Designing of The Enterprise Insider-Threats Management System Based on Tasks and Activity Patterns

Design of an Integrated Insider Threat Management System Based on User Duties and Activity Patterns

  • 홍병진 (Korea National Defense University, Computer Engineering);
  • 이수진 (Korea National Defense University, Department of Defense Science, Computer Engineering)
  • Received : 2015.09.24
  • Accepted : 2015.10.28
  • Published : 2015.10.30

Abstract

Recent massive data breaches and major security incidents show that threats posed by insiders have greatly increased over time. In particular, authorized insiders can cause more serious problems than external hackers can. There is therefore a growing need for a system that can monitor insider threats in real time and prevent data breaches or security incidents at an early stage. In this paper, we propose an Enterprise Insider-Threats Management System (EITMS). EITMS detects the abnormal behaviors of authorized insiders based on the normal patterns built from their roles, duties, and private activities. In order to prevent breaches and incidents at an early stage, a scoring system that visualizes the insider threats is also included.

Recent large-scale data breaches and major security incidents show that security threats from insiders are increasing sharply. In particular, security incidents caused by authorized insiders produce far more damaging results than external intrusions, so the need is growing for a system that monitors insider threats in real time and blocks data leaks and security incidents at an early stage. This paper therefore proposes an Enterprise Insider-Threats Management System (EITMS). EITMS extracts normal patterns based on duties, roles, and individual activities and uses them to detect and manage, in real time, the threats that an insider with specific privileges could cause. It also includes a scoring system that visualizes threatening behavior so that data leaks and security incidents can be blocked early.
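The abstract describes two ingredients: normal patterns derived from a user's role, duties and individual activity, and a score that makes deviations from those patterns visible. The block below is an added illustration written for this page, not the EITMS implementation from the paper. It assumes a simplified event record (user, role, hour, resource category, bytes out), a constructed baseline log standing in for weeks of normal activity, and assumed weights and band thresholds; all of these are illustrative choices, not values from the paper.

```python
"""Illustrative insider-threat scoring over constructed access-log events.

Assumed design for this page, not the paper's EITMS: build a normal pattern
per role (resource categories and working hours) and per user (typical
outbound volume), then score each new event by how far it deviates and map
the score to a band that a dashboard could display.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Event:
    user: str
    role: str
    hour: int        # hour of day, 0-23
    resource: str    # resource category touched, e.g. "hr_db"
    bytes_out: int   # bytes transferred out of the resource


# Constructed baseline log standing in for weeks of normal activity.
BASELINE_LOG = [
    Event("alice", "hr", 9, "hr_db", 2_000),
    Event("alice", "hr", 11, "hr_db", 3_500),
    Event("alice", "hr", 14, "payroll", 1_200),
    Event("alice", "hr", 16, "hr_db", 2_800),
    Event("bob", "hr", 10, "hr_db", 1_500),
    Event("bob", "hr", 15, "payroll", 2_200),
    Event("carol", "dev", 9, "source_repo", 40_000),
    Event("carol", "dev", 20, "build_server", 55_000),
    Event("carol", "dev", 13, "source_repo", 48_000),
]

# Assumed weights of the three deviation components (sum to 1) and band limits.
WEIGHTS = {"resource": 0.4, "hour": 0.3, "volume": 0.3}
BANDS = [(25, "low"), (60, "medium"), (101, "high")]


class NormalPatterns:
    """Role- and user-level normal patterns learned from a baseline log."""

    def __init__(self, events):
        self.role_resources = defaultdict(set)   # role -> resources it normally uses
        self.role_hours = defaultdict(list)      # role -> hours it is normally active
        self.user_bytes = defaultdict(list)      # user -> outbound volumes seen
        for e in events:
            self.role_resources[e.role].add(e.resource)
            self.role_hours[e.role].append(e.hour)
            self.user_bytes[e.user].append(e.bytes_out)

    def score(self, e):
        """Return the deviation components, a 0-100 score and its band."""
        # Duty deviation: touching a resource the role never uses is a full hit.
        resource_dev = 0.0 if e.resource in self.role_resources.get(e.role, set()) else 1.0

        # Time deviation: hours outside the role's observed window, saturating at 6 h.
        hours = self.role_hours.get(e.role)
        if hours:
            outside = max(0, min(hours) - e.hour, e.hour - max(hours))
            hour_dev = min(1.0, outside / 6)
        else:
            hour_dev = 1.0  # unknown role: no pattern to compare against

        # Volume deviation: excess over the user's own mean, saturating at 5x the mean.
        history = self.user_bytes.get(e.user)
        typical = mean(history) if history else 0
        if typical > 0:
            volume_dev = min(1.0, max(0.0, (e.bytes_out - typical) / (4 * typical)))
        else:
            volume_dev = 1.0  # unknown user (or no measurable history)

        total = round(100 * (WEIGHTS["resource"] * resource_dev
                             + WEIGHTS["hour"] * hour_dev
                             + WEIGHTS["volume"] * volume_dev))
        band = next(name for limit, name in BANDS if total < limit)
        return {"user": e.user, "score": total, "band": band,
                "resource_dev": resource_dev, "hour_dev": hour_dev,
                "volume_dev": volume_dev}

    def triage(self, events):
        """Score a batch of live events and return them highest-risk first."""
        return sorted((self.score(e) for e in events),
                      key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    patterns = NormalPatterns(BASELINE_LOG)
    live = [
        Event("alice", "hr", 10, "hr_db", 2_500),          # ordinary HR work
        Event("bob", "hr", 21, "hr_db", 6_000),             # late and heavier than usual
        Event("alice", "hr", 23, "source_repo", 60_000),    # off-duty, off-hours, bulk pull
    ]
    for row in patterns.triage(live):
        print(f"{row['user']:6} score={row['score']:3} band={row['band']}")
```

Keeping the three components separate in the returned record, rather than only the total, is what makes the score explainable on a dashboard: an analyst can see whether an event is flagged because of an unusual resource, an unusual hour, or an unusual volume, which is the visualization role the abstract assigns to its scoring system.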
