Author_Institution :
Service Platform Res. Labs., NEC Corp., Kawasaki, Japan
Abstract :
Insider threats, such as information leakages, are big problems in many organizations. They are difficult to detect and control, because insiders such as employees have legitimate rights to access the organization\´s resources in order to carry out their responsibilities. For this reason, existing security systems such as firewalls, intrusion detection systems, and access control mechanisms are ineffective countermeasures. Therefore, a framework is being developed for detecting suspicious insiders by triggering monitoring and analysis of suspicious actions done to hide digital evidence. This framework first creates an event (called a "trigger") that will impel malicious members to behave suspiciously, for example, deleting digital data that may be evidence of their malicious behavior. In addition, the framework also monitors and analyzes actions by comparing operational logs before/after the trigger. This work is still in progress. Here, a system architecture based on the detection framework and cases in which it is used are described. Also, the effectiveness and the limitations of the proposed framework are discussed.
Keywords :
authorisation; computer network security; organisational aspects; digital data sealing; digital evidence hiding; information leakages; insider threats; malicious members; organization resource access; security systems; suspicious action monitoring; suspicious insider detection; system architecture; Computers; Electronic mail; Monitoring; Organizations; Postal services; Recycling; Servers; insider threats detection; sealing of evidence;
