Countering Network-Centric Insider Threats through Self-Protective Autonomic Rule Generation

Software Security and Reliability (2012)

Abstract
Insider threats are a growing problem in today's organizations. Detecting such attacks is especially challenging because most system owners and system administrators use networks to remotely manage the systems they are responsible for. In previous work, we introduced the Autonomic Violation Prevention System (AVPS), which has a scalable architecture to deal with such threats. This system uses low-level, human-specified and manually entered rules to protect networked applications from disgruntled privileged users. However, rule-based systems are generally difficult to maintain when the number of rules is too large. This paper addresses this problem by allowing human beings to enter a smaller number of high-level rules that are automatically translated into one or more low-level rules based on an analysis of the incoming network traffic. The paper discusses how various high-level rules (HLR) can detect new unwanted behaviors without any user intervention. Experiments conducted on three types of applications -- FTP, database, and Web -- show that the enhanced AVPS can detect known and unknown insider attacks through high-level rules and process automation.
Keywords
servers, autonomic computing, network security, organizations, security, databases, automation