The I3P is managed
by Dartmouth College



Insider Threat Project Publications & Resources

Listed below are the publications reported to the I3P as part of the Insider Threat Project (2007-2009). If a publication is not listed here and you think it should be, please send it to the I3P Administrative Office.

 

Journal Articles:

  • Maya Haridasan, Ingrid Jansch-Porto, Kenneth Birman, and Robbert van Renesse. Enforcing Fairness in a Live-Streaming System. Multimedia Computing and Networking (MMCN 08). January, 2008.
  • Chi Ho, Danny Dolev, Robbert van Renesse. Making Distributed Applications Robust. Proceedings of the 11th International Conference On Principles Of Distributed Systems (OPODIS'07). December, 2007.

 

Presentations:

  • Farzaneh Asgharpour, Debin Liu, Jean Camp. Risk Communication in Computer Security using Mental Models. Presented at the Workshop on the Economics of Cyber Security. November 5-6, 2007.
  • Fariborz Farahmand, Mikhail Atallah, and Benn Konsynski. Incentives and Perceptions of Information Security Risks. Presented at International Conference on Information Systems. December 2008.
  • Malek Ben Salem. Research and Priorities for Insider Attack. Presented at the ARO/FSTC/I3P Workshop on Insider Attack and Cyber-Security. April 15-16, 2008.
  • Maya Haridasan and Robbert van Renesse. Gossip-based Distribution Estimation in Peer-to-Peer Networks. Presented at the International Workshop on Peer-to-Peer Systems (IPTPS 08). February, 200
  • Chi Ho, Robbert van Renesse, Mark Bickford, Danny Dolev. Nysiad: Practical Protocol Transformation to Tolerate Byzantine Failures. Presented at the USENIX Symposium on Networked System Design and Implementation (NSDI 08). April, 2008.
  • Jeffrey Hunker. Tangible and Specific Challenges for Insider Threat Research. Presented at the IACS '07 Workshop on Insider Attack and Cyber Security. 2007.
  • Andrew Moore and Dawn Cappelli. Malicious Insider Threats. Presented at the I3P Consortium Meeting. 2007.
  • Andrew Moore. Malicious Insider Threats. Presented at the IACS '07 Workshop on Insider Attack and Cyber Security. 2007.
  • Ahmet Erhan Nergiz and Chris Clifton. A Privacy Preserving Credentialing System for Health Care. Presented at Secure Knowledge Management. November 3-4, 2008.
  • Sinclair. Policy and Integrated Approaches. Panel discussion at the ARO/FSTC/I3P Workshop on Insider Attack and Cyber-Security. April 15-16, 2008.
  • Smith. Call-to-Arms and Next Steps. Panel discussion at the ARO/FSTC/I3P Workshop on Insider Attack and Cyber-Security. April 15-16, 2008.
  • Yee Jiun Song, Robbert van Renesse, Fred B. Schneider, and Danny Dolev. The Building Blocks of Consensus. Presented at the 9th International Conference on Distributed Computing and Networking (ICDCN 08). January, 2008.

 

Books:

  • Stolfo, S.J.; Bellovin, S.M.; Hershkop, S.; Keromytis, A.D.; Sinclair, S.; Smith, S.W., Eds. Insider Attack and Cyber Security: Beyond the Hacker. Springer. March, 2008.
  • Salvatore J. Stolfo, Steven M. Bellovin, Angelos D. Keromytis, Shlomo Hershkop, Sean W. Smith and Sara Sinclair. A Survey of Insider Attack Detection Research. Published in Insider Attack and Cyber Security, book series Advances in Information Security. Springer. August 2008.



Resources:

  • Host-based sensors running on Linux and Windows for modeling user behaviors and detecting when decoy documents get loaded into memory.
    The Linux sensor collects audit data by hooking into the auditd kernel trap. The Windows sensor audits registry access, GUI touches, loading of shared DLLs into memory, as well as process creation and destruction. The sensors have integrated learning algorithms that model user search behavior, including SVMs, PAD and “Naïve Bayes”.
    A framework for Linux user commands and Windows applications was created and integrated with the sensors to allow richer models to be developed by classifying user actions into contextual categories. This modeling approach allows better detection of patterns of behavior that are indicative of malicious intent, and achieved a perfect masquerade attack detection rate (100%) with a very low false positive rate of 1.4% when applied to the RUU dataset.
    The sensors also include a file hook sensor, which is responsible for monitoring system-wide processes for any file accesses they perform to decoy files embedded in the file system.
  • RUU Data Set
    Normal computer user data for 34 users was collected after student volunteers agreed to install the sensors described above on their main machines and to share the data captured by the sensors for research purposes. The participants were all computer science students.
    Simulated masquerade attack data was also collected for 14 masqueraders: volunteers were solicited to take part in a capture-the-flag experiment by following the scenario and acting as masqueraders searching a colleague’s computer for files containing personal information for financial reasons.
    The aggregate of both datasets is known as the RUU dataset and is available for researchers to download and use to evaluate their masquerade attack techniques after signing a license agreement at: http://www.cs.columbia.edu/ids/RUU/data/
  • Decoy Document System
    An infrastructure for creating customized decoy documents in both PDF and MS Word formats was developed with hidden beacons and watermarks.
    The system, called DCubed, has a website front-end to allow users to generate decoy documents with customized information and register an email for alerting upon document access. The system supports roughly 6000 users, and around a million documents per user. The system also includes a website for tracking misuse of decoy documents. See http://www.cs.columbia.edu/ids/RUU/Dcubed and http://www.cs.columbia.edu/ids/RUU/SONAR

Experiment Design Documentation:

  • As a part of the research effort, MITRE generated detailed experiment documentation, which included user consent forms, a rules of behavior agreement, user scenario descriptions, an experiment script, a pre-experiment questionnaire, a post-experiment questionnaire, a post-experiment interview form, and subject matter expert review criteria. These documents have been described in the publications listed below and are available for review upon request.

Last Updated: 12/21/09