
Analysis Of Insider Risk Based On User Behaviors And Relationships

Posted on: 2016-10-23
Degree: Master
Type: Thesis
Country: China
Candidate: C Sun
GTID: 2308330461984237
Subject: Software engineering

Abstract/Summary:
With the development of information technology, information management systems, such as business operating systems, are employed to manage the operation of enterprises and organizations. Enterprises and organizations hold more and more digital assets, such as intellectual property rights and trade secrets. If these sensitive data are not properly protected, the result can be catastrophic losses for the enterprises and organizations. In recent years, most influential information security events have been caused by insider threats. A malicious insider is an employee, contractor or business partner who has or once had authorized access to an organization's information system and intentionally exceeds or misuses his/her privileges in a manner that negatively affects the confidentiality, integrity, or availability of the information system. Therefore, how to protect sensitive data has become an important problem in information security management.

To defend against insider threats, security policies are formulated and enforced in information systems according to the organization's security and business requirements. Permissions are used to restrict access to systems. In the role-based access control (RBAC) model, permissions are assigned to roles, and roles are then assigned to users. Security constraints, such as separation of duties, are enforced on sensitive tasks. Compliance auditing is also adopted to verify whether user behaviors comply with these policies. However, since malicious insiders are legitimate users who are authorized to access systems or information, it is a challenge to detect whether their motivations and behaviors are benign or malicious. Therefore, this paper addresses the problem from two aspects: abnormal behavior detection based on log files, and collusion risk evaluation based on user relationships.

The main contributions are as follows:

We tackle the insider threat problem by auditing user behaviors in both historical and horizontal views. Our purpose is to identify potentially malicious insiders. One view compares a user with a group of similar users to find whether the user's behaviors deviate from the normal behavior patterns. The other view compares a user's behaviors with his/her own historical behaviors to find abnormal changes. The normal patterns are created by probabilistic methods, based on the assumption that users associated with the same position should behave similarly in an information system. Users who deviate from the normal patterns should be suspected, and the degree of anomaly is evaluated as evidence consistent with the probability of being malicious. We also identify which activity results in anomalies, which can help an organization better understand its security status and make improvements. Such evaluation also provides a reference for setting the importance of activities in subsequent anomaly detection.

Furthermore, we address the collusion problem based on user behaviors and relationships. We propose two typical collusion problems and the corresponding collusion risk quantification methods by analyzing the two necessary factors of collusion, which are the anomaly of and the consistency between user behaviors. Collusion analysis in an RBAC system examines the correlations between users who cooperate on sensitive tasks more frequently than others. By means of a social network, we evaluate the closeness of users so as to quantify their collusion risk. To analyze the collusion problem in a weak social network, we propose a model of abnormal and correlative behavior analysis. The collusion risk is evaluated in combination with users' influence indexes.

In the experiments, we use real datasets to verify our methods. We analyze the results obtained under different parameter settings and compare our methods with the most closely related methods. The results show that our methods are more effective and efficient.
Keywords/Search Tags:Insider Threat, Behavior Audit, Collusion, Social Network