"High-Speed Detection of Insider Threats" by Dr. Sandra Dykes

Date: October 20, 2009
Time: 9:30 am – 11:00 am

Where: Executive Conference Room (BB 4.02.10)

"High-Speed Detection of Insider Threats"
Dr. Sandra Dykes (Southwest Research Institute)

Abstract:

The insider threat differs from other cyber security problems in that it involves authorized users sending and receiving valid data. However, a user may exhibit abnormal patterns of activity, such as performing an abnormally large number of database queries or accessing rarely used servers. The challenge lies in quantifying "normal" or "rare." Usage patterns vary according to many factors such as organization, employee role, current assignments, time of day, and unanticipated events. Fixed thresholds are problematic because they are prone to high false positive rates and can be easily bypassed by low-and-slow techniques. Statistical anomaly detection offers a promising approach because it adapts detection thresholds to current patterns through continuous monitoring and retraining.

This talk describes research in developing and evaluating statistical anomaly detection (AD) techniques for high-speed networks (10 Gbps). Our system copes with high traffic rates by using specialized packet capture hardware to reduce raw traffic to bidirectional flow data. The AD engine uses the flow data to build statistical models of normal user interactions with database, web, email, and other enterprise servers. An important contribution of this research is the development of a rigorous evaluation methodology. Most studies describe insiders using case studies and taxonomies that are unsuitable for quantitative testing. Our tests use explicit Gaussian and non-Gaussian distribution functions to model the behaviors of normal users and insider threats. The results show that false positive and false negative rates can be reduced to negligible levels by applying higher-order behavior rules to the low-level statistical alerts, and we provide an analytical explanation of this finding.
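As an added illustration of the approach the abstract describes (example code, not from the talk or from Southwest Research Institute), the sketch below scores per-user flow summaries against a continuously retrained baseline, raises low-level alerts for query-volume and rare-server anomalies, and applies a higher-order rule that escalates only when independent low-level anomalies coincide in the same window. The flow records, user and server names, and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed flow summaries, one per (user, hour window): DB query count and the
# set of servers contacted. Illustrative data only, not from the talk.
FLOWS = [("alice", h, q, {"db1", "web1"}) for h, q in
         enumerate([100, 110, 120, 105, 115, 125, 110, 120], 1)] + [
    ("alice", 9, 115, {"db1", "web1", "hr-db"}),   # rare server, normal volume
    ("alice", 10, 400, {"db1", "web1", "hr-db"}),  # rare server plus volume spike
] + [("bob", h, q, {"db2"}) for h, q in enumerate([50, 55, 45, 50, 52, 48], 1)] + [
    ("bob", 7, 300, {"db2"}),                      # volume spike only
]

class Baseline:
    # Exponentially weighted mean/variance: the threshold retrains on every window
    def __init__(self, alpha=0.2):
        self.alpha, self.mean, self.var, self.n = alpha, 0.0, 0.0, 0
    def zscore(self, x):
        if self.n < 3:       # too little history to judge
            return 0.0
        sd = sqrt(self.var)
        return (x - self.mean) / sd if sd else (0.0 if x == self.mean else float("inf"))
    def update(self, x):
        d = x - self.mean if self.n else 0.0
        self.mean = x if self.n == 0 else self.mean + self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.n += 1

def detect(flows, z_thresh=3.0, rare_frac=0.2, min_windows=5):
    volume = defaultdict(Baseline)   # per-user query-volume model
    seen = defaultdict(Counter)      # per-user: server -> windows it appeared in
    windows = Counter()              # per-user: windows observed so far
    low_level, insider = [], []
    for user, hour, queries, servers in flows:
        alerts = set()
        if volume[user].zscore(queries) > z_thresh:
            alerts.add("volume")
        if windows[user] >= min_windows and any(
                seen[user][s] / windows[user] < rare_frac for s in servers):
            alerts.add("rare_server")
        low_level += [(user, hour, a) for a in sorted(alerts)]
        # Higher-order rule: escalate only when independent low-level anomalies
        # coincide in one window; a lone spike or lone rare server stays low-level.
        if {"volume", "rare_server"} <= alerts:
            insider.append((user, hour))
        volume[user].update(queries)     # retrain after scoring, not before
        seen[user].update(servers)
        windows[user] += 1
    return low_level, insider
```

Run over the constructed data, bob's isolated spike and alice's first visit to the rare server produce only low-level alerts; only alice's window 10, where both anomalies coincide, is escalated.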

Bio:

Sandra Dykes received her Ph.D. in computer science from the University of Texas at San Antonio in 2000, and was the first Ph.D. in computer science to graduate from UTSA. She holds a B.S. degree in chemistry from the University of Texas at Austin, an M.S. degree in chemistry from the University of Texas at San Antonio, and an M.S. degree in computer science from UTSA. Dr. Dykes is currently a Principal Scientist at Southwest Research Institute, specializing in networking protocols and system security. While at Southwest Research Institute, Dr. Dykes has led projects in several areas, including a cooperative IP traceback system for spoofed packets, a broadcast mechanism for enabling the use of Internet protocols on SpaceWire networks, an adaptive ad hoc routing system, and behavior-based intrusion detection. Most recently, Dr. Dykes has been investigating methods to determine causal relationships between communication events and applying the results to the discovery of rootkits and hidden malware. Dr. Dykes is a member of the ACM, IEEE, and USENIX.

Hosted by the Department of Information Systems & Technology Management