Formalising Policies for Insider-threat Detection: A Tripwire Grammar

Ioannis Agrafiotis, Arnau Erola, Michael Goldsmith, Sadie Creese
2017, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)
The threat that organisations face from within is growing significantly, as has been widely demonstrated by the harm that insiders have caused recently. For many years the security community has invested in barriers and perimeters of increasing sophistication, designed to keep those with malign intent outside the organisations' information infrastructures. But assuming that one can keep the threat out of an organisation is simply not a practical stance to adopt. In our research we are concerning ourselves with how technology might be deployed to help with the detection of insider threats, both automatically and in support of human-led mechanisms. This paper describes our recent research into how we might support threat detection when actions taken can be immediately determined to be of concern. In particular, we capture actions that fall into one of two categories: those that violate a policy specifically crafted to describe behaviours that should be avoided, and those that exhibit behaviours following the pattern of a known insider-threat attack. We view these concerning actions as something for which we can design and implement tripwires within a system to detect them. We then orchestrate these tripwires in conjunction with an anomaly detection system. We present a review of the security policies organisations apply and a grammar to describe tripwires. We further validate our grammar by formalising the most common tripwires for both categories. Our aim is to provide a single framework for unambiguously capturing tripwires, alongside a library of existing ones in use. Tripwires may therefore be used to map experiences regardless of the heterogeneity of the security tools and practices deployed.
doi:10.22667/jowua.2017.03.31.026 (https://doi.org/10.22667/jowua.2017.03.31.026)
dblp:journals/jowua/AgrafiotisEGC17 (https://dblp.org/rec/journals/jowua/AgrafiotisEGC17.html)
fatcat:zixro43rbrfezjdkm5abqikilq (https://fatcat.wiki/release/zixro43rbrfezjdkm5abqikilq)
Full text (Web Archive PDF): https://web.archive.org/web/20200109034328/http://isyou.info:80/jowua/papers/jowua-v8n1-2.pdf