Lecture
Insider Threat Detection: Host and Network Monitoring Techniques
Speaker: Salvatore J. Stolfo, Dept. of Computer Science, Columbia University
Date: Wednesday, 16 July 2008
Time: 12:00-14:00
Location: "Stelios Orphanoudakis" Seminar Room, FORTH, Heraklion, Crete
Host: E. Markatos
Abstract:
The problem of insider threat is one of the most vexing problems for computer security research. We will present an overview of an ongoing collaborative project aimed at understanding human behavior and the insider threat. The organizations involved include Carnegie Mellon University, Columbia University, Cornell University, Dartmouth College, Indiana University, MITRE Corporation, Purdue University, and the RAND Corporation. Two primary objectives serve to focus and integrate the proposed research activities: technology exploration and environmental constraints. The first objective addresses the need for base technologies to monitor insider behavior, coupled with behavioral descriptions of suspicious, inappropriate or illegitimate events or activities. The second objective addresses the need for a methodological framework for handling incipient and actual insider behavior once it is recognized.

In this talk we describe some of the ongoing research at Columbia that aims to develop technology and monitoring functions that will provide a lightweight, robust, and scalable event processing infrastructure that can be deployed in a range of at-risk enterprises (e.g. the U.S. military, banks, chemical plants and refineries, and border and port security systems). Our work involves the implementation of host-based sensors that detect unusual user behavior indicative of insider attack. We present an overview of prior work on masquerade detection and our most recent work to incorporate context and infer intent in order to more accurately identify potential insider attacks. We also detail our current work on network-based decoy traffic and on detecting misuse of honeytokens: purposely placed, realistic-looking decoy data designed to entice traitors into revealing their nefarious actions.
Bio:
Salvatore J. Stolfo is Professor of Computer Science at Columbia University. He received his Ph.D. from NYU Courant Institute in 1979 and has been on the faculty of Columbia ever since. (See http://www.cs.columbia.edu/~sal.) He has published well over 160 formal scientific papers in the areas of parallel computing, AI knowledge-based systems, data mining, computer security, and intrusion and anomaly detection systems. His most recent research has been devoted to distributed data mining systems with applications to fraud and intrusion detection in network information systems. (See http://www.cs.columbia.edu/ids for complete details.) He has been awarded 15 patents in the areas of parallel computing and database inference, internet privacy, intrusion detection and computer security. He served as the Chairman of the Computer Science Department and the Director of the Center for Advanced Technology at Columbia University. He recently co-chaired several workshops in data mining, intrusion detection and Digital Government, co-chaired the program committee of the ACM SIGKDD 2000 Conference, and organized two recent workshops sponsored by NSF, ARO and the Department of the Treasury in the area of computer security and insider attack threats. He is a member of three editorial boards and a reviewer for many of the most prestigious journals in computer security, as well as a member of several program committees for the top conferences in the area. He was also an expert witness in the DOJ versus Microsoft "browser wars" case. He was a member of the Congressional Internet Caucus Advisory Committee and of the Visa 3D Secure Authenticated Internet Payments Vendor Program. He was a consultant to the CTO of Citicorp for several years, and helped organize the Financial Services Technology Consortium. He is a board member and treasurer of a private organization of Professionals for Cyber Defense. Recently, he has participated in a DARPA ISAT study, served as a consultant to the director of the DARPA IPTO office as a member of the DARPA Futures Panel, and is a member of the National Academies National Research Council / Naval Studies Board (NSB) Committee on Information Assurance for Network-Centric Naval Forces.