Much research in computer security has focused on approaches for preventing unauthorized and illegitimate access to systems and information. However, one of the most damaging malicious activities is the result of internal misuse within an organization. This may be because much of the attention has been focused on preventative measures against computer viruses, worms, trojans, hackers, rootkits, spyware, key recovery attacks, denial-of-service attacks, malicious software (or malware), probes, etc. such that far less attention has been focused inward.
Insider threats generally include masqueraders and/or traitors. Masqueraders generally include attackers that impersonate another inside user, while traitors generally include inside attackers that use their own legitimate credentials to attain illegitimate goals. For example, identity theft in financial transaction systems is one example of a masquerade attack. Upon stealing a bank customer's commercial identity (e.g., their credit card or account information), a masquerader presents those credentials for the malicious purpose of using the customer's credit line to steal money. In another example, a disgruntled insider employee is an example of a traitor, where the traitor generally has full knowledge of the systems he or she routinely uses and the security policies in force and uses his or her knowledge and access to conduct unauthorized activities. In yet another example, the disgruntled insider employee can act as a traitor and a masquerader upon stealing the identity of another employee within the organization.
In addition, some external attackers can become inside attackers when, for example, an external attacker gains internal network access. For example, external attackers can gain access to an internal network with the use of spyware or rootkits. Such software can be easily installed on computer systems from physical or digital media (e.g., email, downloads, etc.) and can provide an attacker with administrator or “root” access on a machine along with the capability of gathering sensitive data. In particular, the attacker can snoop or eavesdrop on a computer or a network, download and exfiltrate data, steal assets and information, destroy critical assets and information, and/or modify information. Rootkits have the ability to conceal themselves and elude detection, especially when the rootkit is previously unknown, as is the case with zero-day attacks. An external attacker that manages to install a rootkit internally in effect becomes an insider, thereby multiplying the ability to inflict harm.
Current detection approaches generally monitor command line calls issued by users, system calls for unusual application use or events, database or file accesses, and the organization policy management rules and compliance logs. For example, one particular detection approach detects malicious insider activities by specifically monitoring violations of a “Need-to-Know” policy. Another approach builds an adaptive command line interface. However, these approaches failed to reveal or clarify the user's intent when issuing commands or running processes. In addition, these detection approaches produce results with unacceptable false positive rates.
There is therefore a need in the art for approaches for detecting masquerade attacks by monitoring computer user behavior. Accordingly, it is desirable to provide methods, systems and media that overcome these and other deficiencies of the prior art.