Slashdot Mirror


Predicting User Behavior to Improve Security

CitizenC writes "New computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches, say researchers. Read more." The paper (pdf) is online as well.

6 of 133 comments

  1. Arms Race by queh · Score: 5, Interesting

    Surely this will just prompt crackers to stealth their actions in commands that are similar to how the system is used normally?

  2. aliasing by Brandon+T. · Score: 5, Interesting

    Wouldn't it be relatively easy to get around this by aliasing shell scripts to frequently used commands? Sure, the admin might be able to find the shell scripts lying around, but if an intruder was trying to do a one-off attack, it might be viable.

    Brandon

    1. Re:aliasing by DunbarTheInept · Score: 5, Interesting

      But what about making new programs to imitate existing ones, but just in a way that isn't noticed by the snooper? (for example: myFuzzySlipperProgram could be a renamed "rm" program compiled from source.)

      Or, just do your malicious cracking using system calls from your own C programs. Don't use the rm command in a script, use a program that calls unlink().

      To even have a chance of being effective, the system would have to be watching not the commands you type, but the system calls you make. (In unix terms, any time you do something using one of the functions on man page 2, the system library would have to log that.)

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  3. Not bad but... by aridhol · Score: 5, Interesting

    At first glance, this looks like something that may be useful. However, what happens if a user knows about the system and its patterns, and plans out the attack over a large period of time?

    The user could "poison" the information by slowly changing his working habits. If done properly, the AI would probably think this was no different than the user just learning to do things in a different way. When the habits are close enough to the infringing behaviour, the user can probably do anything without setting off alarms.

    In addition, if this is the only line of security, the user can then gradually return his patterns to normal. The logs from this system won't show anything. The PHBs may well decide that, when using something as smart as this, traditional logs won't be needed.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
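The slow-drift "poisoning" described in the comment above is easiest to see against code. This is an added example, not part of the Slashdot thread or the paper it discusses: a command-share profiler that scores each day against two baselines, a rolling one that re-learns from the previous week and an anchored one frozen from the first week. The activity data is constructed (a user whose share of `rm` grows by 1.5 points a day); the command names, window sizes and threshold are assumptions chosen for the illustration.

```python
"""Added example (not from the Slashdot thread): a command-frequency profiler
that compares each day against a rolling baseline and an anchored baseline.
All activity data is constructed: a user whose share of 'rm' grows a little
every day, which is the gradual habit change the comment describes."""

COMMANDS = ["ls", "cat", "vi", "rm"]
ROLLING_WINDOW = 7        # days behind the adaptive baseline (assumed)
ANCHOR_DAYS = 7           # days used to freeze the long-term baseline (assumed)
ALARM_THRESHOLD = 0.10    # total-variation distance that raises an alarm (assumed)


def daily_profile(day):
    """Constructed command-share profile for one day: a slow linear drift in
    which 'rm' grows by 1.5 points per day at the expense of the other three."""
    return {
        "ls": 0.45 - 0.005 * day,
        "cat": 0.30 - 0.005 * day,
        "vi": 0.20 - 0.005 * day,
        "rm": 0.05 + 0.015 * day,
    }


def mean_profile(profiles):
    """Average a list of share dictionaries command by command."""
    n = len(profiles)
    return {c: sum(p[c] for p in profiles) / n for c in COMMANDS}


def tv_distance(a, b):
    """Total-variation distance between two share distributions
    (0.0 = identical, 1.0 = completely disjoint)."""
    return 0.5 * sum(abs(a[c] - b[c]) for c in COMMANDS)


def first_alarm_days(num_days=30):
    """Return (rolling_alarm_day, anchored_alarm_day); None means no alarm.

    The rolling detector re-learns from the previous ROLLING_WINDOW days, so a
    drift that is small from one day to the next never crosses the threshold.
    The anchored detector keeps comparing against the frozen first week, so the
    accumulated drift eventually does."""
    history = [daily_profile(d) for d in range(num_days)]
    anchored = mean_profile(history[:ANCHOR_DAYS])
    rolling_alarm = anchored_alarm = None
    for day in range(ANCHOR_DAYS, num_days):
        today = history[day]
        rolling = mean_profile(history[day - ROLLING_WINDOW:day])
        if rolling_alarm is None and tv_distance(today, rolling) > ALARM_THRESHOLD:
            rolling_alarm = day
        if anchored_alarm is None and tv_distance(today, anchored) > ALARM_THRESHOLD:
            anchored_alarm = day
    return rolling_alarm, anchored_alarm


if __name__ == "__main__":
    rolling, anchored = first_alarm_days()
    print(f"rolling baseline alarm: {rolling}, anchored baseline alarm: {anchored}")
```

With this data the rolling baseline trails the user by about four days and stays at a distance of 0.06, so it never alarms, while the anchored baseline alarms on day 10. The design point is the one the comment makes: a profile that only ever compares "today" with "recently" accepts any change that is slow enough, so a behavioural detector needs a reference that does not move with the user, and the traditional logs it sits beside still need to be kept.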

  4. Bruce Schneier by elb · Score: 5, Interesting

    ...was recently featured in this article about US security policy, and primarily on the dangers of relying too much on technology. the article is great -- not super-techy, but a great explanation of technology and security policy; it makes an intimidating topic accessible to the intelligent non-tech. a couple of good points from the article:
    • "[the leading / best face recognition] software has a success rate of 99.32 percent--that is, when the software matches a passenger's face with a face on a list of terrorists, it is mistaken only 0.68 percent of the time. Assume for the moment that this claim is credible; assume, too, that good pictures of suspected terrorists are readily available. About 25 million passengers used Boston's Logan Airport in 2001. Had face-recognition software been used on 25 million faces, it would have wrongly picked out just 0.68 percent of them--but that would have been enough, given the large number of passengers, to flag as many as 170,000 innocent people as terrorists. With almost 500 false alarms a day, the face-recognition system would quickly become something to ignore."
    • "The most important element of any security measure, Schneier argues, is people, not technology--and the people need to be at the scene. Recall the German journalists who fooled the fingerprint readers and iris scanners. None of their tricks would have worked if a reasonably attentive guard had been watching. Conversely, legitimate employees with bandaged fingers or scratched corneas will never make it through security unless a guard at the scene is authorized to overrule the machinery."
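The face-recognition figures quoted above are a base-rate problem, and the same arithmetic decides whether any anomaly detector, including the one in the linked paper, produces alerts anyone will read. The following is an added example, not from the thread or the article it quotes: it reproduces the quoted numbers and goes one step further, to the positive predictive value (the chance that a flagged person is really on the list), which the quote leaves implicit. The 10-in-25-million prevalence and the 100% sensitivity are constructed assumptions.

```python
"""Added example (not from the Slashdot thread or the quoted article): the
base-rate arithmetic behind the quoted face-recognition figures, plus the
positive predictive value that the quote leaves implicit."""


def expected_false_alarms(population, false_positive_rate):
    """Innocent people flagged when everyone in the population is screened."""
    return population * false_positive_rate


def false_alarms_per_day(population, false_positive_rate, days=365):
    """Daily false-alarm load for a screening point with the given yearly traffic."""
    return expected_false_alarms(population, false_positive_rate) / days


def positive_predictive_value(sensitivity, false_positive_rate, prevalence):
    """Bayes: P(on the list | flagged).  'sensitivity' is the chance a listed
    person is flagged, 'prevalence' the fraction of the population on the list."""
    true_positives = sensitivity * prevalence
    false_positives = false_positive_rate * (1.0 - prevalence)
    return true_positives / (true_positives + false_positives)


if __name__ == "__main__":
    passengers = 25_000_000       # Logan Airport, 2001, from the quote
    fpr = 0.0068                  # the quoted 0.68 percent
    print("false alarms per year:", round(expected_false_alarms(passengers, fpr)))
    print("false alarms per day:", round(false_alarms_per_day(passengers, fpr)))
    # Constructed assumption: ten listed people among the 25 million, all caught.
    print("chance a flagged passenger is really listed:",
          positive_predictive_value(1.0, fpr, 10 / passengers))
```

Even with perfect sensitivity, about one flagged passenger in 17,000 would actually be on the list; the other 466 a day are the alerts a guard learns to wave through. Whether the detector watches faces or shell commands, the false-positive rate has to be read against the size of the benign population before it means anything.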

  5. Re:hmmm... by DunbarTheInept · Score: 5, Interesting

    I have my doubts:

    for example: which is the malicious activity?
    User A types: rm -rf *
    User B types: rm -rf *

    (User A was in the root dir at the time. User B was in a subdirectory of his home directory at the time.)

    Okay, that's easy: just remember to track the context of where the user currently is. But then what about this?

    User A types: rm -rf /shared_network_drive
    User B types: rm -rf /shared_network_drive

    The difference is that User A was trying to delete everyone's stuff, while User B, knowing how the permissions on the files work, was just trying to find a lazy way to delete those files that he has permissions on because he was trying to clear his own junk out of the /shared_network_drive. He was being sloppy, but not malicious.

    How does the software know the difference?

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
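Two comments in this thread point at the same fix: DunbarTheInept's reply to "aliasing" argues the monitor must watch section-2 system calls rather than command names (a renamed `rm` or a C program calling `unlink()` looks the same to the kernel), and the comment just above asks how a monitor tells the two `rm -rf /shared_network_drive` users apart. The following is an added example, not code from the thread or the paper: it classifies file-removal events from a system-call audit trail, ignoring the program name entirely and using the working directory, the resolved path, the file's owner and whether the call succeeded as context. The log lines are constructed, simplified auditd-style records with the SYSCALL, CWD and PATH fields merged onto one line; the `user=` field, the `/home/<user>` layout and the verdict names are assumptions of this example.

```python
"""Added example (not from the Slashdot thread): classify destructive file
operations from the system-call audit trail rather than from the command name.
The records below are constructed, simplified auditd-style lines (SYSCALL, CWD
and PATH fields merged); 'user=' and the /home/<user> layout are assumed."""
import posixpath
import re

# File-removing calls from section 2 of the manual.  'comm' is never consulted,
# so a renamed binary or a home-grown C program is judged by what it does.
DESTRUCTIVE_SYSCALLS = {"unlink", "unlinkat", "rmdir", "rename", "renameat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit records (not real logs).
AUDIT_LINES = [
    # User B in his own subdirectory: an ordinary rm of his own file.
    'uid=1001 user="alice" comm="rm" syscall=unlinkat cwd="/home/alice/tmp" name="notes.bak" ouid=1001 success=yes',
    # A renamed rm binary: the command name is unfamiliar, the system call is not.
    'uid=1002 user="mallory" comm="myFuzzySlipperProgram" syscall=unlink cwd="/" name="/etc/passwd" ouid=0 success=yes',
    # A home-grown program calling unlink() directly on someone else's file.
    'uid=1002 user="mallory" comm="a.out" syscall=unlink cwd="/shared_network_drive" name="bob_report.doc" ouid=1003 success=yes',
    # User B: rm -rf on the shared drive removes his own file: sloppy, not malicious.
    'uid=1001 user="alice" comm="rm" syscall=unlinkat cwd="/shared_network_drive" name="alice_scratch.txt" ouid=1001 success=yes',
    # ...and is denied by the permissions on everyone else's files.
    'uid=1001 user="alice" comm="rm" syscall=unlinkat cwd="/shared_network_drive" name="bob_report.doc" ouid=1003 success=no',
    # Reading a file is not a removal at all.
    'uid=1001 user="alice" comm="cat" syscall=openat cwd="/home/alice" name="todo.txt" ouid=1001 success=yes',
]


def parse_record(line):
    """Turn 'key=value key="quoted value"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def resolve_target(record):
    """Absolute path actually touched: 'name' joined onto 'cwd' when relative."""
    name = record["name"]
    if not posixpath.isabs(name):
        name = posixpath.join(record["cwd"], name)
    return posixpath.normpath(name)


def classify(record):
    """Return (verdict, reason).

    'flag'   : a file owned by someone else was actually removed
    'notice' : a removal attempt was denied, or the caller removed his own
               file outside his home directory (sloppy, but permitted)
    'ok'     : anything else"""
    call = record.get("syscall")
    if call not in DESTRUCTIVE_SYSCALLS:
        return "ok", f"{call} is not a file-removing call"
    target = resolve_target(record)
    if record.get("success") != "yes":
        return "notice", f"{call} on {target} denied by permissions"
    uid, owner = int(record["uid"]), int(record["ouid"])
    if owner != uid:
        return "flag", f"{call} removed {target} owned by uid {owner}"
    home = f"/home/{record['user']}"
    if target != home and not target.startswith(home + "/"):
        return "notice", f"{call} on own file outside home: {target}"
    return "ok", f"{call} on own file {target}"


def scan(lines):
    """Return [(user, comm, verdict, reason)] for every record not plainly 'ok'."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        verdict, reason = classify(rec)
        if verdict != "ok":
            findings.append((rec["user"], rec["comm"], verdict, reason))
    return findings


if __name__ == "__main__":
    for user, comm, verdict, reason in scan(AUDIT_LINES):
        print(f"{verdict:6} {user:8} {comm:24} {reason}")
```

Run on the constructed records, the two removals by `mallory` are flagged although neither was typed as `rm`, while both of `alice`'s shared-drive events come back as notices: one permitted removal of her own file, one attempt the permissions refused. The monitor still cannot read intent, which is the comment's point, but judging the outcome of each system call (what was removed, whose it was, from where) separates "deleted everyone's stuff" from "was sloppy with his own" without ever trusting the command name.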