TWC: Medium: Collaborative: Data is Social: Exploiting Data Relationships to Detect Insider Attacks

TWC：媒介：协作：数据是社交的：利用数据关系检测内部攻击

• 批准号: 1409303
• 负责人: Xuanlong Nguyen
• 金额: $ 24万
• 依托单位: Regents of the University of Michigan - Ann Arbor
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-10-01 至 2018-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1409303&HistoricalAwards=false
• 关键词: TWC; Medium; Collaborative; Data; Social

Insider attacks present an extremely serious, pervasive and costly security problem under critical domains such as national defense and financial and banking sector. Accurate insider threat detection has proved to be a very challenging problem. This project explores detecting insider threats in a banking environment by analyzing database searches. This research addresses the challenge by formulating and devising machine learning-based solutions to the insider attack problem on relational database management systems (RDBMS), which are ubiquitous and are highly susceptible to insider attacks. In particular, the research uses a new general model for database provenance, which captures both the data values accessed or modified by a user's activity and summarizes the computational path and the underlying relationship between those data values. The provenance model leads naturally to a way to model user activities by labeled hypergraph distributions and by a Markov network whose factors represent the data relationships. The key tradeoff being studied theoretically is between the expressivity and the complexity of the provenance model. The research results are validated and evaluated by intimately collaborating with a large financial institution to build a prototype insider threat detection engine operating on its existing operational RDBMS. In particular, with the help of the security team from the financial institution, the research team addresses database performance, learning scalability, and software tool development issues arising during the evaluation and deployment of the system. Research results are reported via technical papers and disseminated through conferences and journals, through a new research webpage at the UB's NSA- and DHS-certified center of excellence (CAE) in Information Assurance, and at the center's future workshops.

内部攻击在国防、金融和银行等关键领域是一个极其严重、普遍和代价高昂的安全问题。准确的内部威胁检测已被证明是一个非常具有挑战性的问题。 该项目探讨通过分析数据库搜索来检测银行环境中的内部威胁。 本研究通过制定和设计基于机器学习的解决方案来解决关系数据库管理系统（RDBMS）的内部攻击问题，这是无处不在的，非常容易受到内部攻击。特别是，该研究使用了一个新的通用模型的数据库出处，它捕获的数据值访问或修改用户的活动，并总结了计算路径和这些数据值之间的潜在关系。起源模型自然地导致一种方式来建模用户活动的标记超图分布和马尔可夫网络的因素表示的数据关系。理论上研究的关键权衡是来源模型的表达性和复杂性之间的权衡。 通过与一家大型金融机构密切合作，在其现有的可操作RDBMS上构建一个原型内部威胁检测引擎，对研究结果进行了验证和评估。 特别是，在金融机构安全团队的帮助下，研究团队解决了系统评估和部署过程中出现的数据库性能、学习可扩展性和软件工具开发问题。研究结果通过技术论文报告，并通过会议和期刊传播，通过UB的NSA和DHS认证的信息保证卓越中心（CAE）的新研究网页，以及该中心未来的研讨会。