ATEET An Architecture for Detection and Incident Response of Insider Cyber Threats

ATEET: Advanced technology for extraction of electronic traces


DESCRIPTION

ATEET is a forensic framework for extraction of electronic evidence in a computer network via computer forensics.


Project: Ateet

ATEET: An Architecture for Detection and Incident Response of Insider Cyber Threats

Authors
- Dr. J.S. Shah, Professor, Head of the Department, LDCE, Ahmedabad, Gujarat, India.
- Kaushal Bhavsar, Lecturer, Department of Computer Science, Gujarat University; pursuing PhD in Computer Security at CHARUSAT, Changa.
- Rushal Chauhan, Krunal Panchal, pursuing M.Tech in Networking Technologies at Department of Computer Science, Gujarat University.

The Problem
- Recent devastating cyber attacks like Stuxnet demonstrate key negative roles played by trusted insiders.
- We need to catch them (the insiders with a malicious intention).
[Figure: How Stuxnet worked]

Are we missing something?
How to find the culprit? Enumerate all flash disks or removable media used on a computer:

HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR
HKLM\SYSTEM\MountedDevices

But we need more info!

Solution
- Use the Windows Registry as an information source
- Collect data from the registry
- Dump data from different terminals at a single place
- Analyze the data for possible signs of coordination in attacks

About ATEET
- Sensors: extract data from the PCs and send it to a remote network destination known as the Aggregator
- Aggregator: converges the data into a centralized database
- Analyzer: analyzes the database against a set of attack patterns and activity patterns to identify the origin of the threat
- Alerter: simply notifies about the result

Why ATEET
- Data is extracted forensically, i.e. evidence is preserved.
- This is done by running the program from a specially crafted bootable Windows USB disk.

The collected database is analyzed by applying the Naive Bayesian filter across the entire dataset with respect to previously stored signatures.

Naive Bayesian Filter
X = set of collected data
C = set of attack signatures

Probability that the collected data is related to attack signature C_i:

$P(X \mid C_i) = \prod_{k=1}^{n} P(X_k \mid C_i)$

Conclusion
- The sensor can be used on a USB bootable medium, which does not make any changes to the existing system.

- The analyzer can be used on a laptop or a mobile embedded system carried in the field by the respective investigator.

- After running ATEET it is possible to gather preliminary information about possible sources of insider cyber crime from a large, complex network.

- This information can be useful for further evaluation of the compromised systems.
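The following is an added Python example, not code from the ATEET project or the slides: it sketches the Aggregator/Analyzer path by taking constructed rows of the kind a Sensor would dump from the USBSTOR key (hostname plus device serial), deriving per-device features across terminals, and evaluating the Naive Bayesian product formula above with Laplace smoothing so that a single unseen feature value cannot zero out P(X|C_i). All hostnames, serials and signature tables are made up for the example.

```python
import math
from collections import defaultdict

# Constructed sample of what Sensors send to the Aggregator: (hostname, USBSTOR device serial). Made up.
AGGREGATED = [
    ("HR-PC01", "0EC1A3F2"), ("HR-PC02", "0EC1A3F2"), ("FIN-PC07", "0EC1A3F2"),
    ("FIN-PC07", "7B22D9E0"), ("ENG-PC03", "C0FFEE01"), ("ENG-PC04", "C0FFEE01"),
]

# Constructed labelled examples standing in for the stored attack/activity signatures C.
SIGNATURES = {
    "coordinated_insider": [
        {"multi_host": True, "cross_dept": True, "finance_touch": True},
        {"multi_host": True, "cross_dept": True, "finance_touch": False},
        {"multi_host": True, "cross_dept": True, "finance_touch": True},
    ],
    "normal_activity": [
        {"multi_host": False, "cross_dept": False, "finance_touch": False},
        {"multi_host": True, "cross_dept": False, "finance_touch": False},
        {"multi_host": False, "cross_dept": False, "finance_touch": True},
    ],
}

def device_features(rows):
    """Build the feature vector X for each device serial seen across terminals."""
    hosts = defaultdict(set)
    for host, serial in rows:
        hosts[serial].add(host)
    feats = {}
    for serial, hs in hosts.items():
        depts = {h.split("-")[0] for h in hs}   # department prefix of the hostname
        feats[serial] = {"multi_host": len(hs) > 1,        # X1: plugged into several terminals
                         "cross_dept": len(depts) > 1,     # X2: crosses department boundaries
                         "finance_touch": "FIN" in depts}  # X3: touched a finance terminal
    return feats
def likelihoods(signatures):
    """P(X_k = v | C_i), Laplace-smoothed so one unseen value cannot zero the product."""
    table = {}
    for cls, examples in signatures.items():
        n = len(examples)
        table[cls] = {k: {True: (sum(e[k] for e in examples) + 1) / (n + 2),
                          False: (n - sum(e[k] for e in examples) + 1) / (n + 2)}
                      for k in examples[0]}
    return table
def classify(x, table):
    """Evaluate P(X|C_i) = prod_k P(X_k|C_i) in log space; return best class and all scores."""
    scores = {cls: sum(math.log(p[k][x[k]]) for k in x) for cls, p in table.items()}
    return max(scores, key=scores.get), scores
def analyze(rows=AGGREGATED, signatures=SIGNATURES):  # Analyzer step over the aggregated dump
    table = likelihoods(signatures)
    return {serial: classify(x, table)[0] for serial, x in device_features(rows).items()}
```

With the constructed data, the serial seen on HR and finance terminals is labelled as the coordinated pattern while the department-local devices are labelled as normal activity; the Alerter would report only the former.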

Thank You