on the Local Area Network (LAN) of the company. Employees may have access to shared network resources, and it may be hard to discern whether an employee is using his/her access legitimately or illegitimately.

Employees have much greater physical access to network resources, and in general when an attacker has physical control of a computer, that computer can no longer be protected from the attacker.

Employees might be protected by employment laws. For example, a law might prohibit an organization from inspecting the Internet usage of its employees. Identifying your enemy is very important in order to understand their motivation. Internal attackers might be motivated by more than one reason. (Grandvaux 2004)

Common cases of computer-related employee damage include: changing, deleting and destroying data or programs with logic bombs; system crashes; holding data hostage; destroying hardware or facilities; incorrect entry of data; and performing unethical acts such as exposing sensitive information to the public. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.

A 1998 FBI survey investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches, for a total quantifiable financial loss of $136 million.

The survey also found that the largest number of breaches were by unauthorized insider access, and concluded that these figures were very conservative, as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey reported the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company in excess of $2.7 million. It found that the hidden costs associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.

Employees who have caused harm have used their understanding of and access to information resources for different reasons, including greed, revenge for perceived grievances, ego satisfaction, resolution of personal or professional problems, to protect or advance their careers, to challenge their skill, to express anger, to impress others, or some combination of these concerns.

(Randazzo et al. 2004)

1.5 Common types of Insider Threats

Following are some common types of insider threats that an organization may face.

1.5.1 Exploiting information via remote access software

A considerable amount of insider abuse is performed offsite through remote access software such as Terminal Services, Citrix and GoToMyPC. When insiders perform their actions offsite there is no chance to monitor their malicious activities, and they can steal sensitive information with more confidence. Remote computers which are inadequately protected may end up in the hands of malicious users, and these users can cause serious damage.

1.5.2 Sending out information via e-mail and instant messaging

Information which is important to an organization can be transferred to an unintended recipient by using e-mail or instant messengers. This is a serious threat, but it is the easiest to eliminate.

1.5.3 Sharing sensitive files on P2P networks

Some organizations allow file sharing using peer-to-peer file sharing software, while in other organizations such sharing is prohibited. Malicious attackers are always there to abuse the information, whether or not the organization allows sharing. Peer-to-peer file sharing software itself is not the problem, but the way this software is used can cause a problem. A simple misconfiguration of the software can lead to serious damage.

1.5.4 Careless use of wireless networks

Insecure wireless network usage is the most common unintentional insider threat. An insecure network can easily expose sensitive information to an intruder. The risk of information reaching a malicious insider is high when a user communicates through e-mail or transfers a file over an insecure wireless network. The networks most susceptible to these attacks are Wi-Fi networks. Bluetooth on smart phones and PDAs can also be a source of information theft. Organizations that have WLANs set up may be at high risk, because employees could use them after working hours to exploit security for their personal gain.

1.5.5 Posting information to discussion boards and blogs

Users often post requests for help on the Internet. Such a request can include sensitive information that puts the organization at high risk. This harm can be done intentionally or unintentionally. (Beaver 2005)

Internal attackers attempt to break into computer networks for many reasons. The subject has been studied fruitfully, and internal attackers are typically motivated by the following reasons.

1.6.1 Challenge

Many internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not think of their actions as criminal. For example, an internal attack can be the challenge of breaking into the mail server in order to get access to the e-mails of any employee.

1.6.2 Revenge

Internal attackers motivated by revenge often have ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees who feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack on the company in order to cause financial losses.

1.6.3 Espionage

Internal attackers motivated by espionage steal confidential information for a third party. In general, two types of espionage exist:

  1. Industrial espionage

Industrial espionage means that a company may pay its own employees to break into the networks of its competitors or business partners. The company may also hire someone else to do this.

  2. International espionage

International espionage means that attackers work for governments and steal confidential information for other governments. (Grandvaux 2004)

The subjects in the Shaw study appeared to identify more with their profession or computer specialty than with their employer. This finding is reminiscent of a study of computer fraud conducted by the U.S. Department of Health and Human Services in 1986, which found that computer programmers who committed fraud felt more loyalty to their profession than to their employer.

An employee's disregard for the impact of his or her action on others, or inability to appreciate this impact, has been noted consistently by investigators. Likewise, many of the subjects in the Shaw study lacked empathy. This characteristic is magnified by the nature of cyberspace, where the effect of events is muted by the lack of immediate apparent consequences.

Many of the subjects whose cases were studied by Shaw reportedly did not view their violations as unethical; some even viewed them as justified under the circumstances.

These subjects appeared to lack the moral inhibitions that prevent others from committing such acts. This finding is consistent with earlier research on ethical boundaries within the "information culture" conducted by S. Harrington and published in 1995. Harrington's findings indicate that approximately 7 percent of computer professionals do not object to cracking, espionage, or sabotage. Their rationale is that an electronic asset is fair game for attack if it has not been sufficiently secured by the company.

1.6.7 Personal and social frustrations

Professor R. Caldwell, a computer scientist who conducted separate studies in 1990 and 1993, identified that some individuals exhibit "revenge syndrome". These individuals often have a history of personal and social frustrations, often including childhood abuse and neglect. They tend to exhibit anger, alienation from authority, fewer social skills than peers, and an inclination to "strike out at the system".

1.6.8 Entitlement

A sense of self-power is often associated with a self-perception of talents that go unrecognized by others. The feeling that this specialness is not being recognized by employers or authority figures often combines with a pre-existing anger at employers or authority to produce, in these individuals, the belief that they have been treated unfairly and are right in their revengeful actions. Often, this sense of self-power is supported by special exemptions from rules granted to highly valued but "unpredictable" employees. Consequently, employers or authority figures often reinforce this belief and contribute to what often becomes an inevitable disaster. (Shaw et al. 1999)

According to a 1991 report by psychologists Robert Raskin and Jill Novacek, individuals with these narcissistic tendencies who are under higher levels of daily stress are prone to "power and revenge fantasies in which they see themselves in a powerful position able to impose punishment on those who have wronged them". (Shaw et al. 1999)

1.6.9 Computer dependency

In the Shaw study, online activity significantly interfered with, or replaced, direct social and professional interactions for many of the subjects. According to psychologists, computer-addicted individuals are more likely than non-addicted users to be aggressive loners who make poor team players. They report their primary interests as exploring networks, breaking security codes, hacking into computer systems, and challenging and outfoxing security professionals. (Anonymous 2003)

1.7 Can insiders be stopped?

Different tools and techniques already exist that warn organizations of possible insider action. These tools track network activity and activity patterns, checking for signs of unusual behavior, such as repeated attempts to access a generally restricted site or resource. Such systems can be burdensome and difficult to maintain, because they sometimes produce false positives. They can also slow the traffic of a large network and interfere with business operations. And since insiders have legitimate access, they can use their knowledge of the security controls and their technical skills to obtain more privileges.

The goals of an insider threat project must be clear, and the project must recognize that security must complement, not hamper, organizational needs. To achieve this, team members take a comprehensive view of insider behavior (psychological factors such as self-esteem, risk-taking behavior and assertiveness), and of the motives and intentions that compel insiders to commit illegal actions. In addition, researchers are devising typologies to help characterize different types of insider behavior, and methods to discourage inappropriate activities. It is essential to incorporate legal, ethical, social, economic and technical concerns in the detection, mitigation and prevention of malicious insiders.

1.8 Intrusion Detection System

Intrusion detection systems are recent security products, including both hardware and software, for the detection and prevention of both external and internal security attacks on computer-based information systems. These intrusion detection systems have drawn much research activity. They are viewed as very promising, both practically and theoretically, and are drawing considerable financial interest. (Tarimo 2003)

The word intrusion means "a wrongful entry" or "the act of seizing, or taking possession of, the property of another". By intrusion detection, we mean identifying potentially malicious or undesirable activity that may have occurred in a given environment, as recorded in an audit trail. Several steps make up this process: capture, analyze, classify, report, and possibly respond to the event. When intrusion detection is applied to computers, systems known as Intrusion Detection Systems (IDS) usually take care of automating these steps before informing the human supervisor of what has transpired. The aspect of automation is important, and it is a major difference between intrusion detection systems used in buildings and those used in computer systems. (Dobrucki 2002)

An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. There are several ways to categorize an IDS.
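The following Python is an added example written for this page (it is not code from the thesis, from Dobrucki or from any IDS product). It walks the capture, analyze, classify and report steps named above over an audit trail, and the single indicator it implements is the one section 1.7 mentions: repeated attempts by one account to reach a restricted resource. It uses a sliding time window so that denials spread over hours are not counted together, which is one way of keeping the false positives that section 1.7 warns about in check. The log format, field names, window and threshold are assumptions made for the illustration, and the audit lines are constructed.

```python
"""Minimal audit-trail analyser following the capture -> analyze ->
classify -> report steps of an IDS. Constructed input, assumed format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: "<ISO timestamp> <user> <resource> <outcome>".
SAMPLE_AUDIT = """\
2024-03-01T09:00:01 alice /finance/payroll DENIED
2024-03-01T09:00:09 alice /finance/payroll DENIED
2024-03-01T09:00:20 alice /finance/payroll DENIED
2024-03-01T09:00:31 alice /finance/payroll DENIED
2024-03-01T09:05:00 bob /hr/reviews DENIED
2024-03-01T11:30:00 carol /finance/payroll ALLOWED
2024-03-01T14:00:00 bob /hr/reviews DENIED
"""


def capture(text):
    """Step 1: parse raw audit lines into structured events."""
    events = []
    for line in text.splitlines():
        ts, user, resource, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "outcome": outcome})
    return events


def analyze(events, window=timedelta(minutes=5), threshold=3):
    """Step 2: for each (user, resource) pair, find the largest number of
    DENIED events that fall inside one sliding window. A pair is a finding
    when that number reaches `threshold`.
    Returns tuples (user, resource, count, first_ts, last_ts)."""
    denied = defaultdict(list)
    for e in events:
        if e["outcome"] == "DENIED":
            denied[(e["user"], e["resource"])].append(e["ts"])
    findings = []
    for (user, resource), stamps in denied.items():
        stamps.sort()
        best = None  # (count, first, last) of the densest window seen
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, stamps[start], stamps[end])
        if best[0] >= threshold:
            findings.append((user, resource, best[0], best[1], best[2]))
    return findings


def classify(finding, threshold=3):
    """Step 3: a burst at least twice the threshold is rated high."""
    return "high" if finding[2] >= 2 * threshold else "medium"


def report(findings):
    """Step 4: render findings as lines for the human supervisor."""
    return [f"[{classify(f)}] {f[0]} was denied {f[1]} {f[2]} times "
            f"between {f[3].time()} and {f[4].time()}" for f in findings]


def run(text):
    """The whole pipeline on one audit trail."""
    return report(analyze(capture(text)))


if __name__ == "__main__":
    for line in run(SAMPLE_AUDIT):
        print(line)
```

With the constructed trail, alice's four denials within thirty seconds produce one medium finding, while bob's two denials five hours apart produce none; the respond step is left to the supervisor, as the text describes.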

1.9 Problem Statement

The insider threat is becoming comparable to the outsider threat in the frequency of security events, yet insider threats are not properly addressed by organizations. This is a very worrying situation, since insider attacks have a higher probability of success than outsider attacks, because insiders have authorized access and legitimate privileges. Thus, insiders not only take advantage of technical expertise; they also take advantage of details specific to the organization's environment that are based on trust. Additionally, insiders tend to have more opportunities than outsiders, caused for example by the deterioration of access and permission management, which may lead to an accumulation of privileges. To reduce the insider threat problem, many challenges have yet to be overcome.

1.10 Proposed Solution

Organizations cannot be 100% sure that their employees won't accept bribery for the company's information, or that a future event will not transform a good business relationship into a conflict that the employee may try to settle on his own. Thus, almost every organization has a potential insider threat. The computer security breaches from insider attacks, especially through backdoors, logic bombs and Trojan horses, are uncountable. Confidentiality, availability, integrity and authenticity are all under threat, since the attacker has legitimate access to files and to the information technology infrastructure.

The contribution of this research is to develop a framework that addresses the first two challenges mentioned above. The approach used to tackle insider attacks is the usage of intrusion detection systems. This methodology implies that, whatever form the attack may take, those security systems will detect it.

1.11 Research Objectives & Aims

Insiders have two things that external attackers do not: privileged access and trust. This privileged access and trust allow employees to bypass preventative measures, conduct malicious acts and access mission-critical assets. There can be a number of reasons which motivate insiders. They can commit a security breach more easily than an outsider, because outsiders have limited access to the organization's critical assets. Malicious insiders can directly harm the organization's business in the form of lost revenue, reduced shareholder faith, lost customers, lost reputation, regulatory fines and legal fees. Organizations need an automated solution to help detect and analyze malicious insider activity in order to cope with such an expensive threat.

These are some goals which could be helpful in monitoring and minimizing the insider threats:


CHAPTER 2

REVIEW OF LITERATURE

Axelsson (2000) presented a taxonomy of intrusion detection systems that is then used to survey and classify a number of research prototypes. The taxonomy consists of a classification of the detection principle and of certain operational aspects of intrusion detection systems. The grouping of the systems is based on the increasing difficulty of the problem they attempt to address. These classifications are used predictively, pointing towards a number of areas of future research in the field of intrusion detection.

Georgiev and Georgiev (2001) described an attempt to extract a simple model for security analysis, system understanding, and teaching. The security model is based on establishing the trustworthiness and role of each component in a distributed computing environment. It deals in a systematic manner with all the issues that come from the lack of sufficiently accurate knowledge, both instantaneous and predictive, of the state of a network-based system. It separates the roles of component entities into trusted and untrusted categories and thus helps predict their behavior, even in the case when they become mobile.

Anonymous (2001): In most businesses the correct functioning of information systems and the continuity of operations are very important. Threats to computerized information and processes are threats to business quality and effectiveness. The purpose of IT security is to eliminate, or reduce to an acceptable level, the significant threats faced by computerized business information systems. Quality management is directly related to security and risk management. Security policies should be based on risk analysis and be in harmony with quality processes, structures and checklists. The most important question is:

What needs to be protected, against whom and how?

Security is basically the protection of systems, services and information against mistakes, disasters and manipulation, so that the impact of security incidents is lowered or minimized. A threat is a danger which could affect the security (availability, confidentiality, integrity) of assets, leading to potential damage or loss.

Stoneburner et al. (2002): In this paper the authors described the risks posed by a university IT system. The paper first gives the background of the risks, the methodology employed, its implementation and the knowledge gained by performing the risk assessment. Next the authors define the terms security and risk. According to the authors, from an IT perspective security can be defined as "the state of being free from unacceptable risk". To define risk, the authors quoted the Texas A&M University definition: "any event or action that adversely impact the University's ability to achieve its objectives". The authors also discussed security policies and guidelines.

The risk assessment process has two main objectives, namely to implement reasonable safeguards and to document the due diligence of management in mitigating risks. It is also important to take time to precisely define what is meant by each threat that is identified. The risk assessment process permits prioritization of a potentially very large number of actions that could be taken to improve security. For forecasting purposes, the authors divided the systems into three categories: simple, medium and complex.

Satti (2003): In this report the author discussed the business adoption and growth of the Internet. This adoption is accepted globally. Internetworking technologies generally help a customer to submit a request online to access a business information system. As business moves from closed to open systems, the risk is higher. In open business systems the risk of malicious attacks has increased, and tackling these risks requires a high level of security for the information system. Prior to the requirement for online, open access, the information security budget of a typical company was less than its tea and coffee expenses.

Anderson et al. (2004) described that their major focus in 2005 was to study the insider threat using the threat dynamics framework. Results from a comprehensive study of insider threats show that managers make decisions that enhance organizational performance and productivity but that have the unintended consequence of magnifying the likelihood of an insider cyber attack and the exposure of the organization. The writers of this paper also discussed the methods used to deal with the insider threat problem, for example the need to capture and analyze the complex interactions between behavioral, policy, technical, and cultural issues over time. This analysis is helpful in developing an integrated risk management approach. At the end the authors conclude that the ultimate effect of business, policy, and technical decisions on insider threat risks is complex and often counterintuitive, and can result in significant losses and operational impacts due to insider cyber attack.

Yu and Frincke (2004): Intrusion detection systems (IDS) are increasingly a key part of system defense, often operating under a high level of privilege to achieve their purposes. Therefore, the ability of an IDS to withstand attack is important in a production system. In this paper, the writers addressed the issue of a survivable IDS. The authors first categorize potential vulnerabilities in a generic IDS and then classify different methods to enhance IDS survivability. They then propose an efficient fault-tolerance-based Survivable IDS (SIDS), along with a systematic way to transform an original IDS architecture into this survivable architecture.

Spitzner (2003): The author discusses that little research has been done on one of the most dangerous threats, the advanced insider, the trusted individual who knows the internal organization. These individuals are not after your systems; they are after the organization's information. This presentation discusses how honeypot technologies can be used to detect, identify, and gather information on insider threats, especially advanced insider threats, which are vastly different from external threats. The author states that before going into how honeypots, specifically honeynets and honeytokens, can catch the insider threat, there is a need to define the goals and the threat faced. The basic goal is to detect, identify, and confirm insider threats. By an advanced insider the author simply means "someone who is technically skilled, highly motivated, and has access to extensive resources". For example, this threat may be an employee working for a large corporation who is in reality employed by a competitor to engage in corporate espionage.
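To make the honeytoken idea mentioned above concrete, here is an added Python example written for this page (it is not code from the thesis or from Spitzner's work). A honeytoken is a fake record that no legitimate process ever needs, so any appearance of it in an outbound channel or an audit log is a signal. This example goes one step further than the summary: each copy planted in a different location carries an HMAC-derived tag, so a sighting also identifies where the leaked copy was taken from, and the tag cannot be forged by someone guessing plausible values. The key, the planting locations and the log lines are constructed for the illustration.

```python
"""Honeytoken generation, registry and detection. Constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    location: str   # where this copy was planted, e.g. a file share
    value: str      # the fake record value that must never legitimately move


def make_token(key: bytes, location: str) -> Honeytoken:
    """Derive a location-specific token. The value looks like an account
    number but is really an HMAC tag over the planting location."""
    tag = hmac.new(key, location.encode(), hashlib.sha256).hexdigest()[:12]
    return Honeytoken(location, f"ACCT-{tag.upper()}")


def seed_tokens(key: bytes, locations):
    """Registry mapping each planted token value back to its location."""
    return {make_token(key, loc).value: loc for loc in locations}


def verify_origin(key: bytes, value: str, candidate_locations):
    """Confirm a sighted value really was issued for one of our locations.
    Returns the location, or None if the value is not a genuine token."""
    for loc in candidate_locations:
        if hmac.compare_digest(make_token(key, loc).value, value):
            return loc
    return None


def scan_for_tokens(key: bytes, registry, lines):
    """Detection step: return (line_number, location) for every line that
    carries a genuine honeytoken. Only registered values are searched for."""
    hits = []
    for n, line in enumerate(lines, 1):
        for value in registry:
            if value in line:
                loc = verify_origin(key, value, registry.values())
                if loc is not None:
                    hits.append((n, loc))
    return hits


# Constructed key and planting locations (placeholder values only).
KEY = b"example-key-not-for-production"
REGISTRY = seed_tokens(KEY, ["finance_share", "hr_share"])

# Constructed outbound-mail log. Line 2 carries the copy planted on hr_share;
# line 3 carries a look-alike value that was never issued.
SAMPLE_OUTBOUND_LOG = [
    "09:01 bob -> partner@example.org subject=report body=quarterly numbers attached",
    f"09:07 bob -> mail@example.org subject=accounts body={make_token(KEY, 'hr_share').value}",
    "09:15 carol -> team@example.org subject=notes body=ACCT-000000000000",
]

if __name__ == "__main__":
    for line_no, loc in scan_for_tokens(KEY, REGISTRY, SAMPLE_OUTBOUND_LOG):
        print(f"honeytoken from {loc} seen on log line {line_no}")
```

The registry is what makes the alert actionable: a hit tells the supervisor both that a fake record left the organization and which planted copy it was, which narrows down who had access to it. The look-alike value on line 3 is ignored because it does not verify against any planted location.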

Randazzo et al. (2004)discussed the Insider Threat Study. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem. Basically authors discussed that Insiders, by virtue of legitimate access to information of organization, systems, and networks, pose a significant risk to employers. Authors described different reasons of insider threats. Concluding remarks regarding Insider Threat Study showed that to detect insider threats as early as possible or to prevent them altogether, management, IT, human resources, security officers, and others in the organization must understand the psychological, organizational, and technical aspects of the problem, as well as how they coordinate their actions over time.

Randazzo et al. (2004b) described the history of insider threats and recounted different insider threat cases. Efforts have been made to study insider incidents, including workshops to develop a foundation of knowledge on insider threats, annual surveys of organizations on the number of insider incidents they have experienced in a given year, and in-depth case studies of information technology insiders.

Aleman-Meza et al. (2005) discussed the verification of legitimate access to documents, one aspect of the umbrella of problems in the insider threat category, which is a challenging problem. The writers state that insider threat refers to the "malevolent actions by an already trusted person with access to sensitive information and information systems". A specific type of insider threat relates to document access and involves effective monitoring of the actions of an intelligence analyst. The authors further describe the purpose of addressing this insider threat as ensuring that an intelligence analyst accesses only documents that are relevant to his or her assigned investigation objective, i.e., accesses data on a "needs to know" basis.

Framingham (2005) is a paper about e-crimes and their impact on companies. Its results reveal that the fight against electronic crimes (e-crimes) may be paying off. A survey was conducted and the results are formulated on the basis of that survey. Of those who experienced e-crimes, more than half of the respondents (55%) reported operational losses, 28% reported financial losses and 12% reported harm to reputation as a result. Interestingly, one third (31%) of respondents did not have a formal process or system in place for tracking e-crime attempts, and 39% did not have a formalized plan outlining policies and procedures for reporting and responding to e-crimes, demonstrating room for improvement.

Keeney et al. (2005) described a case in which an insider had extensive control over the source code of a critical application used by the organization. As lead developer of the software, he made sure that he possessed the only copy of the source code; there were no backups, and very little documentation existed. Following a demotion in both position and pay, the insider "wiped" the hard drive of his company-provided laptop, thereby deleting the only copy of the source code the organization possessed. It took several months to recover the source code from the insider, during which time the organization was unable to update the software.

Cappelli et al. (2005) examine how each organization studied could have prevented the attack or, at the very least, detected it earlier. Rather than requiring new practices or technologies for the prevention of insider threats, the research instead identifies existing best practices that are critical to mitigating the risks from malicious insiders.

Chinchani et al. (2005) describe how the diversity of cyber threats has grown over time. The initial cyber threats were password cracking and minor network-level attacks. With the passage of time, new types of attack came into existence, such as insider attacks, social engineering and email worms, and these are considered serious security problems. The rate at which attack types grow is higher than the rate at which attack modeling and threat analysis tools develop. Some known formal models, such as attack graphs, perform action-centric vulnerability modeling and analysis: user actions are represented as states, and sequences of suspicious activities that lead to a violation represent the expected exploits.

In this paper the authors propose a new target-centric model to address new security threats such as insider attacks, email worms and social engineering. The modeling methodology is explained with examples. Finally, a quantified vulnerability analysis is performed to show the worst-case complexity result of the proposed model.

Chapple (2005) argued that the major threat to information security in any organization sits in the office: the employees. These employees have the ability to bypass the security measures and controls that an organization has put in place to secure its network, and they can obtain credentials to access a significant portion of the organization's infrastructure. What is this threat? It is the often underestimated insider threat: the risk that employees of the organization will violate that trust and conduct malicious activity on the organization's network.

Here are five simple measures you can take to protect your organization against insider attacks:

These simple measures can go a long way toward helping you protect your organization against the insider risk. Remember, however, that there is no single cure and the most important component of any security program is vigilance!

Cappelli et al. (2006) is a paper about insider threats in the SDLC. The authors define insiders as current or former employees or contractors who intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that targeted a specific individual or affected the security of the organization's data, systems and/or daily business operations.

The authors describe that insiders can attack for the following reasons:

Gabrielson et al. (2006) argue that the definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the "true insider," is defined as any entity (person, system, or code) authorized by command and control elements to access a network, system, or data. The second actor category, the "pseudo-insider," is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activity.

The activities of both fall into five general categories:

  1. Exceeds given network, system or data permissions.

  2. Conducts malicious activity against or across the network, system or data.

  3. Provides unapproved access to the network, system or data.

  4. Circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or to disguise identity.

  5. Non-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure.

Some investigators have pointed out four categories of the insider problem: zealot, traitor, browser and well-intentioned. The zealot category involves an insider who believes strongly in the correctness of one position or feels the organization is not on the right side of a certain issue. The traitor category includes persons who have a malevolent intent to damage, destroy or sell out their organization. The browser category consists of persons who are overly curious in nature (often a violation of the need-to-know principle), while the well-intentioned insider commits violations through. An insider threat conceptual architecture should leverage an array of network and host-based sensors along with existing networked systems that provide network analysis or access controls.

Gordon et al. (2006) found that there are four major sources of financial loss to organizations: virus attacks, unauthorized access, financial losses related to hardware, and theft of intellectual property. According to this paper these four categories are responsible for more than 74 percent of financial losses. According to respondents, the total amount of financial losses resulting from security breaches decreased substantially. The authors go on to describe the reason for this decrease: the main reason for the drop is a decrease in the number of respondents who provided estimates of losses and in the average amount of financial losses in their organizations. According to their research, the vast majority of organizations now attach importance to security awareness training programs.

Stanley (2006), in this article, described that inside any organization there will be some malicious individuals, and the possibility is that any one of these could suddenly turn bad and sabotage the assets of the organization. Many security incidents continue to go unreported as organizations try to prevent damaging news stories from emerging and harming their reputation. Research by the Ponemon Institute reported that 78% of its 450 IT security respondents had one or more unreported insider-related security breaches; 93% cited lack of resources and 81% cited lack of accountability as primary contributing factors.

To help mitigate insider threats, companies such as ArcSight have created products to help detect and deal with such problems. The key to insider threat management is to find the early signs of unusual behavior, be this reconnaissance or preliminary leaks, and then respond using appropriate human resources measures or external legal sanctions if appropriate.

Franqueira et al. (2006) introduced a framework consisting of a method and supporting awareness deliverables. The method organizes the identification of insider threat risks as well as the assessment of those risks from the perspective of the organization's goals or business mission. The method works in three steps. First, attack strategies are structured in four decomposition trees. Second, a pattern of insider attack reduces an insider attack step to six possible scenarios. Third, a list of defense strategies helps in the elicitation of requirements. The output of the method consists of goal-based requirements for the defense against insiders. Attack and defense strategies are collected from the literature and from organizational control principles.

Anonymous (2006) discusses that employees are an organization's most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, and storing sensitive data on portable devices such as laptops, PDAs, thumb drives and even iPods, employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders - not just employees, but consultants, contractors, vendors and partners - must be actively managed, audited and monitored in order to protect sensitive data.

In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people.

There are a number of reasons that motivate insiders to commit a malicious act, but the end result is that insiders can commit their crimes more easily than an outsider who has limited access. It does not take a skilled hacker to print out sensitive data, copy files to an MP3 player or send confidential information to a competitor. Because of this, anybody can become a malicious insider, from the disgruntled system administrator hoping to sabotage access to business-critical systems to the human resources intern selling employee salary information to recruiters. Insiders can directly damage the organization in the form of lost revenue, reduced shareholder faith, lost customers, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyze malicious insider activity.


CHAPTER 3

MATERIAL AND METHODS

Organizations of all kinds, from publishing to health care, are turning to on-line services. As they become dependent on this new technology, many are exposed to the downside of computer networking: theft, fraud and denial of service risks. To keep pace with the ever-changing nature of network-borne security threats, all kinds of organizations are looking to secure their networks and systems before any intrusion attacks occur.

As electronic media dominates organizations and drives the growth of the Internet, an organization's success, whether large or small, depends on the interconnectivity of computers. This interconnectivity within an organization or among its peers involves a variety of entities such as partners, suppliers, customers and even competitors. The growth of electronic business is dependent on the level of trust among all these entities.

With the passage of time, as interaction with computers increases in organizations, they are becoming very sensitive towards security, because every day they have to face different types of organizational threats, which can come from within or outside the organization. Although attacks on computers by outside intruders are widely known, attacks caused by insiders are also becoming crucial and are often more damaging.

Insider threats are mainly caused by the people working within the organization, and they represent the greatest threat to computer security because they understand the organization's working environment and its security policies. Insiders have both the access and the confidence needed to perform malicious acts. Because insiders are trusted employees of the organization, they have a higher probability of successfully breaking into the system and extracting critical information. They are authorized a level of access to the file system and granted a degree of trust, so they represent the greatest challenge to securing the company network (Nguyen and Reiher 2003).

To handle insider threats, many intrusion detection systems are available. A lot of research has been done on improving and advancing these intrusion detection systems, but little attention has been given to the prime issues that would facilitate effective and efficient use of these IDSs from a specific organization's point of view. Efforts have been made towards a generic framework for the implementation and use of IDSs, but there is no framework specifically for the detection of insider threats and the mitigation of insider attacks (Tarimo 2003).

The purpose of my research is to propose a framework specific to insider threats within any organization and to show how IDSs should be organized in such a situation.

In this chapter a framework that captures deployment requirements for insider intrusion detection systems is proposed. With such a generic framework, users will be equipped with a tool, in the form of an increased understanding, that should help them make effective, informed decisions regarding insider IDS product selection, planning, implementation and operation in organizations' networks.

3.1 Introduction to Framework

The proposed framework is composed of a series of activities that starts with project feasibility, proceeds through organization structure analysis, potential environmental risk analysis, design considerations and system deployment, and ends, last but not least, with the maintenance phase.

The goal of this framework is to help organizations identify requirements that enable defense against insider threats. The six steps of the intrusion detection process framework form a cascade, as depicted in Figure 3.1. A secure system depends heavily on all of these phases. The feasibility study and organization structure analysis phases influence the whole process of making an organization's network secure. The design consideration and deployment phases are crucial to securing systems from insider threats. The last phase, maintenance, provides ongoing upkeep because security requirements change with the passage of time.

The following is a brief description of the framework activities:

3.1.1 Project feasibility

The feasibility study is a detailed analysis of the preferred security development strategy as determined in planning, resources and budget. The feasibility study confirms the need for a secure system and the recommendations that need to be undertaken to enhance the security of the system.

A Feasibility Study has the following activities:


3.1.2 Organization Structure Analysis

Along with the external threats there may be a variety of insider threats in any organization. For example, there are the people developing a system - who may intentionally inject backdoors - and there are different kinds of users of the operational system who have different rights and thereby differ in the harm they are capable of inflicting on the system. Before procedures, practices and controls can be put into use, or technologies acquired and implemented, the organization's leadership and management must define, document, approve and disseminate "what" is to be done, taking the size of the organization into account. This is the role of policy. On this point as well, the main concern is to generate as complete a picture as possible of the organization and of the persons who are involved in managing and using the system (Røstad 2005).

Only with an overview of the organization and what the system is supposed to do, and who will use it, is it possible to start identifying potential attackers, weak spots and threats.

3.1.3 Potential environmental risks analysis

The next step is to identify and analyze the potential environmental risks that may harm the system, i.e. the possible threats and attacks.

3.1.3.1 Understand the real threats to the system

In this activity the threats to the organization are identified in the following areas:

Organization Security

A comprehensive risk analysis of any organization can identify the threats the organization has to face from its own employees in the form of insider threats. Threats to organization security from employees or insiders vary from organization to organization. Threats common to organization security regarding employees are privilege/trust abuse, dishonesty and human error.

Information Security

Information security is the protection of data against unauthorized access, disclosure, modification, or destruction, whether accidental or intentional. Information security includes the techniques, policies and strategies used to ensure that the assets of the organization are secure from malicious intruders. It is important to identify the right balance of security measures and controls such that the right people access the right information at the right time (Paul 2001).

Physical Security

Physical security is a major issue in all organizations. It is necessary to identify and analyze the physical security threats in order to take reasonable measures to ensure the physical security of the organization's systems and networks. Insider threats corresponding to physical security include any unauthorized physical access to systems, failure of any equipment, intentional damage to information, and disasters such as fire or water, which are also internal security threats to systems in organizations.

3.1.3.2 Analysis and Prioritization of the identified threats

The goal of this step is to analyze and assess the previously identified security threats. The purpose of this activity is to know whether these threats are relevant, not relevant or indifferent to the organization. Threats are prioritized as follows (Grandvaux 2004):

Physical security threats are mostly considered irrelevant threats because, like fire and flood, they are difficult to predict before they happen. All internal security threats are considered relevant threats (Grandvaux 2004).

3.1.4 Design considerations

The design choices are numerous and varied due to advances in, and the low cost of, intrusion detection systems.

Leveraging the existing Standards

While considering the design of secure systems, it is an important activity to analyze the already existing standards and how they have come to be used for protection against the threats.

Identity and Access Management

Identify the critical assets that may become the targets of threats, how they will be targeted and how they can be protected. What resources are accessed, and by whom, is also of great importance when designing secure systems.

Type of systems architecture in use

To select an intrusion detection system and to develop a secure system it is necessary to analyze the system architecture of your organization, because most intrusion detection systems and threat prevention tools work with specific operating systems. For example, most intrusion detection systems support common Unix or Windows systems, but if a significant part of the infrastructure is based on mainframe computing, there may be an issue in that the IDS does not cover major assets.

3.1.5 System Deployment

When the intrusion detection security plan reaches the full deployment phase, there are concerns that should be considered. Some may or may not be relevant to all organizations and environments, but it matters to know them (Tarimo 2003).

Cultural

Cultural problems essentially relate to the reaction to monitoring. For example, some individuals may oppose monitoring, considering it an invasion of privacy and the like.

Legal

Before deploying any type of IDS, it is worth checking the local laws governing such issues as privacy and computer misuse. This is especially true if the IDS is to be used to produce forensic evidence for law enforcement.

Politics

Organizational politics are significant in any enterprise-wide deployment. If there are divisions, each with their own test criteria, it is more likely that such divisions will slow down a deployment.

Position

If there are divisions, each with their own test criteria, then it is crucial to determine the positions in which to deploy the intrusion detection systems and the related reactions to the identified threats within these divisions. The positions in which they are deployed are determined by three fundamentals:

  1. Organization divisions are significant and deployments depend on the different divisions and their test criteria.

  2. The network segment contains assets that require protection and are at risk from attack.

  3. The network segment would give a sensor the ability to predict an attack or defend against an attack.

Target ownership

While deploying agents, depending on the environment's structure, you may well run into territorial individuals who will not let you touch "their" machines. If this kind of division exists in your environment, it might be difficult to have a smooth deployment.

The above are some of the concerns that should be known in advance and planned for in case they turn out to apply to the deployment environment.

3.1.6 Maintenance

Security maintenance is a critical issue: once the security plan is implemented successfully, the implemented security set-up should be monitored periodically. It is also important to review the security plan on a regular basis, because as organizations change, so do their security requirements.

CHAPTER 4

RESULTS & DISCUSSIONS

In the previous chapters of this thesis I discussed insider threats and then proposed a framework for detection and reaction mechanisms for different organizations' networks. Integration of detection and reaction mechanisms into organizations' networks has become an integral part of an organization's IT infrastructure. In order to achieve a substantial level of security and prevent insider threats, it is important to take all activities of the framework into account. In this chapter I cover insider attacks in an organization through a case study at the University of Management of Information Technology (MIT). In this case study I have exercised the proposed framework to make the university's network more secure. My discussion looks particularly into the framework activities and deployment challenges, focusing on major issues in implementing an IDS and a strategy for achieving success.

4.1 The Organization Case Study

Like most major educational institutions, MIT is a prime target for hackers and insider threats. The university has a Lincoln Laboratory in which research is in progress to make the university network secure from different types of threats. The most important thing MIT wants to prevent is a hacker or malicious insider commandeering one of its machines and using it to stage attacks against a research facility. This restructuring took place in different dimensions; for example, some portions involved designing and extending new networks, while others involved redesigning existing ones to provide for new capabilities. Among these activities was a task involving the design, development and deployment of detection and response capability into the existing IT infrastructure. Apparently this decision came after realizing the risks and threats to which the entire network was being exposed. To protect its network, the university installed a variety of security devices, including multiple intrusion prevention systems, firewalls and vulnerability assessment tools.

Project feasibility

A feasibility study is an important part of creating a new project. In a feasibility study the budget, cost and time frame for the new project are estimated. The feasibility study describes one or more solutions to a specific problem and determines whether the proposed solution is practical and feasible. More than one solution is offered and the solutions are compared in order to find the best option. Feasibility reports are crucial for decision making and product development in almost any technical organization. The university was already working on security threats, so it was feasible for me to exercise my framework for verification.

Organization Structure Analysis

Like most major educational institutions, MIT is a prime target for hackers and insider threats. The university has a Lincoln Laboratory in which researchers are busy developing different strategies to make the university more secure. The most important thing the university wants to prevent is a hacker or malicious insider commandeering one of its machines and using it to stage attacks against a research facility. The university has few people or employees to handle network security.

Potential environmental risks analysis

Risk assessment is the process of identifying risks to reputation, functions, operations, assets or individuals by determining the likelihood of occurrence, the expected impact, and the appropriate security controls to mitigate that impact. Insiders use different means to attack an organization. Their attacks on the organization are typically limited to the skill sets, experience and education exhibited while still an employee of the organization. Insiders have different motives, e.g. to gain more access to the organization's critical assets, to take revenge, or to gain financial benefits. Different organizations have different types of assets, so it is very important to analyze these assets and classify them according to their importance.

In MIT different types of attackers can be seen: masqueraders, who are usually outsiders; misfeasors, who are usually insiders (that is, they belong to the same company or organization); and clandestine users, who can be either outsiders or insiders. Attacks by intruders can range from simple to serious. The university's laboratory has classified data, meaning a data set is taken from the networked environment and then classified by attack name. The attack name can be one of "-, guess, phf, port-scan, rcp, rlogin and rsh".

Design Considerations

Depending on the technical infrastructure, multiple, overlapping protection approaches are used to ensure that the failure or circumvention of any individual protection approach will not leave the system unprotected. Network design is also an important design consideration. The university has a WLAN network setup. Currently the university has Symantec Norton antivirus and a restrictive network firewall for its network security. In addition to the firewalls in the network, an IDS may be added to provide additional protection, say by monitoring violations of the firewall policies or attacks that got past the firewall.

System Deployment

The overall project goal is to improve the security posture of the entire campus network by introducing detection and, possibly, response capabilities. Rules can be defined by using the ID3 algorithm. ID3 stands for Iterative Dichotomiser 3. ID3 is based on the principle given by William of Ockham, a French logician and priest. The principle is famously known as Occam's razor, which states that, all other things being equal, the simpler solution is the best solution. The ID3 algorithm does not always give the minimum tree, as it is based on a heuristic, and that heuristic is entropy, or information gain. Below are the rules defined by using the ID3 algorithm.

Rules defined by using the ID3 algorithm

IF Source_port = {20 or 33017 or 43493 or 43494 or 43496 or 43497 or 43501 or 43504 or 43511 or 43516 or 43517 or 43518 or 43519 or 43521 or 43522 or 43524 or 43525 or 43526 or 43527 or 43528 or 43529 or 43530 or 43532 or 43533 or 43538 or 43540 or 43541 or 43546 or 43549 or 43555 or 43560 or 43566 or 43570 or 43571 or 43573 or 43581 or 43582 or 43583 or 43584 or 43587 or 43588 or 43589 or 43590 or 43591 or 43592 or 43593 or 43594 or 43595 or 43596 or 43597 or 43598 or 43599 or 43600 or 43602 or 43603 or 43606 or 43608 or 43610 or 43612 or 43613 or 43614 or 43617 or 43618 or 43619 or 43620 or 43621 or 43622 or 43623 or 43624 or 43625 or 1915 or 1916 or 1917 or 1922 or 1923 or 1924 or 1925 or 1926 or 1927 or 1931 or 1932 or 1933 or 1934 or 1936 or 1939 or 1941 or 1944 or 1945 or 1946 or 1947 or 1949 or 1951 or 1952 or 1953 or 1954 or 1956 or 1957 or 1958 or 1959 or 1961 or 1962 or 1963 or 1964 or 1965 or 1966 or 1967 or 1968 or 1976 or 1978 or 1982 or 1983 or 1984 or 1985 or 1986 or 1988 or 1989 or 1991 or 1993 or 1994 or 1995 or 1996 or 1997 or 1999 or 2000 or 2002 or 2003 or 2004 or 2005 or 2006 or 2007 or 2009 or 2010 or 2011 or 2012 or 2014 or 2016 or 2017 or 2018 or 2019 or 1908 or 1909 or 1910 or 1912 or 1913 or 1885 or 1886 or 1887 or 1889 or 1890 or 1891 or 1892 or 1900 or 1868 or 1869 or 1870 or 1873 or 1874 or 1875 or 1876 or 1877 or 1878 or 1879 or 1880 or 1881 or 1882 or 1883 or 1787 or 1788 or 1789 or 1790 or 1796 or 1804 or 1806 or 1807 or 1808 or 1810 or 1811 or 1814 or 1816 or 1818 or 1820 or 1826 or 1830 or 1832 or 1833 or 1834 or 1835 or 1836 or 1837 or 1838 or 1839 or 1841 or 1844 or 1846 or 1847 or 1848 or 1849 or 1850 or 1851 or 1852 or 1853 or 1855 or 1857 or 1859 or 1861 or 1864 or 1866 or 1031 or 1032 or 1033 or 1034 or 1035 or 1036 or 1037 or 1038 or 1039 or 1040 or 1041 or 1042 or 1048 or 1050 or 1754 or 1755 or 1756 or 1761 or 1769 or 1772 or 1778 or 1783} then there is no attack

IF Source_Port = 1022 and {Duration = 0:00:00 Or Duration = 0:00:03 Or Duration = 0:00:04 Or Duration = 0:00:05 Or Duration = 0:00:06 Or Duration = 0:00:11 Or Duration = 0:00:12 Or Duration = 0:00:13 Or Duration = 0:00:15 Or Duration = 0:00:16 Or Duration = 0:00:17 Or Duration = 0:00:18 Or Duration = 0:00:19 Or Duration = 0:00:20 Or Duration = 0:00:22 Or Duration = 0:00:23 Or Duration = 0:00:24 Or Duration = 0:00:34 Or Duration = 0:00:36 Or Duration = 0:00:37 Or Duration = 0:00:38 Or Duration = 0:00:40 Or Duration = 0:00:42 Or Duration = 0:00:44 Or Duration = 0:00:45 Or Duration = 0:00:48 Or Duration = 0:00:49 Or Duration = 0:00:53 Or Duration = 0:00:54 Or Duration = 0:00:57 Or Duration = 0:01:00 Or Duration = 0:01:01 Or Duration = 0:01:11 Or Duration = 0:01:18 Or Duration = 0:01:19 Or Duration = 0:01:23 Or Duration = 0:01:24 Or Duration = 0:01:26 Or Duration = 0:01:32 Or Duration = 0:01:40 Or Duration = 0:01:41} then there is no attack

IF Source_Port = 1022 and {Duration = 0:00:01 Or Duration = 0:00:02} then there is attack and name is rsh

IF Source_Port = 1022 and Duration = 0:00:14 then there is no attack

IF Source_Port = {1029 or 1030 or 2020 or 2021 or 2022 or 2023 or 2024 or 2025 or 2026 or 2028 or 2029 or 2030 or 2031 or 2032 or 2034 or 2035 or 2037 or 2038 or 2039 or 2040 or 2041 or 2042 or 2043 or 2044 or 2045 or 2046 or 2047 or 2048 or 2052} then there is an attack and it is named as port-scan.

IF Source_Port = 1867 or 1884 or 1906 or 1914 then there is attack but name is not known i.e. referred as guess.

IF Source_Port = 1784 then there is attack and it is named as phf.

2nd example

IF Score = no then there is no attack

IF Score = ok and Service = auth then there is no attack

IF Score = ok and (Service = exec or Service = finger or Service = ftp) then there is an attack named port-scan

IF Score = ok and Service = ftp-data then there is no attack

IF Score = ok and Service = http and Destination_IP = 192.168.0.20 then there is an attack named port-scan

IF Score = ok and Service = http and Destination_IP = 192.168.0.40 then there is an attack named phf

IF Score = ok and Service = http and Destination_IP = 192.168.1.30 then there is no attack.

IF Service = lpr then there is an attack named port-scan

IF Service = nfsd then there is an attack named port-scan

IF Service = pop-2 then there is an attack named port-scan

IF Service = pop-3 then there is an attack named port-scan

IF Service = rlogin and Destination_IP = 192.168.0.20 then there is an attack named port-scan

IF Service = rlogin and Destination_IP = 192.168.0.40 then there is an attack named port-scan

IF Service = rlogin and Destination_IP = 192.168.1.30 then there is no attack

IF Service = rsh and Destination_IP = 192.168.0.20 then there is an attack named port-scan

IF Service = rsh and Destination_IP = 192.168.0.40 then there is an attack named port-scan

IF Service = rsh and Destination_IP = 192.168.1.30 then there is an attack named rsh

IF Service = SMTP then there is no attack

IF Service = ssh then there is an attack named port-scan

IF Service = sunrpc then there is an attack named port-scan

IF Service = telnet and Destination_IP = 192.168.0.20 then there is an attack but its name is not known, i.e. it is guessed

IF Service = telnet and Destination_IP = 192.168.0.40 then there is an attack named port-scan.

On the basis of the above rules, an Intrusion Detection System was built on an experimental basis; its code is given below. The Controller class is the main class: it creates a Log object. In the Log constructor, objects of both LogFile and UserLog are created, and LogFile's readData function reads the records from the data set and stores them as UserLog objects in an ArrayList. After this, Controller calls the requestLogParse function of the Log class, which applies the rules. At the end, the saveData function of LogFile is called from Log to write the classified data to the DataSetClassified.txt file.

CODE

1. Controller

import java.util.*;

class Controller {
    Log l;

    Controller() {
        l = new Log();            // Log reads DataSet.txt in its constructor
        l.requestLogParse();      // apply the rules and write DataSetClassified.txt
    }

    public static void main(String arg[]) {
        Controller control = new Controller();
    }
}

2. User Log

class UserLog {
    int sid, sport, dport;
    String sdate, stime, duration, service, sip, dip, score, attackname;

    UserLog() {
        sid = 0;
        sport = 0;
        dport = 0;
        sdate = "";
        stime = "";
        duration = "";
        service = "";
        sip = "";
        dip = "";
        score = "";
        attackname = "";
    }

    // The parameter order matches one comma-separated record of DataSet.txt
    UserLog(int sid, String sdate, String stime, String duration, String service, int sport, int dport, String dip, String sip, String score, String attackname) {
        this.sid = sid;
        this.sport = sport;
        this.dport = dport;
        this.sdate = sdate;
        this.stime = stime;
        this.duration = duration;
        this.service = service;
        this.sip = sip;
        this.dip = dip;
        this.score = score;
        this.attackname = attackname;
    }
}

3. Log

import java.util.*;

class Log {
    ArrayList alllogs;
    LogFile lf;
    UserLog userlogobj;

    Log() {
        alllogs = new ArrayList();
        userlogobj = new UserLog();
        lf = new LogFile();
        alllogs = lf.readData();   // one UserLog per record of DataSet.txt
    }

    public void requestLogParse() {
        int i;

        // Example 1: rules on source port and duration.
        // The "no attack" rules are not coded; such records keep the label read from the data set.
        System.out.println("IDS3 Example-1");
        for (i = 0; i < alllogs.size(); i++) {
            userlogobj = (UserLog) alllogs.get(i);

            if (userlogobj.sport == 1022 && (userlogobj.duration.equals("0:00:01") || userlogobj.duration.equals("0:00:02")))
                userlogobj.attackname = "rsh";

            if (userlogobj.sport == 1029 || userlogobj.sport == 1030 || userlogobj.sport == 2020 || userlogobj.sport == 2021 || userlogobj.sport == 2022 || userlogobj.sport == 2023 || userlogobj.sport == 2024 || userlogobj.sport == 2025 || userlogobj.sport == 2026 || userlogobj.sport == 2028 || userlogobj.sport == 2029 || userlogobj.sport == 2030 || userlogobj.sport == 2031 || userlogobj.sport == 2032 || userlogobj.sport == 2034 || userlogobj.sport == 2035 || userlogobj.sport == 2037 || userlogobj.sport == 2038 || userlogobj.sport == 2039 || userlogobj.sport == 2040 || userlogobj.sport == 2041 || userlogobj.sport == 2042 || userlogobj.sport == 2043 || userlogobj.sport == 2044 || userlogobj.sport == 2045 || userlogobj.sport == 2046 || userlogobj.sport == 2047 || userlogobj.sport == 2048 || userlogobj.sport == 2052)
                userlogobj.attackname = "port-scan";

            if (userlogobj.sport == 1867 || userlogobj.sport == 1884 || userlogobj.sport == 1906 || userlogobj.sport == 1914)
                userlogobj.attackname = "guess";

            if (userlogobj.sport == 1784)
                userlogobj.attackname = "phf";
        }

        // Example 2: rules on score, service and destination IP.
        // Each rule is tested independently, so a later matching rule overwrites an earlier label.
        System.out.println("IDS3 Example-2");
        for (i = 0; i < alllogs.size(); i++) {
            userlogobj = (UserLog) alllogs.get(i);

            if (userlogobj.score.equals("ok") && (userlogobj.service.equals("exec") || userlogobj.service.equals("finger") || userlogobj.service.equals("ftp")))
                userlogobj.attackname = "port-scan";

            if (userlogobj.score.equals("ok") && userlogobj.service.equals("http") && userlogobj.dip.equals("192.168.0.20"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.score.equals("ok") && userlogobj.service.equals("http") && userlogobj.dip.equals("192.168.0.40"))
                userlogobj.attackname = "phf";

            if (userlogobj.service.equals("lpr"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("nfsd"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("pop-2"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("pop-3"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("rlogin") && userlogobj.dip.equals("192.168.0.20"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("rlogin") && userlogobj.dip.equals("192.168.0.40"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("rsh") && userlogobj.dip.equals("192.168.0.20"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("rsh") && userlogobj.dip.equals("192.168.0.40"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("rsh") && userlogobj.dip.equals("192.168.1.30"))
                userlogobj.attackname = "rsh";

            if (userlogobj.service.equals("ssh"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("sunrpc"))
                userlogobj.attackname = "port-scan";

            if (userlogobj.service.equals("telnet") && userlogobj.dip.equals("192.168.0.20"))
                userlogobj.attackname = "guessed";

            if (userlogobj.service.equals("telnet") && userlogobj.dip.equals("192.168.0.40"))
                userlogobj.attackname = "port-scan";
        }

        lf.saveData(alllogs);   // write the labelled records to DataSetClassified.txt
    }
}

4. Log file

import java.util.*;
import java.io.*;

class LogFile {
    FileReader fr;
    BufferedReader br;
    FileWriter fw;
    PrintWriter pw;
    ArrayList userlog;
    UserLog userlogobj;

    LogFile() {
        userlog = new ArrayList();
    }

    // Reads DataSet.txt, one comma-separated record per line:
    // sid,sdate,stime,duration,service,sport,dport,dip,sip,score,attackname
    public ArrayList readData() {
        try {
            fr = new FileReader("DataSet.txt");
            br = new BufferedReader(fr);
            String line, splitedline[] = new String[11];
            while ((line = br.readLine()) != null) {
                splitedline = line.split(",");
                userlogobj = new UserLog(Integer.parseInt(splitedline[0]), splitedline[1], splitedline[2], splitedline[3], splitedline[4], Integer.parseInt(splitedline[5]), Integer.parseInt(splitedline[6]), splitedline[7], splitedline[8], splitedline[9], splitedline[10]);
                userlog.add(userlogobj);
            }
            br.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return userlog;
    }

    // Writes the classified records in the same field order to DataSetClassified.txt
    public void saveData(ArrayList classifiedlog) {
        try {
            FileWriter fw = new FileWriter("DataSetClassified.txt");
            PrintWriter pw = new PrintWriter(fw);
            for (int i = 0; i < classifiedlog.size(); i++) {
                UserLog userlogobj = (UserLog) classifiedlog.get(i);
                pw.println(userlogobj.sid + "," + userlogobj.sdate + "," + userlogobj.stime + "," + userlogobj.duration + "," + userlogobj.service + "," + userlogobj.sport + "," + userlogobj.dport + "," + userlogobj.dip + "," + userlogobj.sip + "," + userlogobj.score + "," + userlogobj.attackname);
            }
            pw.flush();
            pw.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

The results obtained after running the code are shown in the appendix. The code classifies the data according to the attack types defined in the rules. This is initial work: any organization can take its own data, derive rules by applying the algorithm, and on the basis of the defined rules build an Intrusion Detection System to protect the network from insider threats as well as outsiders.
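As an added example (not the thesis's own code), the Example-2 rules above re-expressed as an ordered rule table in Python with first-match-wins evaluation, so that the "no attack" rules are explicit and a record no rule covers is flagged instead of silently keeping whatever label the data set carried. The sample records, the rule order and the "unclassified" label are assumptions.

```python
"""Data-driven version of the thesis's Example-2 rule set (added example)."""
import csv
import io

# Field order of one DataSet.txt record, as read by LogFile.readData.
FIELDS = ["sid", "sdate", "stime", "duration", "service",
          "sport", "dport", "dip", "sip", "score", "attackname"]

# Each rule is (conditions, label); conditions map a field to its allowed values.
# Rules are tried in order and the FIRST match wins, so the narrow "no attack"
# rules are listed before the broader service-only rules they carve out of.
RULES = [
    ({"score": {"no"}}, "no attack"),
    ({"score": {"ok"}, "service": {"auth", "ftp-data"}}, "no attack"),
    ({"score": {"ok"}, "service": {"exec", "finger", "ftp"}}, "port-scan"),
    ({"score": {"ok"}, "service": {"http"}, "dip": {"192.168.0.20"}}, "port-scan"),
    ({"score": {"ok"}, "service": {"http"}, "dip": {"192.168.0.40"}}, "phf"),
    ({"score": {"ok"}, "service": {"http"}, "dip": {"192.168.1.30"}}, "no attack"),
    ({"service": {"lpr", "nfsd", "pop-2", "pop-3", "ssh", "sunrpc"}}, "port-scan"),
    ({"service": {"rlogin", "rsh"}, "dip": {"192.168.0.20", "192.168.0.40"}}, "port-scan"),
    ({"service": {"rlogin"}, "dip": {"192.168.1.30"}}, "no attack"),
    ({"service": {"rsh"}, "dip": {"192.168.1.30"}}, "rsh"),
    ({"service": {"SMTP"}}, "no attack"),
    ({"service": {"telnet"}, "dip": {"192.168.0.20"}}, "guess"),
    ({"service": {"telnet"}, "dip": {"192.168.0.40"}}, "port-scan"),
]


def classify(record):
    """Return the label of the first rule whose conditions all hold for record."""
    for conditions, label in RULES:
        if all(record[field] in allowed for field, allowed in conditions.items()):
            return label
    return "unclassified"  # assumed label: no rule covers this record, review it


def classify_csv(text):
    """Parse DataSet.txt-style lines and return the records with labels applied."""
    labelled = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["attackname"] = classify(row)
        labelled.append(row)
    return labelled


# Constructed sample records in the DataSet.txt layout (not from the thesis's data set).
SAMPLE = """\
1,03/05/07,10:01:02,0:00:01,rsh,1022,514,192.168.1.30,10.0.0.5,ok,
2,03/05/07,10:01:05,0:00:00,http,1785,80,192.168.0.40,10.0.0.5,ok,
3,03/05/07,10:01:06,0:00:00,http,1786,80,192.168.0.20,10.0.0.5,ok,
4,03/05/07,10:02:00,0:00:03,SMTP,1790,25,192.168.0.20,10.0.0.7,ok,
5,03/05/07,10:02:30,0:00:10,telnet,1791,23,192.168.0.20,10.0.0.7,no,
6,03/05/07,10:03:00,0:00:02,imap,1792,143,192.168.0.20,10.0.0.7,ok,
"""

if __name__ == "__main__":
    for row in classify_csv(SAMPLE):
        print(row["sid"], row["service"], row["dip"], "->", row["attackname"])
```

Record 5 shows the ordering point: Score = no is decided before the telnet rule is reached, while record 6 (a service no rule mentions) is flagged rather than passed through unlabelled.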

CHAPTER 5

SUMMARY

There is growing and rapid change in business and organizational culture as the world becomes a global village. Most work is now done over the internet, because it is cost effective for an organization. So the organizational priorities around information security must emphasize those that enable the organization to maintain its essential services (at least at some degraded level) despite malicious attacks from insiders as well as outsiders. This emphasis raises different security issues that must deal with broad avenues of attack and the motivations of both attackers and defenders. Network security is a complicated subject, historically only tackled by well-trained and experienced experts. Systems which are distributed geographically support different kinds of activities, including studying and teaching, shopping for goods, and personal as well as commercial and international transactions. An organization may waste much time and many resources without having a clear view of the essential services it provides; resources and time are wasted detecting and analyzing attacks that have no impact on its ability to succeed. Computers can be compromised so easily, creating opportunities for attacks coming from inside the system, that it is very difficult to guarantee security in a complex network environment susceptible to a multitude of human and/or electronic threats. Network security attacks are not some theoretical concept that can be put into the background. These threats are not only at the perimeter of your network, where it connects to the outside world of untrusted networks, but also inside your trusted environment. An organization cannot consider itself safe simply because it would cost an insider more to find and exploit a system. The insider evaluates his potential financial gain in a larger context that includes all possible targets, and this vulnerability depends on the benefit the attacker draws from the organization.
The breaches resulting from insider threats are much more serious than those from outsiders. Organizations cannot eliminate the possibility of these insider threats because the attackers are trusted employees of the organization.

In my research I have developed a framework to capture insider threats. The framework consists of different activities, and by following these activities an organization can make its system more secure and reliable. On the basis of the framework, an intrusion detection system is introduced as justification of my work.

Future Work

My work is an initial phase, because what I achieved is not the end but rather the beginning. I have focused on simple requirements, or in other words general requirements, for an organization; more work can be done with respect to technical problems that may be faced in different system environments. Intrusion detection systems can be comprehended. They can increase the strength of these systems as they develop them by using market methods, and release systems with measured levels of strength.

