Predicting User Behavior to Improve Security
CitizenC writes "New computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches, say researchers. Read more." The paper (pdf) is online as well.
Surely this will just prompt crackers to stealth their actions in commands that are similar to how the system is used normally?
Wouldn't it be relatively easy to get around this by aliasing shell scripts to frequently used commands? Sure, the admin might be able to find the shell scripts lying around, but if an intruder was trying to do a one-off attack, it might be viable.
Brandon
How is the system used by credit card and phone companies different than the one proposed by this paper?
The law of excluded middle : Either I'm foo or I'm foobar
The user could "poison" the information by slowly changing his working habits. If done properly, the AI would probably think this was no different than the user just learning to do things in a different way. When the habits are close enough to the infringing behaviour, the user can probably do anything without setting off alarms.
In addition, if this is the only line of security, the user can then gradually return his patterns to normal. The logs from this system won't show anything. The PHBs may well decide that, when using something as smart as this, traditional logs won't be needed.
I can't say that I don't give a fuck. I've just run out of fuck to give.
See CylantSecure. Run your apps for a while and have it learn your apps' typical behavior. Then when something unusual happens it kills off the process. Interesting concept.
What happens when users change roles, get promoted, demoted......
Heck, I end up using a variety of computers throughout the day as problems pop up. This would trigger an alert every time I brought up an ssh window on an average user's computer to kill a runaway process, etc. Full-time staff is right; either that or every computer I touched would end up with quite a wide "border" of actions allowed and would defeat the purpose of the system.
Chinchani says the new system would continually adjust its view of normal and abnormal behaviour.
But can it learn to think like a crook?
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches
I don't think so... MS software constantly second-guesses users, and decides things for them, and it's pretty much as far from 'perfect' at preventing security breaches as you can get!
These guys have never used MS word have they?
From Clippy, to the damn 'auto-correct' which always decides to turn "MHz" into "Mhz", all they need to do is install MS Office, and see how wrong this idea is...
This should only be used to bolster existing security systems. Perhaps it could be used to correlate data gleaned from an IDS (Intrusion Detection System) to reduce the excessive noise that they usually generate.
A company would be foolish to put *any* single system like this as their only line of defense no matter what % success rate it has. Such systems are brittle and "when they fail, they fail badly."
Keep in mind that the sysadmin can see quite well what the user is doing. The point of this is just to raise a flag if someone does something outside of their daily pattern, not to mark them for inquisition.
All the sysadmin has to do is look at the log and say, "Ah, he's just trying to figure out how to filter his email" and dismiss it, whereas trying to get acquainted with an unfamiliar system and all of its configuration files would be extremely obvious.
Common sense is what tells you the world is flat.
"Bruce Schneier, head of US computer security firm Counterpane, says the research is interesting but warns that a 94 percent success rate would be useless at maintaining good security on its own." Well... 94% x 100 users on the network (0.94 ^ 100) = 0.2% chance of detecting all suspicious behavior. Nice odds; I wouldn't depend on it to protect my network, though.
I took a brief look at the paper and sincerely the idea is not bad at all. However that 94% is pure hype.
The biggest problem in computer security, in what is related to users, is not anomalies, but the usual practice. Remember that experts say that 90% of flaws are due to insiders and not outsiders. And why? Because 99% of these insiders don't care a nail for security. Most of them keep using the wife's name for a password and sharing C: to everyone. And no matter the efforts, policies, orders and instructions keep gaining dust. If you try to enforce them then you get a crowd in front of the boss with a rope for your neck. And if even the boss comes up to defend your work, everyone starts to mine all your job. All they want is Internet, passing documents and hoping that you finally get out and Microsoft comes in to solve all the problems. That's what the lamers think about security. And in this mess, no matter the expert you are, no matter the tools you have, no matter the hours you lose on the net, you always get trouble every week.
Besides I noted that if someone is going for the break-in, he will mostly go from start. It starts up with this guy "playing" with the computer, then it goes up to the net. Later he thinks he's smart enough to break the server and show that the security admin is a LaMeR. And it ends up with you looking at his desktop and writing the final document to fire him or put him in court. You may ask why this guy could go so far. Because he's smart, because no matter the lamerness he is good at something. So the boss will think twice before firing him. If you are in a corporation, then the boss will hang you up with this "irreplaceable" expert because in the city where he lives there's no one else to do his job. Besides, the corporation lost too much money on training him and doesn't want to start from zero on this. So you continue to see the bastard for a few months more before you catch him on the red spot.
I saw this and I know that this is a problem in many companies and state institutions around the world. So how will this system help you in such cases? It will, with a large margin of error, as the main anomaly, the user, is there from the very start.
They use something like this where I work. They have a script that filters all images over XX bytes into a program that then scans for flesh tones within the images. Possible offending images are then forwarded onto an admin who checks the image out and with a few clicks can either add the site the picture came from to the block list, send a warning letter to the logged in user, or both. Does the same thing for image attachments on email.
God I would love to have that guys job!
My guess is that it will take a statistical look at commands a la Bayesian Spam Plan.
After all, probing ports looks different than fixing network problems, package management/installation looks different than maliciously deleting files, trying to find memory leaks looks different than trying to access another process's memory space. They all use similar commands/system resources, but it should be possible by looking at a few tens of instructions to tell whether a user is trying to be malicious or not.
These may not be the best examples but the general idea is that it should be possible to determine a user's intent, because the probability of a sequence of commands having both a normal and a malicious role should go down quite a bit the more instructions the user executes.
Even false positives should be useful to admins by telling about inadvertent (i.e. accidentally typing rm -rf *) users as well.
Why, o why must the sky fall when I've learned to fly?
I have my doubts:
For example: which is the malicious activity?
User A types: rm -rf *
User B types: rm -rf *
(User A was in the root dir at the time. User B was in a subdirectory of his home directory at the time.)
Okay, that's easy: just remember to track the context of where the user currently is. But then what about this?
User A types: rm -rf /shared_network_drive
User B types: rm -rf /shared_network_drive
The difference is that User A was trying to delete everyone's stuff, while User B, knowing how the permissions on the files work, was just trying to find a lazy way to delete those files that he has permissions on, because he was trying to clear his own junk out of the /shared_network_drive. He was being sloppy, but not malicious.
How does the software know the difference?
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
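As an added illustration of the "statistical look at commands" suggestion a few posts up and of the working-directory objection in the post just above, here is a toy per-user scorer written for this thread. It is not the paper's method and not any poster's code; the user, paths, baseline log and sessions are all constructed, and the profile is static rather than continually adjusting as the paper's is.

```python
import math
from collections import Counter

# Constructed baseline log for one hypothetical user: (cwd, command line) per event.
BASELINE = [
    ("~/work", "ls"), ("~/work", "vim main.c"), ("~/work", "make"),
    ("~/work/build", "rm -rf *"), ("~/work", "git commit"), ("~/work", "ls"),
    ("~", "ls"), ("~", "ssh devbox"), ("~/work", "make"), ("~/work/build", "make"),
]


class UserProfile:
    """Per-user frequency model of (cwd, command) pairs with add-alpha smoothing."""

    def __init__(self, events, alpha=1.0):
        self.alpha = alpha
        self.total = len(events)
        self.pairs = Counter(events)                        # (cwd, cmd) -> count
        self.cwds = Counter(cwd for cwd, _ in events)       # cwd -> count
        self.ncmds = len({cmd for _, cmd in events}) + 1    # +1: "unseen command" bucket
        self.ncwds = len(self.cwds) + 1                     # +1: "unseen directory" bucket

    def surprise(self, cwd, cmd):
        """Joint surprise -log P(cwd) - log P(cmd | cwd): the score of a single event.
        The working directory is the context, so `rm -rf *` where the user always
        builds scores lower than the same command typed in `/`."""
        p_cwd = (self.cwds[cwd] + self.alpha) / (self.total + self.alpha * self.ncwds)
        p_cmd = (self.pairs[(cwd, cmd)] + self.alpha) / (self.cwds[cwd] + self.alpha * self.ncmds)
        return -math.log(p_cwd) - math.log(p_cmd)

    def score_session(self, events):
        """Total surprise of a command sequence; evidence accumulates command by command,
        so one odd command barely moves it while a whole unfamiliar session stands out."""
        return sum(self.surprise(cwd, cmd) for cwd, cmd in events)

    def flag(self, cwd, cmd, threshold):
        """Raise a flag for the admin to look at. The score is a function of the logged
        tuple only, so two users typing the same command in the same place score alike."""
        return self.surprise(cwd, cmd) > threshold


if __name__ == "__main__":
    profile = UserProfile(BASELINE)
    for cwd, cmd in [("~/work/build", "rm -rf *"), ("~/work", "rm -rf *"), ("/", "rm -rf *")]:
        print(f"{cmd!r} in {cwd}: surprise={profile.surprise(cwd, cmd):.2f} flag={profile.flag(cwd, cmd, 4.0)}")
    # Constructed sessions: the user's usual build loop vs. browsing an unfamiliar box's config.
    usual = [("~/work", "ls"), ("~/work", "make"), ("~/work", "git commit")]
    unfamiliar = [("/etc", "ls"), ("/etc/ssh", "cat sshd_config"), ("/var/log", "ls")]
    print("usual session:", round(profile.score_session(usual), 2))
    print("unfamiliar session:", round(profile.score_session(unfamiliar), 2))
```

The score only separates events by where and how often they appear in the log; the intent difference between the two users in the post above leaves no trace in a (cwd, command) tuple, which is exactly why the flag is something for an admin to look at rather than a verdict.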
I don't think the proposed system will work for everyone. I think that most workers in development groups will end up getting spanked for what the system interprets as "misbehavior". A developer unit-testing pieces of an application may end up deleting large swaths of files to see how a routine responds to missing files. A developer may write a "dummy server" that just sends streams of random bytes to test how a client process responds to bad input data. Testers may have to reset dates on machines to verify leap year compliance. Testers may make a bunch of files read-only to see how an app handles a log file that has bad permissions.
These are all legit operations - I've done every single one as part of testing or unit-testing in the past. They're also all operations that might be part of a local or remote root exploit.
The Management will have to turn off the profiling for certain users to avoid periodically getting swamped with false alarms or cutting off testing during the final phases of product development.
I have to conclude that it's just more snake oil.
Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.