The problem of insider threat is one of the most vexing problems for computer security research. We will present an overview of an ongoing collaborative project aimed at understanding human behavior and the insider threat. The organizations involved include Carnegie Mellon University, Columbia University, Cornell University, Dartmouth College, Indiana University, MITRE Corporation, Purdue University, and the RAND Corporation. Two primary objectives serve to focus and integrate the proposed research activities: technology exploration and environmental constraints. The first objective addresses the need for base technologies to monitor insider behavior, coupled with behavioral descriptions of suspicious, inappropriate or illegitimate events or activities. The second objective addresses the need for a methodological framework for handling incipient and actual insider behavior once it is recognized.
In this talk we describe some of the ongoing research at Columbia that aims to develop technology and monitoring functions providing a lightweight, robust, and scalable event-processing infrastructure that can be deployed in a range of at-risk enterprises (e.g. the U.S. military, banks, chemical plants and refineries, and border and port security systems). Our work involves the implementation of host-based sensors that detect unusual user behavior indicative of insider attack. We present an overview of prior work on masquerade detection and our most recent work to incorporate context and infer intent in order to identify potential insider attacks more accurately. We also detail our current work on network-based decoy traffic and on detecting misuse of honeytokens: purposely placed, realistic-looking decoy data designed to entice traitors into revealing their nefarious actions.
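The following is an added illustration of the honeytoken idea described above; it is not code from the Columbia project or from this talk. It assumes a host audit log in a constructed `ts user= action= path=` format, a monitor-held secret for minting decoy identifiers (so a decoy found in the wild can be verified without a lookup table), and an allow-list of service accounts that legitimately touch the decoys. Any other access to a registered decoy path is raised as an alert, since real users have no business reading bait.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumption: a secret held only by the monitoring side, used to derive
# decoy identifiers that look like ordinary account numbers.
MONITOR_SECRET = b"constructed-demo-secret"


def mint_token(label: str) -> str:
    """Derive a realistic-looking honeytoken value from a label (e.g. 'payroll')."""
    mac = hmac.new(MONITOR_SECRET, label.encode(), hashlib.sha256).hexdigest()
    return f"acct-{mac[:12]}"


def identify_token(candidate: str, labels: Iterable[str]) -> Optional[str]:
    """Return the label a candidate value was minted from, or None if it is not a decoy."""
    for label in labels:
        if hmac.compare_digest(mint_token(label), candidate):
            return label
    return None


@dataclass
class Alert:
    user: str
    action: str
    path: str
    label: str


# Constructed audit-line format used for this example only.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+path=(?P<path>\S+)$"
)


def detect_decoy_access(
    log_lines: Iterable[str],
    decoys: Dict[str, str],
    allowed_users: FrozenSet[str] = frozenset(),
) -> List[Alert]:
    """Flag every access to a registered decoy path by a user not on the allow-list.

    decoys maps a decoy file path to the label it was provisioned under.
    Malformed lines are skipped rather than trusted.
    """
    alerts: List[Alert] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path, user = m["path"], m["user"]
        if path in decoys and user not in allowed_users:
            alerts.append(Alert(user, m["action"], path, decoys[path]))
    return alerts


# Constructed sample data: two decoy files planted among real ones.
DECOYS = {
    "/srv/finance/payroll_2009.xls": "payroll",
    "/home/shared/vpn_credentials.txt": "vpn",
}
ALLOWED = frozenset({"backup-svc"})
SAMPLE_LOGS = [
    "2009-03-01T09:00:00Z user=alice action=read path=/srv/finance/budget.xls",
    "2009-03-01T09:02:11Z user=bob action=read path=/srv/finance/payroll_2009.xls",
    "2009-03-01T23:00:00Z user=backup-svc action=read path=/srv/finance/payroll_2009.xls",
    "2009-03-02T10:15:42Z user=carol action=copy path=/home/shared/vpn_credentials.txt",
    "this line is garbage and should be ignored",
]

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOGS, DECOYS, ALLOWED):
        print(f"ALERT decoy={a.label} user={a.user} action={a.action} path={a.path}")
```

Running it on the constructed sample yields two alerts (bob reading the payroll decoy, carol copying the VPN decoy) while the backup service's scheduled read is suppressed. In practice the same check runs inside the host sensor so that the access event and the decoy registry never leave the protected host.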