TY - GEN
T1 - Ghostbuster
T2 - 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017
AU - Mehnaz, Shagufta
AU - Bertino, Elisa
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/3/22
Y1 - 2017/3/22
N2 - Protecting sensitive data against malicious or compromised insiders is a challenging problem. Access control mechanisms are not always able to prevent authorized users from misusing or stealing sensitive data as insiders often have access permissions to the data. Also, security vulnerabilities and phishing attacks make it possible for external malicious parties to compromise identity credentials of users who have access to the data. Therefore, solutions for protection from insider threat require combining access control mechanisms and other security techniques, such as encryption, with techniques for detecting anomalies in data accesses. In this paper, we propose a novel approach to create fine-grained profiles of the users' normal file access behaviors. Our approach is based on the key observation that even if a user's access to a file seems legitimate, only a fine-grained analysis of the access (size of access, timestamp, etc.) can help understanding the original intention of the user. We exploit the users' file access information at block level and develop a feature-extraction method to model the users' normal file access patterns (user profiles). Such profiles are then used in the detection phase for identifying anomalous file system accesses. Finally, through performance evaluations we demonstrate that our approach has an accuracy of 98.64% in detecting anomalies and incurs an overhead of only 2%.
AB - Protecting sensitive data against malicious or compromised insiders is a challenging problem. Access control mechanisms are not always able to prevent authorized users from misusing or stealing sensitive data as insiders often have access permissions to the data. Also, security vulnerabilities and phishing attacks make it possible for external malicious parties to compromise identity credentials of users who have access to the data. Therefore, solutions for protection from insider threat require combining access control mechanisms and other security techniques, such as encryption, with techniques for detecting anomalies in data accesses. In this paper, we propose a novel approach to create fine-grained profiles of the users' normal file access behaviors. Our approach is based on the key observation that even if a user's access to a file seems legitimate, only a fine-grained analysis of the access (size of access, timestamp, etc.) can help understanding the original intention of the user. We exploit the users' file access information at block level and develop a feature-extraction method to model the users' normal file access patterns (user profiles). Such profiles are then used in the detection phase for identifying anomalous file system accesses. Finally, through performance evaluations we demonstrate that our approach has an accuracy of 98.64% in detecting anomalies and incurs an overhead of only 2%.
UR - http://www.scopus.com/inward/record.url?scp=85018515051&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85018515051&partnerID=8YFLogxK
U2 - 10.1145/3029806.3029809
DO - 10.1145/3029806.3029809
M3 - Conference contribution
AN - SCOPUS:85018515051
T3 - CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
SP - 3
EP - 14
BT - CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
Y2 - 22 March 2017 through 24 March 2017
ER -