TY - JOUR
T1 - A Fine-Grained Approach for Anomaly Detection in File System Accesses with Enhanced Temporal User Profiles
AU - Mehnaz, Shagufta
AU - Bertino, Elisa
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2021
Y1 - 2021
AB - Protecting sensitive data from theft, exfiltration, and other kinds of abuse by malicious insiders is a challenging problem. While access control mechanisms cannot always prevent insiders from misusing sensitive data (since, in most cases, authorized users within organizations are granted access permissions), malicious outsiders also pose severe threats because security vulnerabilities in the systems, e.g., phishing attacks and memory corruption, enable them to steal the credentials of authorized users who have access to the data. To protect sensitive data from such attackers, anomaly detection techniques are often combined with other existing security measures, e.g., access control and encryption. Anomaly detection for file system accesses is based on the key idea that there should be significant differences between the file access behaviors of a benign user and an attacker. In this article, we propose an approach to create fine-grained profiles of users' regular file access activities while extensively analyzing the timestamp information of the file accesses. According to our observation, even if a user's access to a file seems benign, only a fine-grained analysis of the access (such as the size and timestamp of the access) can determine the user's original intention. We exploit the users' file access information at the block level to model their regular file access behaviors (user profiles), which are then securely stored and used to identify anomalous file system accesses in the detection phase. We are also able to automatically profile new files and new users added to the system dynamically. Finally, our performance evaluations demonstrate that our proposed approach has an accuracy of 98.7 percent in detecting anomalies while incurring an overhead of only 2 percent.
UR - http://www.scopus.com/inward/record.url?scp=85100103135&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85100103135&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2954507
DO - 10.1109/TDSC.2019.2954507
M3 - Article
AN - SCOPUS:85100103135
SN - 1545-5971
VL - 18
SP - 2535
EP - 2550
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 6
ER -