1. Technical Field
The present invention relates generally to real-time monitoring, auditing and protection of information assets in enterprise repositories such as databases, file servers, web servers and application servers.
2. Description of the Related Art
“Insider” intrusions are damaging to enterprises and cause significant corporate risk of different forms including: brand risk, corporate trade secret disclosure risk, financial risk, legal compliance risk, and operational and productivity risk. Indeed, even the specification of an insider intrusion creates challenges distinct from external intrusions, primarily because such persons have been authenticated and authorized to access the devices or systems they are attacking. Industry analysts have estimated that insider intrusions cost over $2.7 million per incident and in many cases are significantly more damaging than external intrusions by unauthorized users. As such, it is critical that if an insider intrusion is detected, the appropriate authorities must be alerted in real-time and the severity of the attack meaningfully conveyed. Additionally, because users who have complete access to the system carry out insider intrusions, it is important to have a mitigation plan that can inhibit further access once an intrusion is positively identified.
Classically, intrusion detection has been approached by classifying misuse (via attack signatures), or via anomaly detection. Various techniques used for anomaly detection include systems that monitor packet-level content and analyze such content against strings using logic-based or rule-based approaches. A classical statistical anomaly detection system that addressed network and system-level intrusion detection was an expert system known as IDES/NIDES. In general, statistical techniques overcome the problems with the declarative problem logic or rule-based anomaly detection techniques. Traditional use of anomaly detection of accesses is based on comparing sequence of accesses to historical learned sequences. Significant deviations in similarity from normal learned sequences can be classified as anomalies. Typical similarity measures are based on threshold-based comparators or non-parametric clustering classification techniques such as Hidden Markov models. While these known techniques have proven useful, content-based anomaly detection presents a unique challenge in that the content set itself can change with time, thus reducing the effectiveness of such similarity-based learning approaches.
It is also known that so-called policy languages have been used to specify FCAPS (fault-management, configuration, accounting, performance, and security) in network managements systems. For example, within the security arena, policy languages sometimes are used to specify external intrusion problems. These techniques, however, have not been adapted for use in specifying, monitoring, detecting and ameliorating insider intrusions.
In typical access management, it is also known that simple binary matching constructs have been used to characterize authorized versus unauthorized data access (e.g., “yes” if an access request is accompanied by the presence of credentials and “no” in their absence). In contrast, and as noted above, insider intrusions present much more difficult challenges because, unlike external intrusions where just packet-level content may be sufficient to detect an intrusion, an insider intrusion may not be discoverable absent a more holistic view of a particular data access. Thus, for example, generally it can be assumed that an insider has been authenticated and authorized to access the devices and systems he or she is attacking; thus, unless the behavioral characteristics of illegitimate data accesses can be appropriately specified and behavior monitored, an enterprise may have no knowledge of the intrusion let alone an appropriate means to address it.
Thus, there remains a long felt need to provide real-time monitoring, auditing and protection of information assets against attack from enterprise insiders.