A generic architecture for insider misuse monitoring in IT systems

Author

  • Aung Htike Phyo
Abstract

Intrusion Detection Systems (IDS) have been widely deployed within many organisations' IT networks to detect network penetration attacks by outsiders and privilege escalation attacks by insiders. However, traditional IDS are ineffective for detecting abuse of legitimate privileges by authorised users within the organisation, i.e. the detection of misfeasance. In essence, insider IT abuse does not violate system-level controls, yet it violates the acceptable usage policy, business controls, or code of conduct defined by the organisation. The acceptable usage policy can vary from one organisation to another, and the acceptability of a user activity can also change depending upon the user(s), application, machine, data, and other contextual conditions associated with the entities involved. The fact that the perpetrators are authorised users and that insider misuse activities do not violate system-level controls makes detection of insider abuse more complicated than detection of attacks by outsiders. The overall aim of the research is to determine novel methods by which monitoring and detection may be improved to enable successful detection of insider IT abuse. The discussion begins with a comprehensive investigation of insider IT misuse, encompassing the breadth and scale of the problem. Consideration is then given to the sufficiency of existing safeguards, with the conclusion that they provide an inadequate basis for detecting many of the problems. This finding is used as the justification for considering research into alternative approaches.
The realisation of the research objective includes the development of a taxonomy for identifying the various levels within the system from which the data relevant to each type of misuse can be collected, and the formulation of a checklist for identifying applications that require misfeasor monitoring. Based upon this foundation, a novel architecture for monitoring insider IT misuse has been designed. The design allows new analysis procedures to be added, while providing methods to include relevant contextual parameters from dispersed systems for analysis and reference. The proposed system differs from existing IDS in that it focuses on detecting contextual misuse of authorised privileges and legitimate operations, rather than exploitation of network protocols and system-level vulnerabilities. The main concepts of the new architecture were validated through a proof-of-concept prototype system. A number of case scenarios were used to demonstrate the validity of the analysis procedures developed and how contextual data from dispersed databases can be used to analyse various types of insider activity. This helped show that existing detection technologies can be adopted for the detection of insider IT misuse, and that the research has thus made a valuable contribution to the domain.
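The abstract's central point is that every action a misfeasor performs is permitted at system level, so the analysis has to join each audit record with context held in other systems (who the user is, which machine and application were involved, what the data is) and judge acceptability from that. The following Python is an added illustration of that kind of contextual analysis; it is not the thesis's prototype and does not reproduce its taxonomy or checklist. The HR directory, asset inventory, data register, rule names and audit events are all constructed, hypothetical values.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    user: str
    action: str        # "read", "export", "print", ...
    application: str   # program that performed the action
    obj: str           # file, record or table touched
    host: str
    ts: datetime


# Constructed stand-ins for context held in dispersed systems (HR directory,
# asset inventory, data-classification register). Hypothetical values.
HR_DIRECTORY = {
    "alice": {"role": "payroll_clerk", "dept": "finance", "status": "active"},
    "bob":   {"role": "sysadmin",      "dept": "it",      "status": "active"},
    "carol": {"role": "sales_rep",     "dept": "sales",   "status": "notice_period"},
}
ASSET_INVENTORY = {
    "fin-ws-01":   {"owner_dept": "finance"},
    "sales-lt-07": {"owner_dept": "sales"},
}
DATA_REGISTER = {
    "payroll.xlsx":      {"owner_dept": "finance", "sensitivity": "confidential", "apps": {"excel"}},
    "customer_list.csv": {"owner_dept": "sales",   "sensitivity": "confidential", "apps": {"crm"}},
}
WORKING_HOURS = range(8, 18)               # 08:00-17:59, assumed policy
EXFIL_ACTIONS = {"export", "print", "copy"}
PRIVILEGED_ROLES = {"sysadmin"}            # roles allowed across department boundaries


def enrich(evt):
    """Join one audit event with context from each dispersed source."""
    return {"hr": HR_DIRECTORY.get(evt.user, {}),
            "host": ASSET_INVENTORY.get(evt.host, {}),
            "data": DATA_REGISTER.get(evt.obj, {})}


def rule_cross_department(evt, ctx):
    """Data owned by another department, accessed by a non-privileged role."""
    if ctx["hr"].get("role") in PRIVILEGED_ROLES:
        return None
    owner = ctx["data"].get("owner_dept")
    return "cross_department" if owner and owner != ctx["hr"].get("dept") else None


def rule_foreign_host(evt, ctx):
    """Workstation assigned to another department, used by a non-privileged role."""
    if ctx["hr"].get("role") in PRIVILEGED_ROLES:
        return None
    owner = ctx["host"].get("owner_dept")
    return "foreign_host" if owner and owner != ctx["hr"].get("dept") else None


def rule_out_of_hours_sensitive(evt, ctx):
    """Confidential data touched outside working hours."""
    if ctx["data"].get("sensitivity") == "confidential" and evt.ts.hour not in WORKING_HOURS:
        return "out_of_hours_sensitive"
    return None


def rule_unapproved_application(evt, ctx):
    """Registered data handled by a program not registered for it."""
    apps = ctx["data"].get("apps")
    return "unapproved_application" if apps and evt.application not in apps else None


def rule_leaver_exfil(evt, ctx):
    """Export/print/copy by a user serving a notice period."""
    if ctx["hr"].get("status") == "notice_period" and evt.action in EXFIL_ACTIONS:
        return "leaver_exfil"
    return None


RULES = [rule_cross_department, rule_foreign_host, rule_out_of_hours_sensitive,
         rule_unapproved_application, rule_leaver_exfil]


def analyse(events):
    """Return, per event, the names of the policy rules it violates (empty = acceptable)."""
    results = []
    for evt in events:
        ctx = enrich(evt)
        results.append([name for name in (rule(evt, ctx) for rule in RULES) if name])
    return results


# Constructed audit trail. Every action below is permitted at system level;
# only the joined context decides whether it is acceptable.
SAMPLE_EVENTS = [
    AuditEvent("alice", "read",   "excel",      "payroll.xlsx",      "fin-ws-01",   datetime(2007, 3, 5, 10, 0)),
    AuditEvent("alice", "export", "excel",      "payroll.xlsx",      "fin-ws-01",   datetime(2007, 3, 5, 23, 30)),
    AuditEvent("carol", "export", "crm",        "customer_list.csv", "sales-lt-07", datetime(2007, 3, 5, 14, 0)),
    AuditEvent("alice", "read",   "powershell", "customer_list.csv", "sales-lt-07", datetime(2007, 3, 5, 10, 0)),
    AuditEvent("bob",   "read",   "excel",      "payroll.xlsx",      "fin-ws-01",   datetime(2007, 3, 5, 10, 0)),
]

if __name__ == "__main__":
    for evt, findings in zip(SAMPLE_EVENTS, analyse(SAMPLE_EVENTS)):
        print(f"{evt.user:6} {evt.action:7} {evt.obj:18} {evt.host:12} -> {findings or 'acceptable'}")
```

The same read of `payroll.xlsx` from `fin-ws-01` is acceptable for the payroll clerk during the day and for the sysadmin, but the clerk's midnight export of the same file and her read of the sales file from a sales laptop through an unregistered program are each flagged, and the sales representative's export is flagged only because the HR record says she is leaving. None of these decisions could be made from the operating-system audit log alone, which is the gap the abstract describes; the rules and exemptions here are one possible policy, and in practice they would be tuned to the organisation's own acceptable usage policy.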


Similar resources

Future study of Description System Architecture Approaches with Emphasis on Strategic Management

Systems Architecture is a generic discipline to handle objects (existing or to be created) called systems, in a way that supports reasoning about the structural properties of these objects. Systems Architecture is a response to the conceptual and practical difficulties of the description and the design of complex systems. ...


An insider misuse threat detection and prediction language

By Georgios Vasilios Magklaras BSc (Hons) MPhil. Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is diffi...


The Insider Misuse Threat Survey: Investigating IT misuse from legitimate users

The majority of computer security methods tend to focus upon the detection and prevention of security incidents of external origin. However, a number of surveys and media reports indicate the dangers of legitimate user misuse of IT resources, a separate category of computer security incidents with serious consequences for the integrity, privacy and availability of computer systems and networks....


A Framework For Monitoring Insider Misuse Of It Applications

Many security incidents involve legitimate users who misuse their existing privileges, such that they have the system-level right to perform an action, but not the moral or ethical rights to do so. Current Intrusion Detection Systems are ineffective in this context, because they do not have knowledge of user responsibilities, the normal working scope for a particular position, or the separation...


LUARM – An audit engine for insider misuse detection

'Logging User Actions in Relational Mode' (LUARM) is an open source audit engine for Linux. It provides a near real-time snapshot of user-action data such as file access, program execution and network endpoint activity, all organised in easily searchable relational tables. LUARM attempts to solve two fundamental problems of the insider IT misuse domain. The first concerns the...


Publication date: 2007