Post on 03-Jan-2016
Client: The Boeing Company
Contact: Mr. Nick Multari
Adviser: Dr. Thomas Daniels
Group 6: Steven Bromley, Jacob Gionet, Jon McKee, Brandon Reher
Insider Access Behavior
Research and validate existing algorithms, tools, and systems that can detect unauthorized data access and data movement
— This approach will be limited to open source and freely available solutions that address the problem
Develop our own toolset and algorithm that will use a user profile to detect unauthorized or abnormal data access and data movement
Problem Statement
Shall make use of pre-existing technologies
Shall take input from a variety of sources and systems
Shall correlate and filter relevant data
Shall alert when malicious activity is discovered
Shall have a system to provide notifications on alerts
Shall contain an algorithm that decides whether an attack is being committed
Functional Requirements
Shall have a low false-positive rate
Shall be inconspicuous to the malicious user
Shall provide alerts in a timely manner
The product shall abide by all licenses of open source software utilized
Non-functional Requirements
The product shall be scalable to a network of up to 1000 machines
The product shall have a low false positive rate
Data shall be obtained from Cyber Defense Competitions
Data shall be obtained from activity scripts
Technical Constraints & Considerations
• Insider Threat Prediction Tool: Evaluating the probability of IT misuse
• Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
• Composite Role-Based Monitoring (CRBM) for Countering Insider Threats
Literature Survey
Risk: No simulation data is found • Mitigation: Write activity scripts • Continue search for data
Risk: High false positive results • Mitigation: Continue to refine decision algorithm
Risk: Missed malicious attacks • Mitigation: Continue to refine filtering algorithm
Potential Risks & Mitigation
Resource Estimate
Item Team Hours Cost
Research Materials 180 $0
Dell PowerEdge T410 (8) 8 $6,392
Linux Red Hat 10 $350
NetBSD 10 $0
Splunk 3 $0
Ettercap 3 $0
Apache 2 $0
MySQL 2 $0
PHP 2 $0
Totals 220 $6,742
Item W/O Labor W/Labor
Research Materials $0 $3,600
Dell PowerEdge T410 (8) $6,392 $6,572
Linux Red Hat $350 $550
NetBSD $0 $200
Splunk $0 $60
Ettercap $0 $60
Apache $0 $20
MySQL $0 $40
PHP $0 $20
Algorithm N/A $6,000
Totals $6,742 $17,122
Research options for threat detection • Choice made on what methods will be used in product
Equipment has proper systems • All the systems of a LAMP architecture are installed on the machines allocated to the group
Data is obtained • Group has large amounts of data that contain both outside and inside malicious attacks
Project Milestones and Schedule
Log Analyzer • Gather logs from the different systems installed on the network, give them a standard format, and store them in a central repository
Network Analyzer
Profiling Algorithm • Profile log information, look for anomalies in user profile activity, and raise alerts when malicious activity is detected
Functional Decomposition
Installation Interface • Trusted administrators will have an initial interface in which they can input trusted users and the access control lists
Runtime Interface • Normal users will have no interface to the system
Alert Interface • Trusted administrators will view alert details in the form of an e-mail message sent to the trusted administrator list
User Interface
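As an added illustration of the profiling step in the Functional Decomposition above, combined with the access control lists that trusted administrators enter through the Installation Interface: this is not the group's code, and the normalized record format, the sample log lines and the ACL are all constructed assumptions. A record is reported as unauthorized when the resource is outside the user's ACL, and as abnormal when the user's own baseline (hosts used, hours of day seen) does not cover it.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, normalized as "<ISO timestamp>,<user>,<host>,<resource>,<action>"
BASELINE_LOGS = """\
2010-11-01T09:05:00,alice,ws01,/share/eng/specs,read
2010-11-01T10:20:00,alice,ws01,/share/eng/specs,read
2010-11-02T11:00:00,alice,ws01,/share/eng/drawings,read
2010-11-02T14:30:00,alice,ws01,/share/eng/specs,write
2010-11-03T09:45:00,bob,ws02,/share/finance/ledger,read
2010-11-03T16:10:00,bob,ws02,/share/finance/ledger,write
"""
TEST_LOGS = """\
2010-11-08T09:30:00,alice,ws01,/share/eng/specs,read
2010-11-08T23:15:00,alice,ws01,/share/eng/drawings,read
2010-11-08T10:00:00,alice,ws05,/share/eng/specs,read
2010-11-08T13:00:00,bob,ws02,/share/eng/specs,read
2010-11-08T12:00:00,carol,ws03,/share/finance/ledger,read
"""
# Constructed ACL as a trusted administrator would enter it: user -> allowed resources.
ACL = {"alice": {"/share/eng/specs", "/share/eng/drawings"}, "bob": {"/share/finance/ledger"}}

def parse(log_text):
    # Yield (timestamp, user, host, resource, action) for each non-empty record.
    for line in log_text.splitlines():
        if line.strip():
            ts, user, host, resource, action = line.split(",")
            yield datetime.fromisoformat(ts), user, host, resource, action

def build_profiles(log_text):
    """Per-user baseline: the hosts the user works from and the hours of day seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _, _ in parse(log_text):
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(ts.hour)
    return dict(profiles)

def check(log_text, profiles, acl):
    """Return (record_no, user, reason) alerts; an ACL violation outranks profile drift."""
    alerts = []
    for n, (ts, user, host, resource, action) in enumerate(parse(log_text), 1):
        if resource not in acl.get(user, ()):          # unauthorized: outside the ACL
            alerts.append((n, user, f"unauthorized {action} of {resource}"))
        elif user not in profiles:                     # nothing to compare against yet
            alerts.append((n, user, "no profile for user"))
        elif host not in profiles[user]["hosts"]:      # abnormal: unseen source host
            alerts.append((n, user, f"abnormal host {host}"))
        elif not min(profiles[user]["hours"]) <= ts.hour <= max(profiles[user]["hours"]):
            alerts.append((n, user, f"abnormal hour {ts.hour}"))  # outside usual hours
    return alerts
```

Running `check(TEST_LOGS, build_profiles(BASELINE_LOGS), ACL)` leaves the in-profile record 1 silent and reports records 2 to 5, which is the kind of per-user baseline that keeps the false-positive rate low without blinding the system to out-of-ACL access.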
Operating Systems
• NetBSD • Version 2.6.0
• Red Hat Enterprise Linux (RHEL) • Version 6.0
System Libraries
• Apache
• MySQL
• PHP
Third-Party Software
• Ettercap
• Snort
• Splunk
Software Platform
Test Environment
• Located on ISEAGE-provided computers
• Consists of a small-scale network that is designed to represent a scaled-down version of a generic enterprise network
• Focus is on the intranet traffic
Test Plan - Environment
Scenario 1: Network Traffic
Procedure
• Create controlled traffic on the network
• Compare the captured packets to the traffic created to determine if entire traffic sequences were captured.
Scenario 2: Log Gathering
Procedure
• Manually start the log gathering system to gather a known set of logs from predefined locations.
• Compare the logs retrieved with the logs in the source location to determine if all logs were successfully collected.
Test Plan - Design
Scenario 3: Entire System
Procedure
• Script various activity types, including malicious and legitimate activity
• Monitor generated alerts to verify that malicious and suspicious activities are the only events reported
• Measure the response time from activity to alert report
Scenario 5: Alert System
Procedure
• Input the alert flag / trigger to the system to create an alert
• Monitor the reporting mechanism to verify that the alert is created successfully
Test Plan – Design (cont.)
Machine Setup • Basic Installation Complete • Non-interference with ISU network
Data Detection Method
Location of Data Sources
Literature & Market Survey
Profiling Algorithm
Current Project Status
Task Responsibility
ID Task Name Start Finish Duration
1 Research 10/11/2010 12/17/2010 10w
2 Test bed 11/29/2010 12/17/2010 3w
3 Development 1/10/2011 3/4/2011 8w
4 Implementation 3/7/2011 4/29/2011 8w