Insider Access Behavior

Client: The Boeing Company
Contact: Mr. Nick Multari
Adviser: Dr. Thomas Daniels

Group 6: Steven Bromley, Jacob Gionet, Jon McKee, Brandon Reher

Problem Statement
• Research and validate existing algorithms, tools, and systems that can detect unauthorized data access and data movement
    • This approach is limited to open source and freely available solutions that address the problem
• Develop our own toolset and algorithm that uses a user profile to detect unauthorized or abnormal data access and data movement

Conceptual Sketch

Functional Requirements
• Shall make use of pre-existing technologies
• Shall take input from a variety of sources and systems
• Shall correlate and filter relevant data
• Shall alert when malicious activity is discovered
• Shall have a system to provide notifications on alerts
• Shall contain an algorithm that decides whether an attack is being committed

Non-functional Requirements
• Shall have a low false-positive rate
• Shall be inconspicuous to the malicious user
• Shall provide alerts in a timely manner
• Shall abide by all licenses of the open source software utilized

Technical Constraints & Considerations
• The product shall be scalable to a network of up to 1000 machines
• The product shall have a low false-positive rate
• Data shall be obtained from Cyber Defense Competitions
• Data shall be obtained from activity scripts

Literature Survey
• Insider Threat Prediction Tool: Evaluating the probability of IT misuse
• Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
• Composite Role-Based Monitoring (CRBM) for Countering Insider Threats

Potential Risks & Mitigation
• No simulation data is found: write activity scripts; continue the search for data
• High false-positive results: continue to refine the decision algorithm
• Missed malicious attacks: continue to refine the filtering algorithm

Time Estimate

Resource Estimate

Item                       Team Hours   Cost
Research Materials            180       $0
Dell PowerEdge T410 (8)         8       $6,392
Linux Red Hat                  10       $350
NetBSD                         10       $0
Splunk                          3       $0
Ettercap                        3       $0
Apache                          2       $0
MySQL                           2       $0
PHP                             2       $0
Totals                        220       $6,742

Item                       W/O Labor   W/Labor
Research Materials            $0       $3,600
Dell PowerEdge T410 (8)       $6,392   $6,572
Linux Red Hat                 $350     $550
NetBSD                        $0       $200
Splunk                        $0       $60
Ettercap                      $0       $60
Apache                        $0       $20
MySQL                         $0       $40
PHP                           $0       $20
Algorithm                     N/A      $6,000
Totals                        $6,742   $17,122

Project Milestones and Schedule
• Research options for threat detection: choice made on what methods will be used in the product
• Equipment has proper systems: all the systems of a LAMP architecture are installed on the machines allocated to the group
• Data is obtained: group has large amounts of data that contain both outside and inside malicious attacks

Functional Decomposition

Functional Modules
• Log Analyzer: gather logs from the different systems installed on the network, give them a standard format, and store them in a central repository
• Network Analyzer
• Profiling Algorithm: profile log information, look for anomalies in user-profile activity, and raise alerts when malicious activity is detected
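As an added example of the Log Analyzer's "standard format" step (this is not code from the project; in the real toolset Splunk would do the collection and much of the normalization), the Python below parses two constructed log sources, an Apache combined access log and a syslog-style sshd auth log, into one record layout and stores the records in an in-memory SQLite table that stands in for the MySQL repository. The field names, the two parsers, the host names, the assumed syslog year and time zone, and the sample lines are all assumptions made for the example.

```python
"""Log Analyzer step: normalize heterogeneous host logs into one event record
and store them in a central repository.  Added example, not the project's
code.  Assumes an Apache "combined" access log and a syslog-style sshd auth
log as inputs, and an in-memory SQLite table standing in for the MySQL
repository on the slides."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Common record every parser must produce; this is the "standard format".
FIELDS = ("ts", "host", "username", "op", "obj", "src_ip", "outcome", "nbytes")

# Apache combined format: client ident user [time] "request" status bytes ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')
# syslog sshd line, e.g. "Accepted password for bob from 10.1.2.9 port 50122 ssh2"
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')

def parse_apache(line, host):
    """Apache access line -> standard record (None if the line is not Apache)."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")   # UTC offset is in the log
    return dict(ts=ts.astimezone(timezone.utc).isoformat(), host=host,
                username=None if m["user"] == "-" else m["user"],
                op="http_" + m["method"].lower(), obj=m["path"], src_ip=m["ip"],
                outcome="ok" if m["status"][0] in "23" else "fail",
                nbytes=0 if m["bytes"] == "-" else int(m["bytes"]))

def parse_sshd(line, year, tz):
    """syslog sshd line -> standard record.  syslog omits year and zone, so the
    collector has to supply both (assumed values here)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return dict(ts=ts.astimezone(timezone.utc).isoformat(), host=m["host"],
                username=m["user"], op="ssh_login", obj=m["host"], src_ip=m["ip"],
                outcome="ok" if m["result"] == "Accepted" else "fail", nbytes=0)

# Assumed: web logs come from host "webserver"; syslog is from 2010, US Central (UTC-5).
PARSERS = (lambda l: parse_apache(l, "webserver"),
           lambda l: parse_sshd(l, 2010, timezone(timedelta(hours=-5))))

def ingest(lines, parsers=PARSERS):
    """Normalize each line with the first parser that accepts it and store it.
    Returns (connection, stored_count, unparsed_lines); unparsed lines are kept
    so a missing parser is noticed instead of silently dropping evidence."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (%s)" % ", ".join(FIELDS))
    stored, unparsed = 0, []
    for line in lines:
        rec = next((r for r in (p(line) for p in parsers) if r), None)
        if rec is None:
            unparsed.append(line)
            continue
        db.execute("INSERT INTO events VALUES (%s)" % ",".join("?" * len(FIELDS)),
                   tuple(rec[f] for f in FIELDS))
        stored += 1
    db.commit()
    return db, stored, unparsed

def events(db, username=None):
    """Read events back in time order, optionally for one user (the view the
    profiling step consumes)."""
    sql, args = "SELECT %s FROM events" % ", ".join(FIELDS), ()
    if username is not None:
        sql, args = sql + " WHERE username = ?", (username,)
    return [dict(zip(FIELDS, row)) for row in db.execute(sql + " ORDER BY ts", args)]

# Constructed sample lines: two hosts, two log formats, one junk line.
SAMPLE_LOGS = [
    '10.1.2.3 - alice [11/Oct/2010:14:02:07 -0500] "GET /hr/payroll.csv HTTP/1.1" 200 5120 "-" "curl/7.21"',
    'Oct 11 14:03:19 fileserver sshd[2210]: Accepted password for bob from 10.1.2.9 port 50122 ssh2',
    'Oct 11 14:03:40 fileserver sshd[2211]: Failed password for invalid user root from 10.1.2.9 port 50123 ssh2',
    '10.1.2.3 - - [11/Oct/2010:14:05:00 -0500] "GET /index.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'this line is in no format the analyzer knows',
]

if __name__ == "__main__":
    db, n, bad = ingest(SAMPLE_LOGS)
    for e in events(db):
        print(e["ts"], e["host"], e["username"], e["op"], e["obj"], e["outcome"])
    print(f"{n} stored, {len(bad)} unparsed")
```

Two choices matter for the later profiling step: every timestamp is converted to UTC before storage, so events from hosts in different zones sort correctly, and lines no parser accepts are returned rather than discarded, so a new log source shows up as a pile of unparsed lines instead of as a silent gap in a user's history.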

Interface Definition

User Interface
• Installation Interface: trusted administrators will have an initial interface in which they can input the trusted users and the access control lists
• Runtime Interface: normal users will have no interface to the system
• Alert Interface: trusted administrators will view alert details in the form of an e-mail message sent to the trusted-administrator list

Hardware Platform
• Dell machines were profiled for the market survey due to high market presence

Hardware Platform (cont.)

Software Platform

Operating Systems
• NetBSD, version 2.6.0
• Red Hat Enterprise Linux (RHEL), version 6.0

System Libraries
• Apache
• MySQL
• PHP

Third-Party Software
• Ettercap
• Snort
• Splunk

Test Plan - Environment
• Test environment is located on ISEAGE-provided computers
• Consists of a small-scale network designed to represent a scaled-down version of a generic enterprise network
• Focus is on intranet traffic

Test Plan - Design

Scenario 1: Network Traffic
Procedure
• Create controlled traffic on the network
• Compare the captured packets to the traffic created to determine whether entire traffic sequences were captured

Scenario 2: Log Gathering
Procedure
• Manually start the log-gathering system to gather a known set of logs from predefined locations
• Compare the logs retrieved with the logs in the source location to determine whether all logs were successfully collected

Test Plan - Design (cont.)

Scenario 3: Entire System
Procedure
• Script various activity types, including malicious and legitimate activity
• Monitor generated alerts to verify that malicious and suspicious activities are the only events reported
• Measure the response time from activity to alert report

Scenario 5: Alert System
Procedure
• Input the alert flag / trigger to the system to create an alert
• Monitor the reporting mechanism to verify that the alert is created successfully
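The Profiling Algorithm module, the installation and alert interfaces (trusted users, access control lists, e-mail to the trusted-administrator list) and the Scenario 3 procedure (scripted legitimate and malicious activity, check that only malicious activity is reported, measure time from activity to alert) describe one pipeline. The Python below is an added example of that pipeline, not the project's own algorithm or test code. The ACL, the administrator address, the one-day baseline and the activity script are constructed; the detection rule (alert outright on an ACL miss, otherwise only when two or more independent deviations from the user's baseline coincide) is one plausible choice rather than the project's; and the 1 s collection lag is an assumed stand-in for log-gathering delay.

```python
"""Profiling Algorithm step with the installation-interface inputs (trusted
users and ACLs), an alert sink standing in for the e-mail interface, and a
Scenario 3 style run over a scripted activity mix.  Added example, not the
project's code.  Events are assumed already normalized (username, obj,
src_ip, ts as epoch seconds, nbytes); ACL, admin list, baseline and script
are all constructed here."""
from collections import defaultdict
from datetime import datetime, timezone
import statistics

# Installation-interface input (constructed): who may read what, and who is alerted.
ACL = {"alice": {"/hr/payroll.csv", "/hr/reviews.csv"},
       "bob": {"/eng/specs.pdf", "/eng/src.tar"}}
TRUSTED_ADMINS = ["secops@example.test"]      # assumed alert recipients

def hour_of(e):
    return datetime.fromtimestamp(e["ts"], timezone.utc).hour

def build_profiles(training):
    """Per-user baseline from known-good activity: objects touched, hours of
    day, source addresses and transfer sizes."""
    prof = defaultdict(lambda: {"objs": set(), "hours": set(), "ips": set(), "sizes": []})
    for e in training:
        p = prof[e["username"]]
        p["objs"].add(e["obj"]); p["hours"].add(hour_of(e))
        p["ips"].add(e["src_ip"]); p["sizes"].append(e["nbytes"])
    return dict(prof)

def score(e, profiles, acl, threshold=2):
    """Return (verdict, reasons).  An ACL miss is 'unauthorized' outright; a
    profile deviation is 'anomalous' only once `threshold` independent
    deviations coincide, which keeps a single odd-but-benign event (new desk,
    new laptop) from paging the administrators."""
    u, obj = e["username"], e["obj"]
    if obj not in acl.get(u, set()):
        return "unauthorized", [f"{u} has no ACL entry for {obj}"]
    p = profiles.get(u)
    if p is None:
        return "anomalous", [f"no baseline for {u}"]
    reasons = []
    if obj not in p["objs"]:
        reasons.append("object never accessed before")
    if hour_of(e) not in p["hours"]:
        reasons.append("outside usual hours")
    if e["src_ip"] not in p["ips"]:
        reasons.append("new source address")
    mean, sd = statistics.mean(p["sizes"]), statistics.pstdev(p["sizes"])
    if e["nbytes"] > max(2 * mean, mean + 3 * sd):
        reasons.append("transfer size far above baseline")
    return ("anomalous" if len(reasons) >= threshold else "normal"), reasons

class AlertSink:
    """Stand-in for the alert interface: records what would be e-mailed to the
    trusted-administrator list, with the activity-to-alert latency."""
    def __init__(self, recipients):
        self.recipients, self.alerts = list(recipients), []
    def raise_alert(self, e, verdict, reasons, detected_at):
        self.alerts.append({"to": self.recipients, "user": e["username"], "obj": e["obj"],
                            "verdict": verdict, "reasons": reasons,
                            "latency_s": detected_at - e["ts"]})

def run_scenario(training, script, acl, admins, collect_lag=1.0):
    """Feed a labelled activity script through the detector and report what the
    test plan asks for: hits, false positives, misses and worst latency.
    collect_lag (assumed) models log-gathering delay before evaluation."""
    profiles, sink = build_profiles(training), AlertSink(admins)
    tp = fp = fn = 0
    for e in script:
        verdict, reasons = score(e, profiles, acl)
        alerted, malicious = verdict != "normal", e["label"] == "malicious"
        if alerted:
            sink.raise_alert(e, verdict, reasons, e["ts"] + collect_lag)
        tp += int(alerted and malicious); fp += int(alerted and not malicious)
        fn += int(malicious and not alerted)
    benign = sum(1 for e in script if e["label"] == "legit")
    return {"tp": tp, "fp": fp, "fn": fn, "false_positive_rate": fp / benign if benign else 0.0,
            "max_latency_s": max((a["latency_s"] for a in sink.alerts), default=0.0),
            "alerts": sink.alerts}

def ev(username, obj, ts, src_ip="10.1.2.3", nbytes=4096, label="legit"):
    return dict(username=username, obj=obj, ts=ts, src_ip=src_ip, nbytes=nbytes, label=label)

T0 = 1286805600   # 2010-10-11 14:00 UTC; one constructed baseline day of office-hours activity
TRAINING = ([ev("alice", "/hr/payroll.csv", T0 + h * 3600, nbytes=5000 + 100 * h) for h in range(4)]
            + [ev("alice", "/hr/reviews.csv", T0 + 1800)]
            + [ev("bob", "/eng/specs.pdf", T0 + h * 3600, src_ip="10.1.2.9") for h in range(4)]
            + [ev("bob", "/eng/src.tar", T0 + 900, src_ip="10.1.2.9")])
D = 86400   # the scripted day follows the baseline day
SCRIPT = [
    ev("alice", "/hr/payroll.csv", T0 + D, nbytes=5150),                                   # routine
    ev("bob", "/eng/specs.pdf", T0 + D + 3600, src_ip="10.1.2.9"),                        # routine
    ev("alice", "/hr/reviews.csv", T0 + D, src_ip="10.1.2.50"),                            # new IP only: no alert
    ev("bob", "/hr/payroll.csv", T0 + D + 7200, src_ip="10.1.2.9", label="malicious"),     # outside his ACL
    ev("alice", "/hr/payroll.csv", T0 + D + 12 * 3600, src_ip="10.1.2.77",
       nbytes=50_000_000, label="malicious"),                                              # 02:00, new IP, bulk pull
    ev("bob", "/eng/src.tar", T0 + D + 3600, src_ip="10.1.2.9"),                          # routine
    ev("alice", "/hr/reviews.csv", T0 + D + 7200),                                         # routine
    ev("bob", "/eng/src.tar", T0 + D + 12 * 3600, src_ip="10.1.2.9", label="malicious"),  # after-hours only: a miss
]

if __name__ == "__main__":
    r = run_scenario(TRAINING, SCRIPT, ACL, TRUSTED_ADMINS)
    for a in r["alerts"]:
        print(a["verdict"], a["user"], a["obj"], a["reasons"], f"{a['latency_s']:.1f}s")
    print({k: r[k] for k in ("tp", "fp", "fn", "false_positive_rate", "max_latency_s")})
```

The last scripted event is deliberately one the profile alone cannot catch: an after-hours read of a file the user is both permitted and accustomed to take. The run therefore reports one miss alongside zero false positives, which is the trade-off behind the "high false-positive results" and "missed malicious attacks" risks on the risk slide. Lowering `threshold` to 1 catches that event but turns the new-address event into a false positive, so the Scenario 3 measurements (false-positive rate and misses, not just alert count) are what decide where the threshold sits.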

Current Project Status
• Machine setup: basic installation complete; non-interference with the ISU network
• Data detection method
• Location of data sources
• Literature & market survey
• Profiling algorithm

Task Responsibility

ID   Task Name        Start        Finish       Duration
1    Research         10/11/2010   12/17/2010   10w
2    Test bed         11/29/2010   12/17/2010   3w
3    Development      1/10/2011    3/4/2011     8w
4    Implementation   3/7/2011     4/29/2011    8w

Plan for Next Semester
• Setup and configuration of toolset
• Develop profiling algorithm: transform the abstract algorithm into a concrete program
• Testing and modifications: extensive testing of components to ensure proper results are obtained
• Compile report of successes and failures