Network Reconnaissance - With increasing number of data thefts courtesy of new and complex attack mechanisms being used everyday, declaring the internet as unsafe would be the understatement of the century. For current security experts the scenario is equivalent to an endless cat-and-mouse game across a constantly changing landscape. Hence relying on firewalls and anti-virus softwares is like trying to fight a modern, well-equipped army using sticks and stones. All that an attacker needs to successfully breach our system is the right social networking or the right malware used like a packing or encoding technique that our tools won’t detect. Therefore it is the need of the hour to shift our focus beyond edge defense, which largely involves validating the tools, and move towards identification of a breach followed by an appropriate response. This is achieved by implementing an ethereal network which is an end-to-end host and network approach that can actually scale as well as provide true breach detection. The objective is not just blocking; it is significant time reduction. When mundane methods involving firewalls and antiviruses fail, we need to determine what happened and respond. Any industry report uses the term weeks, months, and even years to determine the time of response, which is not good enough. Our goal is to bring it down to hours. We are talking about dramatic time reduction to improve our response, hence an effective breach detection approach is mandatory. A MHN (Modern Honey Network) with a honeypot system has been used to make management and deployment easier and to secure the honeypots. We have used various honeypots such as Glastopf, Dionaea honeypots, Kippo. The dubious activity will be recorded and the attacks details detected in MHN server. The final part of our research is reconnaissance. Since it can be awfully complicated we simplify the process by having our main focus on reconnaissance. Because if a malware or an insider threat breaks into something, they don’t know what they now have access to. This makes them feel the need to do reconnaissance. So, focusing on that behaviour provides us a simple way to determine that we have some unusual activity - whether it is an IOT device that has been compromised or whatever it may be, that has breached our network. Finally we deploy MHN, deploy Dionaea, Kippo, Snort honeypots and Splunk integration for analyzing the captured attacks which reveals the service port under attack and the source IP address of the attacker.

Insider Threat - Compare to outside threats, insider threats that originate within targeted systems are more destructive and invisible. More importantly, it is more difficult to detect and mitigate these insider threats, which poses significant cyber security challenges to an industry control system (ICS) tightly coupled with today’s information technology infrastructure. Currently, power utilities rely mainly on the authentication mechanism to prevent insider threats. If an internal intruder breaks the protection barrier, it is hard to identify and intervene in time to prevent harmful damage. Based on the existing in-depth security defense system, this paper proposes an insider threat protection scheme for ICSs of power utilities. This protection scheme can conduct compliance check by taking advantage of the characteristics of its business process compliance and the nesting of upstream and downstream business processes. Taking the Advanced Metering Infrastructures (AMIs) in power utilities as an example, the potential insider threats of violation and misoperation under the current management mechanism are identified after the analysis of remote charge control operation. According to the business process, a scheme of compliance check for remote charge control command is presented. Finally, the analysis results of a specific example demonstrate that the proposed scheme can effectively prevent the consumers’ power outage due to insider threats.

Insider Threat - Insider threats have high risk and concealment characteristics, which makes traditional anomaly detection methods less effective in insider threat detection. Existing detection methods ignore the logical relationship between user behaviors and the consistency of behavior sequences among homogeneous users, resulting in poor model effects. We propose an insider threat detection method based on internal user heterogeneous graph embedding. Firstly, according to the characteristics of CERT data, comprehensively consider the relationship between users, the time sequence, and logical relationship, and construct a heterogeneous graph. In the second step, according to the characteristics of heterogeneous graphs, the embedding learning of graph nodes is carried out according to random walk and Word2vec. Finally, we propose an Insider Threat Detection Design (ITDD) model which can map and the user behavior sequence information into a high-dimensional feature space. In the CERT r5.2 dataset, compared with a variety of traditional machine learning methods, the effect of our method is significantly better than the final result.

Insider Threat - Web services are growing demand with fundamental advancements and have given more space to researchers for improving security of all real world applications. Accessing and get authenticated in many applications on web services, user discloses their password and other privacy data to the server for authentication purposes. These shared information should be maintained by the server with high security, otherwise it can be used for illegal purposes for any authentication breach. Protecting the applications from various attacks is more important. Comparing the security threats, insider attacks are most challenging to identify due to the fact that they use the authentication of legitimate users and their privileges to access the application and may cause serious threat to the application. Insider attacks has been studied in previous researchers with different security measures, however there is no much strong work proposed. Various security protocols were proposed for defending insider attackers. The proposed work focused on insider attack protection through Elgamal cryptography technique. The proposed work is much effective on insider attacks and also defends against various attacks. The proposed protocol is better than existing works. The key computation cost and communication cost is relatively low in this proposed work. The proposed work authenticates the application by parallel process of two way authentication mechanism through Elgamal algorithm.

Insider Threat - Among the greatest obstacles in cybersecurity is insider threat, which is a well-known massive issue. This anomaly shows that the vulnerability calls for specialized detection techniques, and resources that can help with the accurate and quick detection of an insider who is harmful. Numerous studies on identifying insider threats and related topics were also conducted to tackle this problem are proposed. Various researches sought to improve the conceptual perception of insider risks. Furthermore, there are numerous drawbacks, including a dearth of actual cases, unfairness in drawing decisions, a lack of self-optimization in learning, which would be a huge concern and is still vague, and the absence of an investigation that focuses on the conceptual, technological, and numerical facets concerning insider threats and identifying insider threats from a wide range of perspectives. The intention of the paper is to afford a thorough exploration of the categories, levels, and methodologies of modern insiders based on machine learning techniques. Further, the approach and evaluation metrics for predictive models based on machine learning are discussed. The paper concludes by outlining the difficulties encountered and offering some suggestions for efficient threat identification using machine learning.

Insider Threat - In recent years, data security incidents caused by insider threats in distributed file systems have attracted the attention of academia and industry. The most common way to detect insider threats is based on user profiles. Through analysis, we realize that based on existing user profiles are not efficient enough, and there are many false positives when a stable user profile has not yet been formed. In this work, we propose personalized user profiles and design an insider threat detection framework, which can intelligently detect insider threats for securing distributed file systems in real-time. To generate personalized user profiles, we come up with a time window-based clustering algorithm and a weighted kernel density estimation algorithm. Compared with non-personalized user profiles, both the Recall and Precision of insider threat detection based on personalized user profiles have been improved, resulting in their harmonic mean F1 increased to 96.52\%. Meanwhile, to reduce the false positives of insider threat detection, we put forward operation recommendations based on user similarity to predict new operations that users will produce in the future, which can reduce the false positive rate (FPR). The FPR is reduced to 1.54\% and the false positive identification rate (FPIR) is as high as 92.62\%. Furthermore, to mitigate the risks caused by inaccurate authorization for users, we present user tags based on operation content and permission. The experimental results show that our proposed framework can detect insider threats more effectively and precisely, with lower FPR and high FPIR.

Insider Threat - A malicious insider threat is more vulnerable to an organization. It is necessary to detect the malicious insider because of its huge impact to an organization. The occurrence of a malicious insider threat is less but quite destructive. So, the major focus of this paper is to detect the malicious insider threat in an organization. The traditional insider threat detection algorithm is not suitable for real time insider threat detection. A supervised learning-based anomaly detection technique is used to classify, predict and detect the malicious and non-malicious activity based on highest level of anomaly score. In this paper, a framework is proposed to detect the malicious insider threat using supervised learning-based anomaly detection. It is used to detect the malicious insider threat activity using One-Class Support Vector Machine (OCSVM). The experimental results shows that the proposed framework using OCSVM performs well and detects the malicious insider who obtain huge anomaly score than a normal user.

Insider Threat - This paper deals with how to implement a system that extends insider threat behavior data using private blockchain technology to overcome the limitations of insider threat datasets. Currently, insider threat data is completely undetectable in existing datasets for new methods of insider threat due to the lack of insider threat scenarios and abstracted event behavior. Also, depending on the size of the company, it was difficult to secure a sample of data with the limit of a small number of leaks among many general users in other organizations. In this study, we consider insiders who pose a threat to all businesses as public enemies. In addition, we proposed a system that can use a private blockchain to expand insider threat behavior data between network participants in real-time to ensure reliability and transparency.

Insider Threat - This paper discusses the outcome of combining insider threat agent taxonomies with the aim of enhancing insider threat detection. The objectives sought to explore taxonomy combinations and investigate threat sophistication from the taxonomy combinations. Investigations revealed the plausibility of combining the various taxonomy categories to derive a new taxonomy. An observation on category combinations yielded the introduction of the concept of a threat path. The proposed taxonomy tree consisted of more than a million threat-paths obtained using a formula from combinatorics analysis. The taxonomy category combinations thus increase the insider threat landscape and hence the gap between insider threat agent sophistication and countermeasures. On the defensive side, knowledge of insider threat agent taxonomy category combinations has the potential to enhance defensive countermeasure tactics, techniques and procedures, thus increasing the chances of insider threat detection.

Insider Threat - Insider threats are steadily increasing, and the damage is also enormous. To prevent insider threats, security solutions, such as DLP, SIEM, etc., are being steadily developed. However, they have limitations due to the high rate of false positives. In this paper, we propose a data analysis method and methodology for responding to a technology leak incident. The future study may be performed based on the proposed methodology.

Data leakage by employees is a matter of concern for companies and organizations today. Previous studies have shown that existing Data Leakage Protection (DLP) systems on the market, the more secure they are, the more intrusive and tedious they are to work with. This paper proposes and assesses the implementation of four technologies that enable the development of secure file systems for insider threat-focused, low-intrusive and user-transparent DLP tools. Two of these technologies are configurable features of the Windows operating system (Minifilters and Server Message Block), the other two are virtual file systems (VFS) Dokan and WinFsp, which mirror the real file system (RFS) allowing it to incorporate security techniques. In the assessment of the technologies, it was found that the implementation of VFS was very efficient and simple. WinFsp and Dokan presented a performance of 51% and 20% respectively, with respect to the performance of the operations in the RFS. This result may seem relatively low, but it should be taken into account that the calculation includes read and write encryption and decryption operations as appropriate for each prototype. Server Message Block (SMB) presented a low performance (3%) so it is not considered viable for a solution like this, while Minifilters present the best performance but require high programming knowledge for its evolution. The prototype presented in this paper and its strategy provides an acceptable level of comfort for the user, and a high level of security.

Critical infrastructure is a key area in cybersecurity. In the U.S., it was front and center in 1997 with the report from the President’s Commission on Critical Infrastructure Protection (PCCIP), and now affects countries worldwide. Critical Infrastructure Protection must address all types of cybersecurity threats - insider threat, ransomware, supply chain risk management issues, and so on. Unsurprisingly, in the past 25 years, the risks and incidents have increased rather than decreased and appear in the news daily. As an important component of critical infrastructure protection, secure supply chain risk management must be integrated into development projects. Both areas have important implications for security requirements engineering.

Smart cities deploy large numbers of sensors and collect a tremendous amount of data from them. For example, Advanced Metering Infrastructures (AMIs), which consist of physical meters that collect usage data about public utilities such as power and water, are an important building block in a smart city. In a typical sensor network, the measurement devices are connected through a computer network, which exposes them to cyber attacks. Furthermore, the data is centrally managed at the operator’s servers, making it vulnerable to insider threats.Our goal is to protect the integrity of data collected by large-scale sensor networks and the firmware in measurement devices from cyber attacks and insider threats. To this end, we first develop a comprehensive threat model for attacks against data and firmware integrity, which can target any of the stakeholders in the operation of the sensor network. Next, we use our threat model to analyze existing defense mechanisms, including signature checks, remote firmware attestation, anomaly detection, and blockchain-based secure logs. However, the large size of the Trusted Computing Base and a lack of scalability limit the applicability of these existing mechanisms. We propose the Feather-Light Blockchain Infrastructure (FLBI) framework to address these limitations. Our framework leverages a two-layer architecture and cryptographic threshold signature chains to support large networks of low-capacity devices such as meters and data aggregators. We have fully implemented the FLBI’s end-to-end functionality on the Hyperledger Fabric and private Ethereum blockchain platforms. Our experiments show that the FLBI is able to support millions of end devices.