www.syrres.com
A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats
Information Assurance for the Intelligence Community
Goals
To develop an insider threat model for detecting malicious insider behavior based on the context of the user's task, their role within the organization and the semantic content of communications and documents associated with the user.
To develop a prototype software implementation of the CRS-based insider threat model and demonstrate that this model can reliably detect risks associated with malicious insider behavior.
Novel Ideas
Novel method for monitoring and assessing risk of individuals' behavior patterns within an organization by combining context-based socio-technical and role-based information security theory with natural-language-processing (NLP) techniques.
- Multi-perspective method for modeling intelligence community workflows combines role-based models of organizational networks and context-based models of social networks.
- Fine-grained analysis of text-based cyber observables through NLP-based semantic extractions.
Milestones (month)
Concept of Operations: 2
Strawman Scenario: 3
Model Schema: 3
M/S Environment: 4
Evaluation Criteria: 5
Threat Scenario (draft): 6
Org. Network Model: 8
Social Network Model: 8
Semantic Analysis: 8
Integrated CRS Model: 10
Scenario Refinement: 12
Prototype Development: 15
Test & Evaluation: 18
Demonstration: 18
Final Report: 18
Principal Investigator: Robert DelZoppo Syracuse Research Corporation
Primary Tasks
Task: Focus
Scenario Development: Using Intelligence Community context, research and develop scenarios for insider behavior, both malicious and non-malicious; establish instances for the demonstration scenario.
Model Development: Research and develop the organizational, social network, and semantic models; produce an integrated CRS model.
Environment / Prototyping: Establish the modeling & simulation environment; develop the document training corpus; develop a prototype software implementation of the integrated CRS Insider Threat Model.
Test & Evaluation: Execute, test, and evaluate the model against the scenario; document and present the results in the final demonstration.
Technical Rationale
Background
Intelligence analysts operate within a mission-based context, focused mainly on specific topics of interest (TOIs) and geo-political areas of interest (AOIs).
The role the analyst participates in dictates:
- Mission
- Intelligence Work Products Produced
- Required Intelligence resources and products
- AOI and TOI
- Organizational Relationships and communication patterns
[Figure: example role model. Actor "Mallory" fulfills Role PA1 (Mission: Analysis & Production; Work Products: Type Report-A, Timeframe 30 days; Info Systems: X1 (R,W), X2 (R)); groups G1 (AOI: Country X, Topic: Narcotics), G3 (AOI: Country X, Topic: Economics), G7 (AOI: Country Y, Topic: Narcotics), G8 (AOI: Worldwide, Topic: Cocaine Production); roles PA3, PA7, PA8 and C1, C2, C3; relations shown: fulfills role, has role, collaborates with, assigns tasks to, produces info for.]
Modeling the insider therefore requires the following be considered:
- Context – the task or mission the insider operates in.
- Role – the insider's assigned job functions within context.
- Semantics – the content of the information accessed by the insider.
Technical Rationale
Approach
Combine socio-technical, information security and natural language processing approaches within a relevant intelligence community scenario:
Context – apply and extend existing social/shadow network approaches to modeling and monitoring discretionary communication patterns.
Role – extend role-based access control approaches to support strong, scalable, and efficient access monitoring mechanisms.
Semantics – apply NLP knowledge extraction techniques to analyze document and communication semantics.
Theoretical Basis
Context - Applying Social Network Analysis to Insider Threat Problem
Background
Analyze communication between individuals, teams, groups and communities for social structures and relational aspects.
Resulting Social Networks represent magnitude, frequency, and polarity of communication patterns.
Social Networks identify and characterize informal or undocumented organizational structures.
Social Network Analysis can discover and contrast legitimate network structures and shadow network structures of the organization.
Approach
Analyze insider communication data to identify and characterize Expected Insider Behavior.
Apply Social Network Analysis techniques to contrast Observed Insider Behavior against Expected.
Insider Adjacency Matrix (Expected Behavior):
      A  B  C  D  E
  A   -  2  1  4  2
  B   2  -  0  0  0
  C   1  0  -  0  0
  D   4  0  0  -  3
  E   2  0  0  3  -
[Figure: Insider Social Network derived from such a matrix (nodes A..R joined by weighted edges), labelled "Expected Behavior".]
Role - Applying RBAM to the Insider Threat Problem
Background
Role-based Access Monitoring (RBAM) is based on Role-based Access Control (RBAC) models.
Job responsibilities for a given role in an organization are stable. Individual user’s job functions are not.
In RBAC, permissions are associated with roles. Users are assigned appropriate roles.
RBAC provides efficient access control by modeling control at the role level.
Reduces complexity, cost, and potential errors in security system.
Approach
RBAC to RBAM.
Communication data for social network and semantic analysis is captured at individual insider level but abstracted to role-level in Expected Behavior Model.
Individual insider’s Observed Activity Patterns (Social/Semantic) are compared against Expected Behavior of insider’s current role.
[Figure: Role-based Access Control: Users -(User-Role Assignment, URA)-> Roles -(Permission-Role Assignment, PRA)-> Permissions.]
[Figure: Role-based Access Monitoring of Insider Threats: Insiders -(Assigned Roles)-> Roles -(Associated with Role)-> Expected Behavior.]
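As an added example (not code from the deck or from Syracuse Research Corporation), the Context and Role approaches above in working Python: insider-level communication counts are abstracted to the role level to form the Expected Behavior profile, and each insider's observed profile is scored against the expectation for their current role. Insider labels A..E, roles PA1/PA3/C1 and all counts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the original deck). Insiders A..E follow the
# rows of the deck's adjacency matrix; PA1, PA3, C1 are the deck's example role names.
ROLE_OF = {"A": "PA1", "B": "PA1", "C": "PA3", "D": "C1", "E": "C1"}

# Baseline period: (sender, recipient, message count) used to learn Expected Behavior.
BASELINE = [("A", "B", 4), ("A", "D", 2), ("B", "A", 4), ("B", "D", 2),
            ("C", "A", 3), ("C", "B", 3), ("D", "A", 1), ("D", "B", 1),
            ("E", "A", 1), ("E", "B", 1)]

# Observation period: identical to baseline except that insider A has opened a
# new channel to C, i.e. to the PA3 role, which PA1 never contacts in the baseline.
OBSERVED = [("A", "B", 4), ("A", "D", 2), ("A", "C", 5), ("B", "A", 4), ("B", "D", 2),
            ("C", "A", 3), ("C", "B", 3), ("D", "A", 1), ("D", "B", 1),
            ("E", "A", 1), ("E", "B", 1)]


def role_matrix(edges, role_of):
    """RBAM step: abstract insider-level counts to a role-level matrix. Each
    (source role, target role) total is divided by the number of insiders holding
    the source role, giving the expected per-insider outgoing volume."""
    totals, members = defaultdict(float), defaultdict(set)
    for sender, recipient, count in edges:
        totals[(role_of[sender], role_of[recipient])] += count
        members[role_of[sender]].add(sender)
    return {pair: total / len(members[pair[0]]) for pair, total in totals.items()}


def observed_profile(edges, insider, role_of):
    """Role-level view of one insider's outgoing communication."""
    profile = defaultdict(float)
    for sender, recipient, count in edges:
        if sender == insider:
            profile[(role_of[sender], role_of[recipient])] += count
    return dict(profile)


def deviation(expected, observed, role):
    """Social network comparison: L1 distance between the observed profile and the
    role's expected profile, relative to expected volume. Traffic towards a role the
    insider's role never talks to counts in full; silence on expected links also counts."""
    keys = {pair for pair in expected if pair[0] == role} | set(observed)
    expected_total = sum(expected.get(k, 0.0) for k in keys)
    diff = sum(abs(observed.get(k, 0.0) - expected.get(k, 0.0)) for k in keys)
    return diff / expected_total if expected_total else float("inf")


def rank_insiders(baseline, observed, role_of):
    """Score every insider against their role's expected behavior, highest deviation first."""
    expected = role_matrix(baseline, role_of)
    scores = {i: deviation(expected, observed_profile(observed, i, role_of), r)
              for i, r in role_of.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

`rank_insiders(BASELINE, OBSERVED, ROLE_OF)` places A first with a deviation of 5/6 (five unexpected messages against an expected volume of six), while the other insiders score 0.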
Theoretical Basis
[Figure: data accessed/produced by the insider (documents, communication texts, database queries) is the input to Semantic Analysis.]
Semantics - Applying Semantic Analysis to the Insider Threat Problem
Background
Based on proven Natural Language Processing (NLP) technology that applies linguistic analysis to achieve human-like processing of natural language texts.
Approximates morphological, lexical, syntactic, semantic, discourse, and pragmatic levels of human language processing.
Applies algorithms which interpret the meaning conveyed implicitly and explicitly in parts of words, phrases, syntax, multiple meanings of single words, flow and intent of spans of text, and references to real world entities.
Combines domain-specific knowledge, linguistic analysis techniques and training data.
Approach
Apply semantic analysis to text-based cyber observables including documents, communication texts, and database queries.
Extract useful semantic evidence including Topic of Interest (TOI) and geo-political area of interest (AOI).
Apply Semantic Analysis techniques to assess semantic distance between text-based cyber observables and Expected Insider Behavior in terms of TOI & AOI.
[Figure: Semantic Analysis producing extractions such as TOI: Narcotics; AOI: Country X, Y ...]
Semantic Analysis Example
Input: "Junior employees of the Acme Corporation must not describe specifications of company products in outgoing e-mails."
Semantic Representation: <Junior_employee (new_hire; level_1_to_6)|Person> of|PREP the|ART <Acme_ Corporation|Company> must|MOD not|MOD <describe (tell; explain; discuss)> <specification (size)> of|PREP <company_product|ProdName> in|PREP <outgoing_email (message; posting)>.
Logical Representation: If ISA (?X, junior_employee) and ISA (?Y, Acme_product) and ISA (?Z, email) and RCPT (?Z, ?P) and LOC (?P, outside_network) and CONT (?Z, ‘ASSOC (?Y, ?A) & MEAS (?A, ?B)’), then CHRC (?Z, nonreleasable).
(Figure: Semantic Analysis of Insider Threat Observables)
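An added example, not from the original deck, of the semantic step: TOI/AOI extraction from constructed observables using a keyword lexicon that stands in for the NLP extractor (an assumption; the deck's system uses linguistic analysis), a semantic-distance score against role PA1's expected TOI/AOI, and a simplified encoding of the deck's logical rule for nonreleasable e-mail. Lexicon entries, the PA1 expectation and the observables are all constructed.

```python
import re

# Constructed lexicon: a stand-in for the NLP extractor the deck describes (assumption;
# the real system derives TOI/AOI from linguistic analysis, not keyword lists).
TOI_TERMS = {"narcotics": ("cocaine", "heroin", "narcotic", "trafficking"),
             "economics": ("inflation", "currency", "trade balance"),
             "weapons": ("missile", "warhead", "launcher")}
AOI_TERMS = {"Country X": ("country x",), "Country Y": ("country y",), "Country Z": ("country z",)}

# Expected Behavior for the deck's example role PA1 (Narcotics/Economics on Country X).
EXPECTED = {"PA1": {"toi": {"narcotics", "economics"}, "aoi": {"Country X"}}}


def extract(text):
    """Return (TOI set, AOI set) found in one text-based observable."""
    t = text.lower()
    toi = {k for k, terms in TOI_TERMS.items() if any(term in t for term in terms)}
    aoi = {k for k, terms in AOI_TERMS.items() if any(term in t for term in terms)}
    return toi, aoi


def outside_fraction(found, expected):
    """Share of extracted labels that fall outside the role's expected set (0..1)."""
    return len(found - expected) / len(found) if found else 0.0


def semantic_distance(text, role):
    """Distance between an observable and the role's expected TOI/AOI scope:
    0.0 = entirely within scope, 1.0 = entirely outside."""
    toi, aoi = extract(text)
    exp = EXPECTED[role]
    return (outside_fraction(toi, exp["toi"]) + outside_fraction(aoi, exp["aoi"])) / 2


def nonreleasable(sender_is_junior, recipient_outside_network, text):
    """Simplified encoding of the deck's logical rule: a junior employee's outgoing
    e-mail to a recipient outside the network whose content gives product measurements
    (the MEAS term is approximated by a measurement-word pattern)."""
    has_measurement = re.search(r"\b(specification|dimension|size)s?\b", text.lower())
    return bool(sender_is_junior and recipient_outside_network and has_measurement)


# Constructed observables attributed to an insider holding role PA1.
OBSERVABLES = [
    "Weekly report: cocaine trafficking routes through Country X.",
    "Draft note on inflation and currency reserves in Country X.",
    "Database query: missile launcher inventory, Country Z.",
    "Notes on heroin trafficking near missile sites in Country Y.",
]


def score_all(role="PA1"):
    """Semantic distance of every observable from the role's expected scope."""
    return [round(semantic_distance(o, role), 2) for o in OBSERVABLES]
```

The third observable is entirely outside PA1's scope (distance 1.0); the fourth mixes an expected topic with an unexpected one and an unexpected area (0.75).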
Theoretical Basis
Modeling Expected Behavior
Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to create a Role-based Social-Semantic Model of Expected Insider Behavior.
Analysis of roles and associated expected-behavior defined by organization policies, org charts, etc.
Social network analysis of discretionary insider behavior defined and modeled at the role level.
In addition to magnitude, frequency, and polarity, Social Network connections will be characterized by Semantics.
Analysis of negative behavior patterns such as real espionage case studies and manufactured insider threat scenarios.
[Figure: Organizational Network Analysis, Social Network Analysis, Semantic Analysis and Case Studies feed the Expected Behavior Model.]
Theoretical Basis
Assessing Insider Threat Risk
Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to assess current risk of insider threats by comparing Expected Insider Behavior with Observed Behavior.
Methods of enforcing Role-based Access Control will be extended to monitor, rather than prevent, access policy violations.
Methods for comparing social networks will be applied to determine the difference between expected and actual communication patterns.
Methods of semantic boundary control and determining semantic distance between expected and actual communication semantics will be incorporated.
[Figure: Risk Assessor combining Role-based Access Monitoring Methods, Social Network Comparison Methods and Semantic Boundary Methods.]
Insider Threat Model
[Figure: Insider -> Source -> Sensor -> Observable Behavior -> Risk Assessor -> Risk Behavior Indicator, with the Expected Behavior Model feeding the Risk Assessor.]
Insider - authorized participant in the intelligence community.
Source - origination point for evidence of risk behavior. Includes specific types of communication, documents, and human observations.
Sensor - any element capable of observing and recording the activities of an insider.
Observable - a discrete instance of insider activity gathered from a single source.
Expected Behavior Model - encapsulation of expected patterns of acceptable and unacceptable insider activity.
Risk Assessor - encapsulates CRS-based method for comparing observables against expected behavior model to detect suspicious patterns of activity.
Risk Behavior Indicator - evidence of risk behavior discovered by risk assessor such as unauthorized information collection/transmittal, or personal counter intelligence.
Primary Domains
Insiders interact with sources. Sensors monitor sources and record interactions as observables. Observables are monitored by the Risk Assessor and compared against a Model of insider behavior to identify indicators of risk behavior.
CRS-based Approach for Countering Malicious Insider Threats
Insider Threat Model Granularity
Role-Based Social-Semantic Network Model encapsulates insider behavior at multiple levels of granularity:
Low Granularity: Minimal information used to describe behavior of insiders. Interaction between X and Y either exists or it does not.
- Used to describe which insiders interact with which sources.
Medium Granularity: Information about aggregate communication habits between each pair of insiders is represented.
- Used to characterize interactions between insiders and sources.
- Characterization could include frequency, typical interaction vehicle, typical semantics, etc.
High Granularity: Maximum available information about each interaction is represented.
- Used to represent actual behavior patterns.
- Interaction metadata could include time, semantics, interaction vehicle, etc.
[Figure: the same insider network (nodes A..Z) rendered at low, medium and high granularity; the high-granularity panel annotates individual interactions with metadata such as dates (20 Sep 2003 through 24 Sep 2003).]
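An added example (not the project's code) deriving the three granularity levels from constructed high-granularity interaction records, together with the kind of check each level supports: new contacts at low granularity and frequency spikes at medium granularity. Insider labels, timestamps, vehicles and topics are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed high-granularity observables: one record per interaction carrying the
# metadata the deck lists (time, interaction vehicle, semantics).
HIGH = [
    ("2003-09-20 09:12", "A", "B", "email", "narcotics"),
    ("2003-09-20 11:40", "A", "B", "email", "narcotics"),
    ("2003-09-21 10:05", "A", "D", "chat", "economics"),
    ("2003-09-22 15:30", "A", "B", "chat", "narcotics"),
    ("2003-09-23 08:55", "D", "E", "email", "economics"),
    ("2003-09-24 17:20", "D", "E", "email", "weapons"),
]

# Constructed medium-granularity Expected Behavior for the same pairs (per period).
EXPECTED_MEDIUM = {("A", "B"): {"frequency": 1, "vehicle": "email", "toi": "narcotics"},
                   ("D", "E"): {"frequency": 2, "vehicle": "email", "toi": "economics"}}


def medium_granularity(high):
    """Aggregate per (insider, source) pair: frequency, typical vehicle, typical semantics."""
    groups = defaultdict(list)
    for _time, sender, recipient, vehicle, toi in high:
        groups[(sender, recipient)].append((vehicle, toi))
    return {pair: {"frequency": len(items),
                   "vehicle": Counter(v for v, _ in items).most_common(1)[0][0],
                   "toi": Counter(t for _, t in items).most_common(1)[0][0]}
            for pair, items in groups.items()}


def low_granularity(high):
    """Binary view: which insiders interact with which sources at all."""
    return {(sender, recipient) for _t, sender, recipient, _v, _s in high}


def new_contacts(expected_pairs, high):
    """Low-granularity risk indicator: interactions absent from the Expected Behavior Model."""
    return low_granularity(high) - set(expected_pairs)


def frequency_spikes(expected_medium, high, factor=2.0):
    """Medium-granularity indicator: known pairs whose observed frequency reaches
    `factor` times the expected frequency."""
    observed = medium_granularity(high)
    return {pair for pair, agg in observed.items()
            if pair in expected_medium
            and agg["frequency"] >= factor * expected_medium[pair]["frequency"]}
```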
Technology Transition Strategy
Phases: Concept Development; Proof of Concept; Product Development; Product Transition; Operational System
Phase Transition / Milestone Reviews:
- Concept of Operation
- Research Objectives
- Use Cases
- Operational Constraints
- Risk Mitigation
- Requirement Specifications
- System Architecture
- SW Product Engineering
- Transition Plan
- Operational Support
- Research & Publications
Issues / Concerns / Questions