Techniques for detecting malicious or improper data modifications

Posted on: 2004-07-06
Degree: Ph.D
Type: Dissertation
University: George Mason University
Candidate: Goel, Rajni S
Full Text: PDF
GTID: 1468390011963245
Subject: Computer Science
Abstract/Summary:
In spite of the efforts in the security community in coming up with techniques to detect intrusions, the area of insider threats has not been sufficiently covered. The motivation is to provide protection against intrusions when traditional intrusion prevention methods fail. The problem is that currently only limited automated techniques to detect data corruption by misusers (insider threats or outside attackers masquerading as authorized users) are available. To address this, this research describes techniques that will deter and detect a knowledgeable intruder from embedding incorrect (yet maybe plausible) information into a database system (at the physical, file or application level), while maintaining minimal system costs during implementation.

Two new techniques are presented. One is a system incorporating multiple levels of checksums to overcome the weaknesses of the current signature-based approaches. The additional work in order for a malicious data modification to be successfully completed. A hashing function, strategies to combine and store first-level checksums, and data access patterns are incorporated into the design. The second technique is an application of Hidden Markov Models (HMMs) for cluster-based profiling for security. The algorithm uses a left-to-right HMM and clustering to profile the transactional behavior of records in a system. The proposed system determines a degree of acceptance for new transactions by calculating delta alphas. Delta alpha values of valid sequences of events are statistically significantly different from the delta alphas for the anomalous sequences.
Keywords/Search Tags:Techniques, Detect, Data