UTCS Corporate Connection/FoCS: Sandy Dykes, Ph.D. (Southwest Research Institute), "Applying Network-based Statistical Anomaly Detection to the Insider Threat Problem", ACES 2.402, Tuesday, October 28, 2008, 4:30 p.m.
Type of Talk: UTCS Corporate Connection FoCS
Speaker/Affiliation: Sandy Dykes, Ph.D., Southwest Research Institute
Date/Time: Tuesday, October 28, 2008, 4:30 p.m.
Location: ACES 2.402
Host: UTCS FoCS
Talk Title: Applying Network-based Statistical Anomaly Detection to the Insider Threat Problem
Talk Abstract:
The insider threat differs from most network security problems in that user activities and network data may appear legitimate. For example, an authorized insider with access to network resources can collect potentially sensitive data without triggering a rule-based intrusion detection system. Database queries, HTTP downloads and file retrievals performed by insiders typically comply with protocol standards and carry valid data payloads. However, a malicious insider may exhibit abnormal activity patterns in comparison to a population of normal users. An example of such a pattern is a user who sends more than N database queries per day or accesses more than M rarely used resources. The difficulty is that normal values for N and M depend upon various factors such as assigned duties, day of the week and external events. Fixed thresholds are too inflexible, resulting in high false alarm rates.

One alternative is to use statistical anomaly detection (AD) methods, which learn the thresholds by building models of normality from observed data and then detect deviation from those models. This talk describes on-going research to evaluate the potential of network-based statistical anomaly detection for insider threats. To be meaningful, the evaluation must provide a quantifiable characterization of normal user behavior and insider threat behavior. The AD engine assumes a Gaussian user population, but our evaluation addresses its effectiveness for both Gaussian and non-Gaussian populations. We have developed behavior models for normal users and for insiders that generate network activities according to various distribution functions, including Gaussian, Pareto and lognormal. The evaluation will also measure error rates for various levels of insider activities. This is a work-in-progress talk, and we invite speculation and input from the audience.
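The following script is an added illustration of the evaluation the abstract describes; it is not code from the talk or from Southwest Research Institute. It simulates daily database-query counts for a normal user population drawn from a Gaussian, a lognormal or a Pareto distribution, fits the Gaussian "model of normality" (sample mean and standard deviation) to one sample, derives an alarm threshold from that model, and measures the false alarm rate on fresh normal user-days and the detection rate on insider user-days, alongside a hand-picked fixed rule "more than N queries per day". The distributions and their parameters, the insider model (normal activity plus a constant number of extra queries per day), the fixed rule N=80 and the 3-sigma rule are all assumptions made for this example.

```python
"""Toy comparison of a fixed per-day query threshold against a threshold
learned from data by a Gaussian anomaly-detection model, evaluated on
simulated user populations with Gaussian and non-Gaussian (lognormal,
Pareto) daily query counts.

All data is synthetic and generated here; the distribution parameters,
the insider model (normal activity plus a constant number of extra
queries per day), the fixed rule N=80 and the 3-sigma rule are
assumptions for illustration only.
"""
import math
import random
import statistics

SEED = 2008      # fixed seed so the experiment is reproducible
FIXED_N = 80     # assumed hand-picked "more than N queries per day" rule


def make_population(kind, n, rng):
    """Daily query counts for n user-days of a normal (non-malicious)
    population. Parameters are assumptions chosen so that each population
    has a typical level of a few dozen queries per day."""
    if kind == "gaussian":
        return [max(0.0, rng.gauss(50, 10)) for _ in range(n)]
    if kind == "lognormal":
        # median 50 queries/day, heavy right tail
        return [rng.lognormvariate(math.log(50), 0.5) for _ in range(n)]
    if kind == "pareto":
        # shape 3 (finite variance), minimum 25 queries/day
        return [25 * rng.paretovariate(3) for _ in range(n)]
    raise ValueError(f"unknown population kind: {kind}")


def fit_gaussian_model(training):
    """Model of normality learned from observed data: sample mean and
    standard deviation, i.e. the AD engine assumes a Gaussian population."""
    return statistics.fmean(training), statistics.stdev(training)


def learned_threshold(model, k=3.0):
    """Alarm threshold derived from the model rather than fixed by hand:
    mean + k standard deviations (k=3 is the usual 3-sigma rule)."""
    mean, sd = model
    return mean + k * sd


def fraction_flagged(counts, threshold):
    """Fraction of user-days whose count exceeds the threshold. On normal
    user-days this is the false alarm rate; on insider user-days it is the
    detection rate."""
    return sum(c > threshold for c in counts) / len(counts)


def evaluate(kind, insider_extra, k=3.0, n_train=5000, n_test=5000, seed=SEED):
    """Train the Gaussian model on one sample of the population, then
    measure false alarms on a fresh normal sample and detections on
    insiders who add `insider_extra` queries/day on top of normal
    activity. The fixed rule N=FIXED_N is scored on the same data."""
    rng = random.Random(seed)
    train = make_population(kind, n_train, rng)
    test = make_population(kind, n_test, rng)
    insiders = [c + insider_extra for c in make_population(kind, n_test, rng)]
    thr = learned_threshold(fit_gaussian_model(train), k)
    return {
        "learned_threshold": thr,
        "learned_far": fraction_flagged(test, thr),
        "learned_detection": fraction_flagged(insiders, thr),
        "fixed_far": fraction_flagged(test, FIXED_N),
        "fixed_detection": fraction_flagged(insiders, FIXED_N),
    }


if __name__ == "__main__":
    for kind in ("gaussian", "lognormal", "pareto"):
        for extra in (50, 100, 200):
            r = evaluate(kind, extra)
            print(f"{kind:9s} insider +{extra:3d}/day  "
                  f"learned thr={r['learned_threshold']:6.1f} "
                  f"FAR={r['learned_far']:.4f} det={r['learned_detection']:.2f} | "
                  f"fixed N={FIXED_N} FAR={r['fixed_far']:.4f} "
                  f"det={r['fixed_detection']:.2f}")
```

Running the script shows the two effects the abstract is concerned with. The fixed rule N=80 is tuned for the Gaussian population and produces a false alarm rate around 17% on the lognormal population, which is the "fixed thresholds are too inflexible" problem. The learned 3-sigma threshold keeps false alarms near 0.1% on the Gaussian population, but on the heavy-tailed lognormal and Pareto populations the false alarm rate is roughly ten times higher, and because the tail inflates the learned standard deviation the threshold also rises, so insiders adding 100 queries/day are detected on only about half of their days in the lognormal case. Varying `insider_extra` is the "various levels of insider activities" axis of the evaluation.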
Speaker Bio:
Dr. Dykes has a Ph.D. in Computer Science from the University of Texas at San Antonio. Dr. Dykes' area of expertise is network security and communication protocols, with an emphasis on large-scale networks, Internet infrastructure and high-performance designs. Prior to joining Southwest Research Institute, Dr. Dykes was on the faculty of the University of Texas at San Antonio, where she taught courses in computer networks and programming languages. She is the author of numerous publications in leading IEEE conferences and journals, has served on NSF review panels for the Advanced Computational Research Program and the Information Technology Research Program, and frequently reviews articles for journals and technical conferences on communications and computer networks. In addition to her experience in networks and communications, Dr. Dykes has worked in the areas of parallel computing and image processing. She developed parallel digital signal processing algorithms at Los Alamos National Laboratory, and parallel optimization algorithms and tools for the visualization and performance evaluation of parallel programs. Dr. Dykes' early training was in physical and theoretical chemistry. As an undergraduate at the University of Texas at Austin, Dr. Dykes worked on single crystal x-ray crystallography. Her master's thesis in chemistry developed a quantum mechanical model of high energy Rydberg states in dipolar molecules.