
Research On Insider Threat Detection Techniques

Posted on: 2009-01-11
Degree: Master
Type: Thesis
Country: China
Candidate: C Sun
Full Text: PDF
GTID: 2178360278456824
Subject: Computer Science and Technology

Abstract/Summary:
The wide use of the Internet brings not only great convenience but also severe threats to information security. As research on information security deepens, people have gradually come to recognise the importance of insider threat, which seems new but has in fact existed for a long time. Compared with threats arriving over the Internet, insider threats to information systems differ in many respects and may be more difficult to deal with. The damage insider threats can cause prompts the search for workable solutions.

Anomaly detection is an important branch of intrusion detection research, and choosing the right characteristics, which generally describe the state of programs, is decisive for its results. System calls, which bridge programs and the operating system, can be observed to determine whether programs are behaving normally. At present, however, anomaly detection based on system calls is mostly discussed for operating systems other than Windows. Therefore, in the new context of insider threats to information systems, this dissertation carries out an intensive study of insider threat detection techniques on the Windows operating system. The main work is as follows.

Firstly, the definition and notable attributes of insider threat are introduced, together with some useful models and solutions. A role-based conceptual model for detecting insider threat is proposed, the idea of which comes from Role-Based Access Control (RBAC).

Secondly, the various methods of system call interception on Windows are analysed. A method that collects Windows Native API calls by modifying the Interrupt Descriptor Table (IDT) is presented.

Then, two methods for detecting anomalies in system calls, based on sequence enumeration and on the Hidden Markov Model (HMM), are introduced. Since the standard solution to the HMM evaluation problem is not well suited to this specific application, a new approach to anomaly detection is presented, which is proved effective.

Finally, following the Common Intrusion Detection Framework (CIDF), a prototype insider threat detection system based on system calls is implemented. In a simulated internal network it is confirmed to be able to detect insider threat.
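The sequence-enumeration detector named in the abstract, as an added illustration that is not code from the thesis: it builds a per-role profile of the k-grams observed in normal system-call traces and flags any window never seen during training, the same idea the dissertation pairs with its role-based model. The role name, the Windows Native API traces and the alert threshold are constructed for this example.

```python
from typing import Dict, Iterable, List, Set, Tuple

Gram = Tuple[str, ...]

def enumerate_sequences(trace: List[str], k: int) -> List[Gram]:
    """All length-k windows of a system-call trace, in order (duplicates kept)."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

class RoleProfile:
    """Normal-behaviour profile for one role: the set of k-grams seen in its training traces."""
    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.normal: Set[Gram] = set()

    def train(self, traces: Iterable[List[str]]) -> None:
        for trace in traces:
            self.normal.update(enumerate_sequences(trace, self.k))

    def mismatches(self, trace: List[str]) -> List[Gram]:
        """Windows of the trace never observed during training (the anomaly signal)."""
        return [g for g in enumerate_sequences(trace, self.k) if g not in self.normal]

    def anomaly_score(self, trace: List[str]) -> float:
        """Fraction of windows that are mismatches: 0.0 means fully explained by the profile."""
        windows = enumerate_sequences(trace, self.k)
        return len(self.mismatches(trace)) / len(windows) if windows else 0.0

# Constructed sample traces of Windows Native API names (illustrative, not captured data).
CLERK_NORMAL = [
    ["NtOpenFile", "NtReadFile", "NtReadFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtClose"],
]
# Same role, but after the usual file read the program acts on another process.
CLERK_SUSPECT = ["NtOpenFile", "NtReadFile", "NtReadFile", "NtClose",
                 "NtOpenProcess", "NtTerminateProcess", "NtClose"]

def run_demo(threshold: float = 0.2) -> Dict[str, object]:
    """Train the hypothetical 'clerk' role profile and score one normal and one suspect trace."""
    profile = RoleProfile(k=3)
    profile.train(CLERK_NORMAL)
    suspect = profile.anomaly_score(CLERK_SUSPECT)
    return {
        "normal_score": profile.anomaly_score(CLERK_NORMAL[0]),
        "suspect_score": suspect,
        "unseen_windows": profile.mismatches(CLERK_SUSPECT),
        "alert": suspect > threshold,
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The first two windows of the suspect trace match the profile and the last three do not, so the score is 0.6 and the trace is raised as an alert; in practice the threshold is tuned per role against false-positive rates on held-out normal traces.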
Keywords/Search Tags: insider threat, role, anomaly detection, system call, system call interception, Hidden Markov Model (HMM)