Predicting User Behavior to Improve Security

CitizenC writes "New computer-monitoring software designed to second-guess the intentions of individual system users could be close to perfect at preventing security breaches, say researchers. Read more." The paper (pdf) is online as well.

Home Security

[McFly69]

-Note to Self-

Keep doors locked at my house to prevent other people from coming in.

Arms Race

[queh]

Surely this will just prompt crackers to stealth their actions in commands that are similar to how the system is used normally?

Well, um

[Roadmaster]

if they had any clue about real-world users, they'd know they're absolutely unpredictable. A user's creativeness to mess things up never ceases to amaze.

Re:Well, um

[qengho]

A user's creativeness to mess things up never ceases to amaze.

Or as one of the corollaries to Murphy's Law states: "No matter how idiot-proof you make something, an ingenious idiot in the field will find a workaround."

aliasing

[Brandon+T.]

Wouldn't it be relatively easy to get around this by aliasing shell scripts to frequently used commands? Sure, the admin might be able to find the shell scripts lying around, but if an intruder was trying to do a one-off attack, it might be viable.

Brandon

Re:aliasing

[halftrack]

I think that's untrue such a scam is not viable. The shell scripts would call commands that get registered by the system and plain alias will only affect the user, the system still sees the original command.

Re:aliasing

[DunbarTheInept]

But what about making new programs to imitate existing ones, but just in a way that isn't noticed by the snooper? (for example: myFuzzySlipperProgram could be a renamed "rm" program compiled from source.)

Or, just do your malicious cracking using system calls from your own C programs. Don't use the rm command in a script, use a program that calls unlink().

To even have a chance of being effective, the system would have to be watching not the commands you type, but the system calls you make. (In unix terms, any time you do something using one of the functions on man page 2, the system library would have to log that.)

Stifle creativity

[nut]

This would encourage users not to experiment and find new ways of doing tasks, if everytime you tried something new a sysad came round to ask you what you were doing.

Not bad but...

[aridhol]

At first glance, this looks like something that may be useful. However, what happens if a user knows about the system and its patterns, and plans out the attack over a large period of time?

The user could "poison" the information by slowly changing his working habits. If done properly, the AI would probably think this was no different than the user just learning to do things in a different way. When the habits are close enough to the infringing behaviour, the user can probably do anything without setting off alarms.

In addition, if this is the only line of security, the user can then gradually return his patterns to normal. The logs from this system won't show anything. The PHBs may well decide that, when using something as smart as this, traditional logs won't be needed.

Minority Report?

[zoward]

And how long will it be before users start losing privileges for things that they "potentially might do" (with a 94% accuracy rate). About one in 20 of us is really going to suffer for this one.

Re:destined to failure

[distributed.karma]

> The Heisenberg uncertainty principle states that there will always be true statements within a system that cannot be proved within that system.

Um, that's Godel's Theorem.

> Wish I was a Physics Genius

I think that just about sums it up. ;-)

Obligatory

[scott1853]

Clippy: It appears as though you are trying to hack into an IIS box.

Would you to start the IIS hacking wizard?

Would you like to view a list of the top 1,000 exploits?

Never show this prompt again, its already too easy to hack IIS.

Bruce Schneier

[elb]

...was recently featured in this article about US security policy, and primarily on the dangers of relying too much on technolgoy. the article is great -- not super-techy, but a great explanation of technology and security policy; it makes an intimidating topic accessible to the intelligent non-tech. a couple of good points from the article:

• "[the leading / best face recognition] software has a success rate of 99.32 percent--that is, when the software matches a passenger's face with a face on a list of terrorists, it is mistaken only 0.68 percent of the time. Assume for the moment that this claim is credible; assume, too, that good pictures of suspected terrorists are readily available. About 25 million passengers used Boston's Logan Airport in 2001. Had face-recognition software been used on 25 million faces, it would have wrongly picked out just 0.68 percent of them--but that would have been enough, given the large number of passengers, to flag as many as 170,000 innocent people as terrorists. With almost 500 false alarms a day, the face-recognition system would quickly become something to ignore."
• "The most important element of any security measure, Schneier argues, is people, not technology--and the people need to be at the scene. Recall the German journalists who fooled the fingerprint readers and iris scanners. None of their tricks would have worked if a reasonably attentive guard had been watching. Conversely, legitimate employees with bandaged fingers or scratched corneas will never make it through security unless a guard at the scene is authorized to overrule the machinery. "

"Success" - "false positive" = garbage

[dpbsmith]

Any time someone mentions a "success rate" without also mentioning the false positive rate, they're feeding you garbage

I'd be much more impressed by a claim of an 0.001% false alarm rate than I am by a 94% success rate.

Yet, on a per-line basis, if you assume that a user averages, say, three typed lines per minute, that's 180 lines per hour = 360000 lines per working year.

A .001% false alarm rate means that an innocent worker is going to be interrupted THREE TIMES A YEAR by burly security people at the cube doorway shouting "Hands off that keyboard RIGHT NOW!"

Re:hmmm...

[DunbarTheInept]

I have my doubts:

for example: which is the malicious activity?
User A types: rm -rf *
User B types: rm -rf *

(User A was in the root dir at the time. User B was in a subdirectory of his home directory at the time.)

Okay, that's easy- just remember to track the context of where the user currently is. But then what about this?

User A types: rm -rf /shared_network_drive
User B types: rm -rf /shared_network_drive

The difference is that User A was trying to delete everyone's stuff, while User B, knowing how the permissions on the files work, was just trying to find a lazy way to delete those files that he has permissions on because he was trying to clear his own junk out of the /shared_network_drive. He was being sloppy, but not malicious.

How does the software know the difference?

Re:Intelligent pr0n filters..

[grub]

I assume the other 20% of rules cover the interracial and black pr0n sites?

They're all pink on the inside. :)