Slashdot Mirror
Predicting User Behavior to Improve Security
CitizenC writes "New computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches, say researchers. Read more." The paper (pdf) is online as well.
Does sound promising though.
Meow meow meow meow, meow meow meow meow...
-Note to Self-
Keep doors locked at my house to prevent other people from coming in.
NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
the first action you take breaches security?
Jon Bardin
Surely this will just prompt crackers to stealth their actions in commands that are similar to how the system is used normally?
if they had any clue about real-world users, they'd know they're absolutely unpredictable. A user's creativeness to mess things up never ceases to amaze.
Oh wait. That wouldn't be unusual. DAMMIT!
This would work fine, with windows, you know. those 'illegal operations' have a really obvious prompt, it's easy to tell when someone is up to something.
Wouldn't it be relatively easy to get around this by aliasing shell scripts to frequently used commands? Sure, the admin might be able to find the shell scripts lying around, but if an intruder was trying to do a one-off attack, it might be viable.
Brandon
How is the system used by credit card and phone companies different than the one proposed by this paper?
The law of excluded middle : Either I'm foo or I'm foobar
This would encourage users not to experiment and find new ways of doing tasks, if everytime you tried something new a sysad came round to ask you what you were doing.
Never trust a man in a blue trench coat, Never drive a car when you're dead
The user could "poison" the information by slowly changing his working habits. If done properly, the AI would probably think this was no different than the user just learning to do things in a different way. When the habits are close enough to the infringing behaviour, the user can probably do anything without setting off alarms.
In addition, if this is the only line of security, the user can then gradually return his patterns to normal. The logs from this system won't show anything. The PHBs may well decide that, when using something as smart as this, traditional logs won't be needed.
I can't say that I don't give a fuck. I've just run out of fuck to give.
See CylantSecure. Run your apps for a while and have it learn your apps typical behavior. Then when something unusual happens it kills off the process. Interesting concept.
And how long will it be before users start losing privileges for things that they "potentially might do" (with a 94% accuracy rate). About one in 20 of us is really going to suffer for this one.
"Can't you see that everyone is buying station wagons?"
I am sure that they are also developing the new software that plugs the proverbial Social Engineering brain defecit that some users inherently posses. Makes you think huh?
I am Bennett Haselton! I am Bennett Haselton!
Bob from Accounting gets to look in the 2001 Sales figures, but Ted from Janitorial Services does not.
Names and passwords, logs and a good sysadmin sounds like it would do just fine.
How would this be any better than the so-called "anomoly" detection systems that some IDS people use (such as Manhunt?). I've eval'd these systems, they suck ass.
Just make a script that periodically calls every command in /usr/bin /sbin/ and /bin periodically. This could be done from a chroot jail so nothing actually got deleted. The detection program wouldn't know what was out of the ordinary if every command was part of what a user normally calls.
Get your stinking paws off me you damn dirty ape
... CowboyNeal would get himself kicked.
Look a monkey!
> Tests simulating inside attacks indicate that the new software would be up to 94 per cent reliable once implemented.
That's perfect security? 94%? Heck, I balk if my uptime isn't at least 99.999%. And security must be better than uptime.
There are/were some people working on something like this here at CMU. They had posted up bunch of the raw data that they had collected (basically just shell histories with each command run being assigned to a number, and then plotted as number of command (for instance, the 40th command the user entered) against the number value of the command). The results were extremely regular, and in many cases, downright periodic. People are far more predictable than they would like to think.
Common sense is what tells you the world is flat.
The Heisenberg uncertainty principle states that there will always be true statements within a system that cannot be proved within that system. Thus, there will always be "true" security breaches because it is not possible to predict in advance what form they may take.
Although, we can be certain that they will exist, they may be so insignificant that we never can detect them.
------------------
Wish I was a Physics Genius
Best Windows Freeware
Chinchani says the new system would continually adjust its view of normal and abnormal behaviour.
But can it learn to think like a crook?
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
..are what we need. If someone could come up with a box that could filter pages based on the amount of pink within the images I could delete 80% of my outgoing firewall rules at work!
Trolling is a art,
computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches
I don't think so... MS software constantly second-guesses users, and decides things for them, and it's pretty much as far from 'perfect' at preventing security breaches as you can get!
These guys have never used MS word have they?
From Clippy, to the damn 'auto-correct' which always decides to turn "MHz" into "Mhz", all they need to do is install MSOFFice, and see how wrong this idea is..
This should only be used to bolster existing security systems. Perhaps it could be used to correlate data gleaned from an IDS (Intrusion Detection System) to reduce the excessive noise that they usually generate.
A company would be foolish to put *any* single system like this as their only line of defense no matter what % success rate it has. Such systems are brittle and "when they fail, they fail badly."
"Bruce Schneier, head of US computer security firm Counterpane, says the research is interesting but warns that a 94 percent success rate would be useless at maintaining good security on its own." Well.. 94% x 100 users on the network (.94 ^ 100) = %0.2 chance of detecting all suspicious behavior. Nice odds, i wouldn't depend on it to protect my network, though.
The average user may be adept at breaking his PC, but he's much less likely to, say, flood the network with bad packets.
Would you to start the IIS hacking wizard?
Would you like to view a list of the top 1,000 exploits?
Never show this prompt again, its already too easy to hack IIS.
I took a brief look at the paper and sincerly the idea is not bad at all. However that 94% is pure hype.
The biggest problem in computer security, in what is related to users, is not anomalies, but the usual practice. Remember that experts say that 90% of flaws is due to insiders and not outsiders. And why? Because 99% of these insiders don't care a nail for security. Most of them keep using the wife's name for password and sharing C: to everyone. And no matter the efforts, policies, orders and instructions keep gaining dust. If you try to enforce them then you get a crowd in front of the boss with a rope for your neck.And if even the boss comes up to defend your work, everyone start to mine all your job. All they want is Internet, passing documents and hoping that you finally get out and Microsoft comes in to solve all the problems. That's what the lamers think about security. And in this mess, no matter the expert you are, no matter the tools you have, no matter the hours you loose on the net, you always get trouble every week.
Besides I noted that if someone is going for the break-in, he will mostly go from start. It starts up with this guy "playing" with the computer, then it goes up to the net. Later he thinks he's smart enough to break the server and show that the security admin is a LaMeR.And it ends up with you looking at his desktop and writing the final document to fire or put him into court. You may ask why this guy could go so far. Because he's smart, because no matter the lamerness he is good on something. So the boss will think twice before firing him. If you are in a corporation, then the boss will hang you up with this "unreplaceble" expert because in the city where he lives there's no one else to do his job. Besides, the corporation lost too much money on training him and doesn't want to start from zero on this. So you continue to see the bastard for a few monthes more before you catch him on the red spot.
I saw this and I know that this is a problem on many companies and state institutions around the world. So how this system will help you in such cases? It will, with a large margin of error as the main anomaly, the user, is there from the very start..
So this method might sound the alarm when someone who doesn't normally get to use 'su' or admin commands does so, but how would it help you once someone picks up an administrator password or otherwise compromises the system?
I'd guess on most networks, this system wouldn't sound alarms until the root user started ftp'ing entire file systems to an outside network... even then, what's the granularity on command analysis? Does it capture all i/o so it knows what you're using ftp for, or does it just know you're using ftp??
This won't replace prevention and secure passwords . More likely it'll give some clueless/overworked admins a false sense of security, and another program to monitor and maintain. Even when it works, you won't find out about an intrusion until it's probably too late.
Offtopic?! He was predicting user behaviour!
...who learn by breaking things repeatedly, and on purpose.
Tests simulating inside attacks indicate that the new software would be up to 94 per cent reliable once implemented.
That line right there should clue you in to the fact that these people are idiots.
Just like Clippy used to help me write letters.
"I looks like you're trying to break into the system. Would you like some help?"
It is software that launches a denial of service attack on your system if you don't buy.
Security is a good thing, but this is only useful for corporations.
Somebody has to predict Joe Average's behavior and setup a profile. The computer can't do that automatically because we have no good mind reading systems.
Joe Average is not smart (and that's an understatement). He can't setup such a profile for himself. Therebefore, this method is useless for the ignorant masses.
"I see you're trying to write an email to somebody! Would you like me to encrypt it with an approved DRM key so that nobody but you can read it?"
Everytime I fricken install Nero, Roxio pops up and says that's bad and my PC craps out.
Just kick anyone off the network who doesn't spend 80% of their time downloading pr0n.
Help save the critically endangered Blue Iguana
The users I manage are completely unpredictable. Not to sound like a Luddite, but there is no technology that will ever predict what my users do. If there is a way to do it, it will be done. Millions of monkeys with millions of typewriters, and that is a great analogy for what I have seen...
Sounds like profiling terrorists. It'll work great, and everyone will feel secure and all, until somone flies a plane into their "secure" server.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
"close to perfect at preventing security breaches"!!?!? Those crazy experts! Oh man, that's a good one. Oh, boy I'm busting a gut here. Wheh! man. good one. heh. yeah.
The described system seems to base it's rules on learned user habits; obviously, this strikes one as being incredibly fallible. Assuming their 94% figure is correct for the sake of argument, how do you think *your* behaviour would change knowing full-well that you are being watched?
There are laws in certain places that say a user (in a corporate environment) must be notofied that they are being monitored at that very second. Some software places a pair of eyeballs - how creepy is that - in the toolbar when this occurs.
If the thing's purpose is to sniff out 'suspicious' behavious, I can't see how it could work properly. I mean, how can it sniff out 'motive'?
If Jesus wants me it knows where to find me.
$ r00t machine
Ush: command not found: r00t
*meanwhile, in the Secret Command Centre*
#QUEER#COMMAND##INVESTIGATE##
$ owNz0rz machine
owNz0rz: unknown parameter machine
*SCC*
###THERE#MIGHT#BE#SOMETHING#GOING#ON##
$ owNz0rz r00t
Ush: j00 owNz0r d4 r00t!
*SCC*
#####ALARM#ALARM#####
$
Ush: Someone trying to use 'alarm()', authorize? n0
Ush: Killing alarming process.
$ 1337
Marxist evolution is just N generations away!
It's Thinking...
Whatever man, I spelled it write!
Any time someone mentions a "success rate" without also mentioning the false positive rate, they're feeding you garbage
.001% false alarm rate means that an innocent worker is going to be interrupted THREE TIMES A YEAR by burly security people at the cube doorway shouting "Hands off that keyboard RIGHT NOW!"
I'd be much more impressed by a claim of an 0.001% false alarm rate than I am by a 94% success rate.
Yet, on a per-line basis, if you assume that a user averages, say, three typed lines per minute, that's 180 lines per hour = 360000 lines per working year.
A
"How to Do Nothing," kids activities, back in print!
it'd be like...
:;do for IP in `cat /var/log/httpd/access_log|awk '{print $2}'`; do /usr/sbin/iptables -t filter -A INPUT -p tcp -s $IP/32 -j DROP;done;done or something like that. Yeah. I got your AI right here. I can sell you a tarball with a digitally signed dignature- I'm quite digil when it comes to being a digilante.
while
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Any serious hacker will do their homework beforehand. This just makes one more step in the process of mapping out a target. Once you understand how the software works I'm sure it wouldn't be hard to circumvent given the time and dedication, not to mention the fact that it could potentially *open* security holes for malicious users to exploit.
"I'm not a vegetarian because I love animals. I'm a vegetarian because I hate plants."
maybe we could start putting hardware locks in the case that lock the keyboard! err... oh wait, that idea sucked too
I don't think the proposed system will work for every one. I think that most workers in development groups will end up getting spanked for what the system interprets as "misbehavior". A developer unit-testing pieces of an application may end up deleting large swaths of files to see how a routine responds to missing files. A developer may write a "dummy server" that just sends streams of random bytes to test how a client process responds to bad input data. Testers may have to reset dates on machines to verify leap year compliance. Testers may make a bunch of files read-only to see how an app handles a log file that has bad permissions.
These are all legit operations - I've done every single one as part of testing or unit-testing in the past. They're also all operations that might be part of a local or remote root exploit.
The Management will have to turn off the profiling for certain users to avoid periodically getting swamped with false alarms or cutting off testing during the final phases of product development.
I have to conclude that it's just more snake oil
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Pop up a dialog:
"It looks like you are trying to hack into this system. Would you like me to start the Hacking Wizard for you?"
If you want to get rid of the bathwater, you've got to throw out a few babies.
But, even if it is 94%, if you've got a system that runs around 100 users, then 94% equals approximately 1 million mistakes per year. Where does the budget come from to timely track down 1 million false alarms annually? How is any analyst going to seriously follow every machine-generated warning when 99.99% of the machine-generated warnings are spurious?
Let us now return to reality, which is already in progress.
Clippy pops up and says "I see it appears you want to go the bathroom" "would you like me to help you?"
you kill clippy
5 seconds later he re-appears "I know you need to go, I know better than you, you can't avoid this"
or the inverse of this. You try to click on outlook and the OS keaps moving your mouse away from the icon, then it stops, you go to try again and it throws your pointer across the screen. You go for the start menu and before you get there the taskbar hides.
Predicting User Behavior to Avoid A Line Of Hopeless Sales Staff Around My Desk
example (lesson) #1:
'why does it say i don't have permission to install kazaa on this machine?'
'delicate windows sytem message. very high level. just ignore it.'
I'm sorry, Dave. I'm afraid I can't do that. You're not yourself today.
Actually, that would be the chance of catching every one of 100 attacks. If you've got 100 people chipping away at your network then yes, you might miss six of 'em...then again, if you've got 100 crackers on your network, that's probably not all you've missed ;)
User A types: rm -rf /shared_network_drive /shared_network_drive
/shared_network_drive. He was being sloppy, but not malicious.
User B types: rm -rf
The difference is that User A was trying to delete everyone's stuff, while User B, knowing how the permissions on the files work, was just trying to find a lazy way to delete those files that he has permissions on because he was trying to clear his own junk out of the
How does the software know the difference?
How do you know the difference? Nothing differs between the users issuing these commands other than their intent. This is not something a human sysadmin could know either. Given that there is no system in the world, including a human element or not, that could say who had what in mind in the scenario you describe, you are unfair in requiring this of the system in question.
So, it isn't perfect. But did you really expect it to be? Any system will necessarily have to provide a number of false positives (such as the one you described). This does not imply that it couldn't work very well overall.
Also, it could be argued that a warning really should go off even if the user had no malicious intent, as using rm -rf on other people's files because of pure lazyness is not something that should be encouraged anyhow.
"If you think education is expensive, try ignorance" - Derek Bok
There is a sweet spot, between a free for all IT environment and network nazis. In the sweet spot, you have reasonable usage and security policies, backups, reimaging (when necessary), and best of all, something of a blind eye to the clueful.
Unfortunately, there seems to be a ratchet effect; an inevitable ossification. There's always going to be "incidents" of lost files, viruses, etc. Let's overreact, and put our users in straightjackets (but never, for example, replace Outlook with a sane mail client). Some idiot installed Kazaa, so let's make sure nobody installs vim or textpad. And the clueful people needed to run a reasonable network are too expensive; let's remotely install everything with some crap like Netware Application Launcher
And now this. We'll detect anyone trying to come up with a better way to do things, and harrass them. Great. Meanwhile, anyone with ill intent can still do whatever they want - yeah, you can theoretically restrict a user from writing to his own hard drive or registry, but good luck. What was that about cheap easy administration again?
seriously...this technique won't prevent against bad/poorly protected passwords or other issues where the 'proper' behavior is inherently insecure.
These systems will have to be tuned to such a fine line between false positives and false negatives that it will be hard to see as viable. A few false positives too many and the CEO will be sending memos.
New computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches
:)
Prediction: Users cause security breaches.
Near-perfect solution: Eliminate all users.
-- Skynet, 09-29-1997, 02:14 hours
My post first started out as "Score:1, Funny" then it started to sink. First, "Score:0, Funny" and now "Score:-1, Offtopic"... Sigh, it _was_ meant to be funny and only the first moderator saw what I still see... Sigh, what a loser among dogpoo I am..
I don't think this has a chance. If you look at software for intrusion detection, you'll see that researchers hav put in many, MANY years of research trying to pick up 'strange' network traffic. But it just didn't work. They couldn't get it useable, no matter what smart technologies they used (neural nets, petri nets, complicated statistical methods).
Then along comes a guy who just tries to pick up certain, well-known strings from the network stream and voila, a sort of virus scanner for networktraffic. Works like a charm, with low false positives. See also here, but there are others.
I'm sorry dave. I can't let you do that.
What happens when the system malfunctions? what power does this system have?
until you consider the fact that most security flaws have been discovered when a user has done something more or less unpredicable.
====
Crudely Drawn Games
It sounds a lot like a motion sensor hooked up to a light, it doesn't make you safe but you can see possible dangers even if stray cats set it off. And it helps to direct your attention towards problems that you might have.
That might affect performance...