International Journal of Application or Innovation in Engineering & Management (IJAIEM)

Web Site: www.ijaiem.org Email: [email protected], [email protected] Volume 2, Issue 11, November 2013 ISSN 2319 - 4847

Online Monitoring and Prevention of Internal Security Threats in Academic Campuses

D.S. Bhilare
Devi Ahilya University, India

ABSTRACT
It has always been challenging to keep watch on a watchman. In most of the institutions responsibility of protecting student, faculty and research data is entrusted to handful of trusted technocrats. As they are trusted persons, they are usually not monitored. There are several studies, which show that in majority of Information Security breaches, insiders were involved. Academic institutions have important student information and sensitive information about ongoing and finished research projects. As per various laws and acts, it is mandatory to protect student information and Intellectual Property. Generally University campuses are less disciplined compared to a business organization, which makes it more difficult. Further, fast moving student population and budget constraint also make the job further difficult. Most of the tools provide information about suspicious host but are unable to identify the exact user. Proposed architecture addresses this issue by capturing user actions and associated applications. In order to track and monitor user activities, they are correlated with active directory context. The proposed architecture enables implementation without disrupting the Campus Network and doesnt degrade the network performance. Further, it allows real-time monitoring and communication of alerts to concerned persons.

Keywords: Active directory, information security, online monitoring, internal threat

1. INTRODUCTION
An Insider Threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems [Wikipedia]. A report published in July 2012 on the insider threat in the U.S. financial sector gives some statistics on insider threat incidents: 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled. The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time [1]. The US Department of Defense Personnel Security Research Center published a report that describes approaches for detecting insider threats [2]. Earlier it published ten case studies of insider attacks by information technology professionals [3]. The Project on Government Oversight (POGO), a watchdog group, released a memo from the Department of Energy's National Nuclear Security Administration (NNSA) expressing concern over the theft of three computer hard discs by an employee at Los Alamos National Security LLC (LANS) in January. As per the third annual Higher Education IT Security Survey 2008, by CDW-G [4] states that, the amount of data residing on the network is growing exponentially and IT directors struggle to balance security concerns with the open nature of higher education. The report concludes that less than half of campus networks are secure and data theft of sensitive information has increased up to 43%. Today, institutions find that their research data, intellectual property and sensitive information can be found on virtually any computer system or network in the campus. Academic records, patent research, financial information, transactions, student information, and many other types of protected information can routinely be found in databases, files and file servers, document management systems, e-mails etc. The challenge for Information Security Officers is how to determine what user action is legitimate and what is not. Once a legitimate user has access to internal resources, it may be hard to identify actions that are malicious. This can be particularly difficult when the user is an external consultant who has been granted limited access to carry out some institutional task. The different types of information assets such as documents, spreadsheets, images and databases, that organizations generate is growing exponentially. Typical campus networks include a mix of servers, switches, routers and wireless access points from multiple vendors, and connect users to numerous applications. Most of these servers and applications are protected by access control and logging mechanisms that are often specific to the platform. In addition to this, high employee turnover and changing roles are further enhancing the overall complexity. The rest of this paper is organized as follows. In section 2, related works are shown. In section 3, present solution and their shortcomings are discussed. Section 4, describes proposed solution and its implementation plan. Finally, in section 5, conclusion along with future work is presented.

Volume 2, Issue 11, November 2013

Page 28

International Journal of Application or Innovation in Engineering & Management (IJAIEM)

Web Site: www.ijaiem.org Email: [email protected], [email protected] Volume 2, Issue 11, November 2013 ISSN 2319 - 4847
2. RELATED WORK Identification of the abnormal activity was the basis of the earlier detection systems. They used events generated by the system, such as login time, number of bad logins, attempts to run special supervisor commands, etc [8]. This approach is simple, but not effective against professional intruders. Network System Monitor[14], was among the first systems using network traffic as the audit data. This tool looks at the data-path communication and the protocols to build a profile. Data-mining approach[13] analyzed network traffic by defining some attributes based rules. In activity based detection, the actions of the users are observed for policy violation. With social networks, a static social network is created beforehand for the insider and is used to detect whether there is any abnormal behavior. There were attempts to correlate social network analysis with user activity keeping in view insiders role & permissions[9], [10]. Activity log is compared to a social network in view of the expected behavior. However, both the roles and social networks must be created manually beforehand resulting in a lack of flexibility. If any malicious action that is not considered when the network was created, it will not be caught. Another approach focused on document access patterns and comparison with co-workers with similar responsibilities [11]. An agent-based distributed approach by simulating behavior to detect changes in behavior patterns as well as misinformation activities was also proposed [6]. This approach requires lot of beforehand planning and resources. Focus of the existing research is on traffic analysis or log analysis. In order to prevent threats, it is essential that violation should be detected, when it is happening so that it can be stopped or alert can be generated. In fact a not much work has been done in identifying the culprits on real time basis and automation of policy based audit process.

3. OVERVIEW OF PRESENT TECHNIQUES

Organizations are following various approaches to identify and mitigate the insider threats and; reduce their exposure to regulatory and financial risk. These approaches are described as under: 3.1 Use of active directory Institutions have tried to automate processes by using directory services by centrally defining objects like systems, users, groups, devices, sites, domains and their relationship. But many directory services offerings are limited to, due to working with devices that run a particular operating system. In many cases, the older, possibly unneeded rights are simply carried over even after change in employee role. Some times new roles are often assigned the same rights as assigned to other group member. So, one can not solely rely on directory services, something additional is required. 3.2 Use of native controls Many institutions simply do not know precisely how their intellectual property is being accessed. Some of them rely on the native controls of each application, server, or security device. The problem with this approach is that, as the network grows, so does the complexity and the efforts required to manage this. Adding to the complexity is the fact that many employees change roles within an organization. But existing rights are frequently not revoked even though they are not required now. For example, if an employee from examination department is transferred to finance section then his or her access to the students academic record is not revoked. Once users access information inadvertently or accidentally (because previous rights have not been revoked), they can often send that information outside the institution undetected. In many cases, there would not be any suspicion since the user had what appeared to be legitimate access rights to the information. Once access had been gained, a user could cut and paste data into a webmail account message and send it past email filters that are only looking at outbound Outlook messages and not at HTTP streams. Again, there are several problems. Wire speeds for network devices are so high that the computing resources needed to inspect each packet would degrade the performance significantly. Further, there is a large variety of data formats and communications protocols, making inspection very complex. Ideally what is required is a single interface, this would enable organizations to manage and respond better to policy exceptions, deviations from rules and misuse of privileges. 3.3 Logging systems Many of these logging systems, however, are specific to particular platforms. Separate log will be generated by mail server, web server, firewall etc. Activation of log on many servers, switches, routers, or security devices can slow down the performance. Logs usually record IP addresses which are a challenge to link back to the actual user who performed an operation recorded in the log. If information on a server can be accessed by an application or protocol that does not generate a log file, there will be no record of that activity. Because logs are in many formats, the software necessary to

Volume 2, Issue 11, November 2013

Page 29

International Journal of Application or Innovation in Engineering & Management (IJAIEM)

Web Site: www.ijaiem.org Email: [email protected], [email protected] Volume 2, Issue 11, November 2013 ISSN 2319 - 4847
correlate all of these logs is not always able to produce a complete picture of what users actually were doing. Because logs must be collected and combined after the fact, they do not provide a real-time solution to problems that require one. Nevertheless, logging systems have been adopted by many institutions. 3.4 Traffic Analysis Another approach to observe what is going on in an enterprise is capturing the network traffic and packet analysis. These solutions gather information from one of two sources and sometimes both. They capture traffic from routers and switches or they record IP addresses and port numbers from the network. Both of these sources contain a record of source IP, destination IP, protocol and port number. By collecting this information these devices produce a traffic-oriented picture of enterprise network activity. This approach for protecting intellectual property does not reveal much information about the transaction that occurred on that connection or who the actual user was.

4. PROPOSED SOLUTION
In order to discharge their duties efficiently, concerned employees must be trusted to certain extent. But this trust should follow the policy of trust but verify. We know that if anything can go wrong, sooner or later it will go wrong. Trust is necessary, but it must be monitored. Institutions are expected to keep track of the following: who is accessing sensitive information, when and how is it accessed; how is this information flowing within the institution?; what are authorized users and consultants actually doing?; what is the extent of a security breach or policy violation?; how much are resources being consumed across users, systems and applications?; are access controls being implemented and monitored as per the policy? etc. 4.1 Inputs required for effectively managing insider threats We need the following information for effective threat management: details of the assets being accessed e.g. filename, filepath, DB name, DB table name, type of operation, email addresses, attachments, chat identities, and webmail information. The path of access: was it done from inside the company or using VPN? The pattern of access: Number of records deleted, copied, updated. Tracking sensitive data movement across the Campus Network. Were they just copied form one server to the other? Using the applications native login and access controls? What is needed is detailed user transaction information in an actionable format [17]. Given these challenges and the growing complexity of securing servers, applications, and data, a new approach is needed to identify breaches and inappropriate activity, not after the fact by analyzing logs and audit trails, but in real-time when the violation can be stopped. Proposed solution captures extremely detailed network user actions across applications and correlates it with directory context to track and enforce institutional policies across the campus network. This is very different form existing approaches that essentially provide a traffic oriented view of user activity. Industry experts expect 90 percent of all businesses to be using Active Directory by 2010 [7]. In view of the above, efforts are made to propose a solution which can be implemented by the academic institutions, having low budget and limited manpower in minimum possible time. Further, the solution should not only detect the violation but identify the person and prevent the action on real time basis or generate an alert. While achieving this, care is taken that network performance should remain unaffected. 4.2 Architecture of proposed solution Figure 1, describes architecture of the proposed solution, Online Monitoring and Prevention of Internal Security Threats in Academic Campuses. There are two key modules: Grabber and Rea-Time Monitor. These are supported by three additional modules: Intelligent Rule Builder, History Analyzer and Auditor. Grabber module sits generally in or near a server farm, looking at the traffic that is flowing in and out of that server farm. It decodes all the protocol and application information after capturing and filtering unwanted data keeping in view the requirements of the Information Security Manager. Existing directory systems having legacy standards can also be used as it is, by deploying optional metadirectories. Computing power required to do this in real time is available at reasonable cost. The preferred mode of installation is to attach it to the switch on a SPAN port, so network performance remains unaffected. Though, using taps is more efficient but in order to reduce the cost SPAN ports are preferred. Secondly, they can be managed and allows selective monitoring of desired ports. Real-Time Monitor module analyzes the captured transactions to provide intelligence and mitigate insider threats. The module analyzes and reports the exceptions, as well as automates operational and security audits. It provides real-time, highly detailed activity tracking, alerting, and policy enforcement; all while maintaining historical records for instant analysis. This is all accomplished without agents or network changes.

Volume 2, Issue 11, November 2013

Page 30

International Journal of Application or Innovation in Engineering & Management (IJAIEM)

Web Site: www.ijaiem.org Email: [email protected], [email protected] Volume 2, Issue 11, November 2013 ISSN 2319 - 4847

Figure 1: Architecture of the Trusted Insider Tracking and Alerting System Post-Mortem module comprises two sub modules: Auditor module and History analyzer. Audit module automates audit process using history database and rule engine and generates routine as well as exception reports. History Analyzer builds user profiles and tries to match with profiles of other users performing similar duties. In addition, it looks for patterns and communicates to concerned person for further probe. It also provides Google like search environment for quick retrieval of the desired information. The Intelligent Rule Builder, interacts with almost all the objects and identifies actionable rules, once the violation pattern is established and action is approved by the authorities. By correlating user activity with a directory system, the following can be tracked: Network activity, including privileged and rogue users and systems Use of approved and unapproved applications and the means of access Access and movement of directories, files tables and records Broad e-mail and messaging transactions including instant messaging All cross-organization user and heterogeneous application activity is seen and recorded, including that of legacy systems and undocumented users. Information about user access to IP is presented by an alert mechanism. 4.3 Implementation plan for the solution described above to protect IP and sensitive student information Solution proposed in the section 4.2, can be implemented as under: 4.3.1 Identify key intellectual property assets and sensitive data. Identify key IP assets and sensitive data, which need protection. Generate asset wise and user wise report giving detailed user-object relationship. 4.3.2. Actively monitor. Examine and generate asset wise report. For example, when the information on server storing data of bio-technology research group was accessed without encryption turned on. If this is a violation of policy, such a report is of enormous value to the institution. Generate reports that look for anomalies in access to those assets. Generate use wise reports: Look at how particular users access all the sensitive assets and look for suspicious patterns. Compare the patterns of access between users in a department or who are working on the same project. In addition to running reports, the user can perform ad hoc queries based on various parameters. This query provides user actions over any period of time. It allows the Information Security Officer to focus on user activity that is suspicious. When normal behavior has been established, the system can be configured to generate alerts when accesses to IP appear to be suspicious. Conditions that are suspicious can be created based on historical information and, when these conditions occur, alerts are generated. The Grabber captures network traffic and combines it with the Active Directory information, creating "user-action records." Rules can be applied to the user-action records and when a rule is being violated, an alert is generated. It also sends an alert to the concerned person through SMS or E-mail to the address stored in the active directory. For example, an academic section employee whose job is to verify mark sheets or degrees, based on requests received from the employers for the candidates short listed by them. It would be unusual, however, for this employee to print

Volume 2, Issue 11, November 2013

Page 31

International Journal of Application or Innovation in Engineering & Management (IJAIEM)

Web Site: www.ijaiem.org Email: [email protected], [email protected] Volume 2, Issue 11, November 2013 ISSN 2319 - 4847
contact details of large number of passed out students. This type of activity might indicate that he or she is looking for a target audience with some commercial interest. An administrator can establish a rule to create an alert or other action under this kind of situation. This information can be treated as an actionable intelligence. 4.3.3. Real time action. Over a period of time when alerts achieve high degree of accuracy, than institutions may decide to activate enforcement on those alerts, so that the particular activity will be blocked in real time. 4.3.4 Storing history. To help make the process of monitoring user transactions, user activities with required attributes are saved. The combination of directory and application intelligence provides real-time user activity monitoring and policy enforcement. Since many organizations have already invested in Active Directory, Proposed solution leverages that investment. Active Directory integration imports, monitors, and automatically applies directory object changes to respective components. This reduces administrative efforts and ensures that policies are kept current, as objects in the directory change. The solution integrates with directory services, to gain visibility regarding users, systems and groups; and with network identity services, such as Domain Controllers and Kerberos, to maintain identity states. Through deep packet inspection and the decoding of popular applications, transactions details are extracted and combined with policy. These records contains not only user IDs, IP addresses and ports numbers, but stores important details such as user names, groups, applications, directories, files, databases, database tables, message source, destination and attachments. This provides the foundation for many applications that can reduce insider threats while automating IT and security audit, investigation and reporting processes.

5. CONCLUSION
The proposed solution is quick to deploy and allows organizations to get immediate results. There are no changes required to an existing network, identity or directory services. The solution provides real-time activity tracking, alerting, and policy enforcement and audit automation while the system manages historical records retained online for immediate access. It gives full visibility into group, user, system access, application use, and data access trends. It tracks user activities at the application level in heterogeneous environments, including legacy systems, in real time. The Proposed solution ensures secured academic campuses by protecting their critical information, intellection property and sensitive data, all while opening up access to research collaborations, outsourcing partners and contract employees. By leveraging Active Directory and providing alerts and reports, administration is improved. It also facilitates policy implementation and audit automation. Future plans involve, assessment of the proposed architecture and improving the Intelligent Rule Builder by considering behavioral aspects also.

References
[1.] Cummings, Adam; Lewellen, Todd; McIntire, David; Moore, Andrew; Trzeciak, Randall (2012), Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, Software Engineering Institute, Carnegie Mellon University, (CMU/SEI-2012-SR-004) [2.] Shaw, Eric; Fischer, Lynn; Rose, Andre (2009), Insider Risk Evaluation and Audit, Department of Defense Personnel Security Research Center, TR 09-02 [3.] Shaw, Eric; Fischer, Lynn (2005), Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations [4.] CDW-G third annual report on higher education IT Security, http://newsroom.cdwg.com/features/feature-10-2507.html, 2008 [5.] Data leakage study conducted by CISCO and InsightExpress, http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.html , 2008 [6.] John h. Buford, Lundy Lewis, Gabriel Jacobson. Insider threat detection using situation aware MAS. In the proceedings of 11th International Conference Information Fusion, page(s):1-8, Cologne, ISBN: 978-3-8007-30926, July 2008 [7.] Linda Musthaler , Network World , http://www.networkworld.com/newsletters/techexec/2006/0522techexec1.html, 2006 [8.] M. Sebring, E. Shellhouse, M. Hanna, and Whitehurst. Expert Systems in Intrusion Detection: A Case Study. In Proceedings of the Summer USENIX Conference, pp. 74-81, Baltimore, Maryland, 17-20 1988.

Volume 2, Issue 11, November 2013

Page 32

International Journal of Application or Innovation in Engineering & Management (IJAIEM)

Web Site: www.ijaiem.org Email: [email protected], [email protected] Volume 2, Issue 11, November 2013 ISSN 2319 - 4847
[9.] Natarajan, Anand & Hossain, Liaquat . Towards a Social Network Approach for Monitoring Insider Threats to Information Security. Lecture Notes in Computer Science, Volume 3073. Pages 501-507. 2004 [10.] Park, Joon S. & Ho, Shuyuan Mary . Composite Role-Based Monitoring (CRBM) for Countering Insider Threats. Lecture Notes in Computer Science, Volume 3073. Pages 201-213. 2004 [11.] Symonenko, Svetlana; Liddy, Elizabeth D. Liddy; Yilmazel, Ozgur; Zoppo, Robert Del; Brown, Eric & Downey, Matt (2004). Semantic Analysis for Monitoring Insider Threats. Lecture Notes in Computer Science, Volume 3073. Pages 492-500. 2004 [12.] www.cert.org/archive/pdf/ecrimesummary07.pdf , 2008 [13.] W. Lee, S. J. Stolfo. Adaptive Intrusion Detection: A Data Mining Approach. In Artificial Intelligence Review, 14:533-567, 2001 [14.] B. Mukherjee, L. Heberlein, and K. Levitt. Network Intrusion Detection. IEEE Network, June 1994. [15.] Bishop. Position: Insider is Relative. In Proceedings of the 2005 New Security Paradigms Workshop (NSPW), pages 7778, Lake Arrowhead, CA, October 2023, 2005. [16.] http://www.networkworld.com/news/2008/032108-faq-the-obama-breach-what.html, March 2008 [17.] D.S. Bhilare, A.K. Ramani, S. Tanwani, Protecting Intellectual Property and Sensitive Information in Academic Campuses from Trusted Insiders: Leveraging Active Directory, ACM SIGUCCS International conference 2009 on communication and collaboration, St. Louis, USA 11-14 October, 2009, Pages 99-104, ISBN:978-1-60558-477-5, http://doi.acm.org/10.1145/1629501.1629520

AUTHOR
D.S. Bhilare received his M.Tech.(Computer Sc.), M.Phil.(Computer Sc.), Ph.D. (Computer Sc.), and MBA from Devi Ahilya University, Indore. Worked as a senior project leader for ten years in the industry and developed various business applications for different industries. Since last twenty four years, working in the University as a Senior Manager & Head IT Centre, involved in Computer Centre and Campus Network Management. His areas of interest are Information Security, Network Management and Project Management.

Volume 2, Issue 11, November 2013

Page 33