Information Assurance for the Intelligence Community for Countering Malicious Insider Threats
A Context, Role and Semantic (CRS)-based Approach for Countering Malicious Insider Threats
Information Assurance for the Intelligence Community
www.syrres.com

Goals
- Develop an insider threat model for detecting malicious insider behavior based on the context of the user's task, their role within the organization, and the semantic content of communications and documents associated with the user.
- Develop a prototype software implementation of the CRS-based insider threat model and demonstrate that this model can reliably detect risks associated with malicious insider behavior.

Novel Ideas
- Novel method for monitoring and assessing the risk of individuals' behavior patterns within an organization by combining context-based socio-technical and role-based information security theory with natural-language-processing (NLP) techniques.
- Multi-perspective method for modeling intelligence community workflows that combines role-based models of organizational networks and context-based models of social networks.
- Fine-grained analysis of text-based cyber observables through NLP-based semantic extractions.

Milestones (month)
- Concept of Operations: 2
- Strawman Scenario: 3
- Model Schema: 3
- M/S Environment: 4
- Evaluation Criteria: 5
- Threat Scenario (draft): 6
- Org. Network Model: 8
- Social Network Model: 8
- Semantic Analysis: 8
- Integrated CRS Model: 10
- Scenario Refinement: 12
- Prototype Development: 15
- Test & Evaluation: 18
- Demonstration: 18
- Final Report: 18

Principal Investigator: Robert DelZoppo, Syracuse Research Corporation, [email protected]

Primary Tasks
- Scenario Development: Using Intelligence Community context, research and develop scenarios for insider behavior, both malicious and non-malicious; establish instances for the demonstration scenario.
- Model Development: Research and develop the organizational, social network, and semantic models; produce an integrated CRS model.
- Environment / Prototyping: Establish the modeling & simulation environment; develop the document training corpus; develop the prototype software implementation of the integrated CRS Insider Threat Model.
- Test & Evaluation: Execute, test, and evaluate the model against the scenario; document and present the results in the final demonstration.

Technical Rationale: Background (Actor: "Mallory")
Intelligence analysts operate within a mission-based context, focused mainly on specific topics of interest (TOIs) and geopolitical areas of interest (AOIs). The role the analyst participates in dictates:
- the mission;
- the intelligence work products produced;
- the required intelligence resources and products;
- the AOI and TOI;
- organizational relationships and communication patterns.

[Figure: role/group diagram for the analyst "Mallory". Mallory has role PA1 in Group G1 (AOI: Country X; Topic: Narcotics). Role PA1: Mission: Analysis & Production; Work Products: Type Report-A, Timeframe 30 days; Info Systems: X1 (R,W), X2 (R). PA1 assigns tasks to roles C1, C2 and C3, and produces information for and collaborates with roles PA8 (Group G8; AOI: Worldwide; Topic: Cocaine Production), PA7 (Group G7; AOI: Country Y; Topic: Narcotics) and PA3 (Group G3; AOI: Country X; Topic: Economics).]

Modeling the insider therefore requires the following be considered:
- Context: the task or mission the insider operates in.
- Role: the insider's assigned job functions within that context.
- Semantics: the content of the information accessed by the insider.

Technical Rationale: Approach
Combine socio-technical, information security, and natural language processing methods within a relevant intelligence community scenario:
- Context: apply and extend existing social/shadow network approaches to modeling and monitoring discretionary communication patterns.
- Role: extend role-based access control approaches to support strong, scalable, and efficient access monitoring mechanisms.
- Semantics: apply NLP knowledge extraction techniques to analyze document and communication semantics.

Theoretical Basis: Context - Applying Social Network Analysis to the Insider Threat Problem
Background
- Analyze communication between individuals, teams, groups and communities for social structures and relational aspects.
- The resulting social networks represent the magnitude, frequency, and polarity of communication patterns.
- Social networks identify and characterize informal or undocumented organizational structures.
- Social Network Analysis can discover and contrast the legitimate network structures and the shadow network structures of the organization.

Adjacency matrix from the slide (communication counts between insiders A through E):
     A  B  C  D  E
A    -  2  1  4  2
B    2  -  0  0  0
C    1  0  -  0  0
D    4  0  0  -  3
E    2  0  0  3  -

Approach
- Analyze insider communication data to identify and characterize Expected Insider Behavior.
- Apply Social Network Analysis techniques to contrast Observed Insider Behavior against Expected.
[Figure: an Insider Adjacency Matrix and the corresponding Insider Social Network graph drawn from it.]

Theoretical Basis: Role - Applying RBAM to the Insider Threat Problem
Background
- Role-based Access Monitoring (RBAM) is based on Role-based Access Control (RBAC) models.
- Job responsibilities for a given role in an organization are stable; an individual user's job functions are not.
- In RBAC, permissions are associated with roles and users are assigned appropriate roles (User-Role Assignment, URA; Permission-Role Assignment, PRA).
- RBAC provides efficient access control by modeling control at the role level, which reduces complexity, cost, and potential errors in the security system.

Approach: RBAC to RBAM
- Communication data for social network and semantic analysis is captured at the individual insider level but abstracted to the role level in the Expected Behavior Model.
- An individual insider's Observed Activity Patterns (social/semantic) are compared against the Expected Behavior of the insider's current role.

[Figure: Role-based Access Monitoring of Insider Threats. Insiders are assigned roles; each role has an associated Expected Behavior.]

Theoretical Basis: Semantics - Applying Semantic Analysis to the Insider Threat Problem
Background
- Based on proven Natural Language Processing (NLP) technology that applies linguistic analysis to achieve human-like processing of natural language texts.
- Approximates the morphological, lexical, syntactic, semantic, discourse, and pragmatic levels of human language processing.
- Applies algorithms that interpret the meaning conveyed implicitly and explicitly in parts of words, phrases, syntax, multiple meanings of single words, the flow and intent of spans of text, and references to real-world entities.
- Combines domain-specific knowledge, linguistic analysis techniques, and training data.
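The two slides above (the adjacency matrix under Social Network Analysis, and the RBAC-to-RBAM abstraction) describe one mechanism: capture communication at the individual level, abstract it to the role level to form the Expected Behavior of a role, and compare each insider against that baseline. The following Python is an added example, not code from the deck or from Syracuse Research Corporation. The insiders, role labels (PA1, C1, C2, PA8 are borrowed from the deck's diagram), message counts and the leave-one-out L1 deviation measure are all constructed assumptions; polarity is omitted.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the deck). Each record is an observed
# communication (sender, receiver, message count); polarity is omitted.
Record = Tuple[str, str, int]

# User-Role Assignment: insider -> current role (role names modelled on the
# deck's PA1 / C1 / C2 / PA8 labels; the insiders themselves are invented).
INSIDER_ROLE: Dict[str, str] = {
    "A": "PA1", "B": "PA1", "C": "PA1",  # three analysts sharing role PA1
    "D": "C1", "E": "C2", "F": "PA8",
}

OBSERVED: List[Record] = [
    ("A", "D", 4), ("A", "E", 2),
    ("B", "D", 3), ("B", "E", 2),
    ("C", "D", 4), ("C", "E", 1), ("C", "F", 5),  # C's traffic to PA8 is unusual for PA1
]


def adjacency(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Insider-level adjacency matrix: adj[src][dst] = messages src -> dst."""
    adj: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for src, dst, n in records:
        adj[src][dst] += n
    return {src: dict(row) for src, row in adj.items()}


def role_vector(insider: str, records: List[Record],
                insider_role: Dict[str, str]) -> Dict[str, float]:
    """Abstract one insider's outgoing traffic to the role level:
    target role -> message count."""
    vec: Dict[str, float] = defaultdict(float)
    for src, dst, n in records:
        if src == insider:
            vec[insider_role[dst]] += n
    return dict(vec)


def expected_role_behavior(role: str, records: List[Record],
                           insider_role: Dict[str, str],
                           exclude: Optional[str] = None) -> Dict[str, float]:
    """Expected Behavior of a role: mean role-level vector over its members.
    The insider under assessment is left out so that their own anomaly does
    not become part of the baseline."""
    members = [i for i, r in insider_role.items() if r == role and i != exclude]
    if not members:
        return {}
    total: Dict[str, float] = defaultdict(float)
    for m in members:
        for target_role, n in role_vector(m, records, insider_role).items():
            total[target_role] += n
    return {t: n / len(members) for t, n in total.items()}


def deviation(insider: str, records: List[Record],
              insider_role: Dict[str, str]) -> float:
    """L1 distance between the insider's observed role-level vector and the
    expected vector of their current role."""
    observed = role_vector(insider, records, insider_role)
    expected = expected_role_behavior(insider_role[insider], records,
                                      insider_role, exclude=insider)
    keys = set(observed) | set(expected)
    return sum(abs(observed.get(k, 0.0) - expected.get(k, 0.0)) for k in keys)


def rank_insiders(role: str, records: List[Record],
                  insider_role: Dict[str, str]) -> List[Tuple[float, str]]:
    """Members of a role ordered by deviation from the role's expected behavior."""
    members = [i for i, r in insider_role.items() if r == role]
    return sorted(((deviation(i, records, insider_role), i) for i in members),
                  reverse=True)


if __name__ == "__main__":
    for score, insider in rank_insiders("PA1", OBSERVED, INSIDER_ROLE):
        print(f"{insider}: deviation {score:.2f} from role PA1 baseline")
```

Running it ranks C first (6.5) ahead of B (4.0) and A (3.5): C's messages to a PA8 member have no counterpart in the PA1 baseline, which is exactly the role-level comparison the slide describes. The leave-one-out baseline is a design choice for the example; with a single-member role the baseline is empty and the deviation degenerates to the insider's own traffic, so such roles need a different reference (for instance a policy-defined profile).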
Semantic Analysis Example
Policy statement: "Junior employees of the Acme Corporation must not describe specifications of company products in outgoing e-mails."

Semantic Representation:
<Junior_employee (new_hire; level_1_to_6)|Person> of|PREP the|ART <Acme_Corporation|Company> must|MOD not|MOD <describe (tell; explain; discuss)> <specification (size)> of|PREP <company_product|ProdName> in|PREP <outgoing_email (message; posting)>.

Logical Representation:
If ISA(?X, junior_employee) and ISA(?Y, Acme_product) and ISA(?Z, email) and RCPT(?Z, ?P) and LOC(?P, outside_network) and CONT(?Z, 'ASSOC(?Y, ?A) & MEAS(?A, ?B)'), then CHRC(?Z, nonreleasable).

Approach
- Apply semantic analysis to text-based cyber observables including documents, communication texts, and database queries.
- Extract useful semantic evidence including Topic of Interest (TOI) and geopolitical Area of Interest (AOI).
- Apply semantic analysis techniques to assess the semantic distance between text-based cyber observables and Expected Insider Behavior in terms of TOI and AOI.

[Figure: Semantic Analysis of Insider Threat Observables. Data accessed/produced by the insider (documents, communication texts, database queries) passes through Semantic Analysis to yield extractions such as TOI: Narcotics; AOI: Country X, Y; ...]

Theoretical Basis: Modeling Expected Behavior
Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to create a Role-based Social-Semantic Model of Expected Insider Behavior.
- Analysis of roles and their associated expected behavior as defined by organization policies, org charts, etc.
- Social network analysis of discretionary insider behavior, defined and modeled at the role level.
- In addition to magnitude, frequency, and polarity, social network connections will be characterized by semantics.
- Analysis of negative behavior patterns such as real espionage case studies and manufactured insider threat scenarios.
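The logical representation above is a Horn-style rule over predicates (ISA, RCPT, LOC, CONT, CHRC) with variables written ?X, ?Y, and so on. The Python below is an added example, not the deck's or the project's code: a minimal pattern matcher with backtracking that evaluates that rule against a fact base. The fact base (alice, widget_9000, msg1 to msg3, partner.example) is constructed, and splitting the single CONT premise into two CONT facts over the e-mail's extracted content is a representation choice made here.

```python
from typing import Any, Dict, Iterator, List, Optional, Set, Tuple

Term = Any            # constant (str), variable ("?X"), or nested tuple
Fact = Tuple          # ("PRED", arg, ...) with ground terms only
Binding = Dict[str, Term]


def is_var(t: Term) -> bool:
    return isinstance(t, str) and t.startswith("?")


def unify(pattern: Term, fact: Term, binding: Binding) -> Optional[Binding]:
    """Match a pattern term against a ground term, extending the binding.
    Returns the extended binding, or None if they do not match."""
    if is_var(pattern):
        if pattern in binding:
            return binding if binding[pattern] == fact else None
        return {**binding, pattern: fact}
    if isinstance(pattern, tuple):
        if not isinstance(fact, tuple) or len(pattern) != len(fact):
            return None
        for p, f in zip(pattern, fact):
            binding = unify(p, f, binding)
            if binding is None:
                return None
        return binding
    return binding if pattern == fact else None


def match_all(premises: List[Fact], facts: Set[Fact],
              binding: Optional[Binding] = None) -> Iterator[Binding]:
    """Backtracking search: every binding that satisfies all premises."""
    binding = {} if binding is None else binding
    if not premises:
        yield binding
        return
    first, rest = premises[0], premises[1:]
    for fact in facts:
        b = unify(first, fact, binding)
        if b is not None:
            yield from match_all(rest, facts, b)


def substitute(term: Term, binding: Binding) -> Term:
    """Replace bound variables in a term (recursing into nested tuples)."""
    if is_var(term):
        return binding.get(term, term)
    if isinstance(term, tuple):
        return tuple(substitute(t, binding) for t in term)
    return term


def apply_rule(premises: List[Fact], conclusion: Fact, facts: Set[Fact]) -> Set[Fact]:
    """Forward-chain one rule: the set of conclusions it derives from the facts."""
    return {substitute(conclusion, b) for b in match_all(premises, facts)}


# The deck's logical representation of the Acme policy. The single
# CONT(?Z, 'ASSOC(?Y,?A) & MEAS(?A,?B)') premise is split into two CONT
# premises over the e-mail's extracted content (a representation choice here).
POLICY_PREMISES: List[Fact] = [
    ("ISA", "?X", "junior_employee"),
    ("ISA", "?Y", "Acme_product"),
    ("ISA", "?Z", "email"),
    ("RCPT", "?Z", "?P"),
    ("LOC", "?P", "outside_network"),
    ("CONT", "?Z", ("ASSOC", "?Y", "?A")),
    ("CONT", "?Z", ("MEAS", "?A", "?B")),
]
POLICY_CONCLUSION: Fact = ("CHRC", "?Z", "nonreleasable")

# Constructed fact base: one outgoing e-mail stating a product measurement,
# one internal e-mail with the same content, and one outgoing e-mail that
# names the product but gives no measurement.
FACTS: Set[Fact] = {
    ("ISA", "alice", "junior_employee"),
    ("ISA", "widget_9000", "Acme_product"),
    ("ISA", "msg1", "email"), ("ISA", "msg2", "email"), ("ISA", "msg3", "email"),
    ("RCPT", "msg1", "partner.example"), ("LOC", "partner.example", "outside_network"),
    ("RCPT", "msg2", "bob"), ("LOC", "bob", "inside_network"),
    ("RCPT", "msg3", "partner.example"),
    ("CONT", "msg1", ("ASSOC", "widget_9000", "length")),
    ("CONT", "msg1", ("MEAS", "length", "42cm")),
    ("CONT", "msg2", ("ASSOC", "widget_9000", "length")),
    ("CONT", "msg2", ("MEAS", "length", "42cm")),
    ("CONT", "msg3", ("ASSOC", "widget_9000", "length")),
}


def nonreleasable_messages(facts: Set[Fact]) -> List[str]:
    """Message ids the policy rule characterises as nonreleasable."""
    derived = apply_rule(POLICY_PREMISES, POLICY_CONCLUSION, facts)
    return sorted(f[1] for f in derived)


if __name__ == "__main__":
    print(nonreleasable_messages(FACTS))  # ['msg1']
```

Only msg1 is derived as nonreleasable: msg2 stays inside the network and msg3 carries an ASSOC extraction without a MEAS, so the conjunction fails. Note that the rule as printed on the slide never ties ?X (the junior employee) to ?Z (the e-mail): any junior employee in the fact base satisfies the first premise, so a deployable version of the rule needs a sender relation between them.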
[Figure: the Expected Behavior Model is built from Organizational Network Analysis, Social Network Analysis, Semantic Analysis, and Case Studies.]

Theoretical Basis: Assessing Insider Threat Risk
Approaches from Semantic Network Analysis, Role-based Access Monitoring, and Semantic Analysis will be combined to assess the current risk of insider threats by comparing Expected Insider Behavior with Observed Behavior.
- Methods of enforcing role-based access control will be extended to monitor, rather than prevent, access policy violations.
- Methods for comparing social networks will be applied to determine the difference between expected and actual communication patterns.
- Methods of semantic boundary control and of determining the semantic distance between expected and actual communication semantics will be incorporated.

[Figure: the Risk Assessor combines Social Network Comparison Methods, Role-based Access Monitoring Methods, and Semantic Boundary Methods.]

Insider Threat Model: Primary Domains
Insiders interact with sources. Sensors monitor sources and record interactions as observables. Observables are monitored by the Risk Assessor and compared against a model of insider behavior to identify indicators of risk behavior.
- Insider: an authorized participant in the intelligence community.
- Source: the origination point for evidence of risk behavior; includes specific types of communication, documents, and human observations.
- Sensor: any element capable of observing and recording the activities of an insider.
- Observable: a discrete instance of insider activity gathered from a single source.
- Expected Behavior Model: an encapsulation of expected patterns of acceptable and unacceptable insider activity.
- Risk Assessor: encapsulates the CRS-based method for comparing observables against the expected behavior model to detect suspicious patterns of activity.
- Risk Behavior Indicator: evidence of risk behavior discovered by the risk assessor, such as unauthorized information collection/transmittal or personal counterintelligence.
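The Risk Assessor slide lists two of its three methods that can be shown directly on the deck's own role: role-based access monitoring (report, rather than block, access outside the role's permissions) and semantic boundary control (measure the distance between what the role is expected to handle and what the observable actually contains). The Python below is an added example, not code from the deck or the project. Role PA1's permissions (X1 read/write, X2 read) and expected TOI/AOI come from the deck's diagram; the insider "mallory", the observables, the Jaccard distance measure and the 0.5 threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical data structures built from the deck's vocabulary; sample values
# are constructed, not taken from the project.


@dataclass
class RoleModel:
    """Expected Behavior associated with a role (the deck's PA1 as sample)."""
    name: str
    permissions: Dict[str, Set[str]]   # info system -> allowed operations
    expected_semantics: Set[str]       # TOI/AOI labels the role normally handles


@dataclass
class Observable:
    """A discrete instance of insider activity from a single source."""
    insider: str
    source: str                        # info system or communication channel
    action: str                        # "R" (read) or "W" (write)
    semantics: Set[str] = field(default_factory=set)  # extracted TOI/AOI labels


Indicator = Tuple[str, str, str]       # (insider, indicator kind, detail)

ROLES: Dict[str, RoleModel] = {
    "PA1": RoleModel(
        name="PA1",
        permissions={"X1": {"R", "W"}, "X2": {"R"}},   # Info Systems: X1 (R,W); X2 (R)
        expected_semantics={"TOI:Narcotics", "AOI:Country X"},
    ),
}
ASSIGNMENTS: Dict[str, str] = {"mallory": "PA1"}      # user-role assignment

OBSERVABLES: List[Observable] = [
    Observable("mallory", "X1", "R", {"TOI:Narcotics", "AOI:Country X"}),   # within role
    Observable("mallory", "X2", "W", {"TOI:Narcotics", "AOI:Country X"}),   # X2 is read-only for PA1
    Observable("mallory", "X1", "R", {"TOI:Economics", "AOI:Country X"}),   # off-topic for PA1
    Observable("mallory", "X3", "R", {"TOI:Cocaine Production", "AOI:Worldwide"}),  # both
]


def semantic_distance(expected: Set[str], observed: Set[str]) -> float:
    """Jaccard distance between two extraction sets (an assumed measure; the
    deck does not specify how semantic distance is computed)."""
    if not expected and not observed:
        return 0.0
    return 1.0 - len(expected & observed) / len(expected | observed)


def assess(observables: List[Observable], roles: Dict[str, RoleModel],
           assignments: Dict[str, str], threshold: float = 0.5) -> List[Indicator]:
    """Risk Assessor: compare each observable against the insider's role model.
    Access outside the role's permissions is reported rather than blocked
    (RBAM), and content far from the role's expected TOI/AOI crosses the
    semantic boundary."""
    indicators: List[Indicator] = []
    for o in observables:
        role = roles[assignments[o.insider]]
        allowed = role.permissions.get(o.source, set())
        if o.action not in allowed:
            indicators.append((o.insider, "access_outside_role", f"{o.action} on {o.source}"))
        d = semantic_distance(role.expected_semantics, o.semantics)
        if d > threshold:
            indicators.append((o.insider, "semantic_boundary", f"distance {d:.2f} on {o.source}"))
    return indicators


def risk_score(indicators: List[Indicator]) -> Dict[str, int]:
    """Indicator count per insider: a simple aggregate risk measure."""
    score: Dict[str, int] = {}
    for insider, _, _ in indicators:
        score[insider] = score.get(insider, 0) + 1
    return score


if __name__ == "__main__":
    found = assess(OBSERVABLES, ROLES, ASSIGNMENTS)
    for ind in found:
        print(ind)
    print(risk_score(found))   # {'mallory': 4}
```

The first observable produces nothing; the second is a write to a read-only system, the third stays within permissions but its extractions (Economics rather than Narcotics) push the distance to 0.67, and the fourth trips both checks. Nothing is blocked: the output is a list of Risk Behavior Indicators for an analyst to review, which is the monitoring stance the slide distinguishes from enforcement.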
[Figure: CRS-based Approach for Countering Malicious Insider Threats. Insider, Source, Sensor, Observable, Expected Behavior Model, Risk Assessor and Risk Behavior Indicator are shown as the linked elements of the model.]

Insider Threat Model: Granularity
The Role-Based Social-Semantic Network Model encapsulates insider behavior at multiple levels of granularity:
- Low granularity: minimal information is used to describe the behavior of insiders; an interaction between X and Y either exists or it does not. Used to describe which insiders interact with which sources.
- Medium granularity: information about the aggregate communication habits between each pair of insiders is represented. Used to characterize interactions between insiders and sources; the characterization could include frequency, typical interaction vehicle, typical semantics, etc.
- High granularity: the maximum available information about each interaction is represented. Used to represent actual behavior patterns; interaction metadata could include time, semantics, interaction vehicle, etc.

[Figure: three network diagrams of increasing granularity; the high-granularity view shows individual dated interactions (20 to 24 Sep 2003) with their semantic labels.]

Technology Transition Strategy
[Figure: transition path from Concept Development (Research Objectives, Proof of Concept, Concept of Operation) through Product Development (Requirement Specifications, System Architecture, Use Cases, Operational Constraints, Risk Mitigation, SW Product Engineering) to Product Transition (Transition Plan, Operational Support, Operational System), with Phase Transition / Milestone Reviews between phases.]

Research & Publications

Issues / Concerns / Questions