DREI - Datenschutz-respektierende Erkennung von Innentätern

Motivation

The issue of insider attacks cannot be sufficiently addressed using common security solutions such as firewalls, intrusion detection systems (IDS) or anti-virus software. In addition to extensive privileges, insiders are presumed to have comprehensive and detailed knowledge of the targeted systems. They can also operate far more stealthily than external attackers: they can bypass detection and monitoring systems and hide the traces of their activities by manipulating logs. For these reasons they can remain undetected, and typical perimeter security applications installed at the network borders cannot prevent them from gaining unauthorized access.

Goals and Approaches

In order to detect insider attacks, existing Security Information and Event Management (SIEM) systems must be extended considerably. This project aims to develop a distributed security center for the detection of insider attacks within an organization. The legal conformity and the efficiency of the implemented solutions are to be examined under realistic conditions. The project consists of the following tasks:

  • Develop processes for collecting and storing security-related events in a privacy-friendly manner while preserving the possibility of revealing identities when required
  • Develop anomaly detection methods that are able to detect insider attacks based on anonymized/pseudonymized data
  • Analyze the legal constraints on privacy so that the related criteria for data examination and retention can be determined
  • Apply the identified criteria within the scope of this project

Innovation and Perspectives

The main innovation focus of DREI is the implementation of a holistic security center for the detection of insider attacks that considers both physical and IT events. The prototype of the security center developed within this project can later be integrated into existing SIEM systems and help to significantly reduce the potential damage caused by insider attackers.

Overview

Project Acronym: DREI
Project Title: DREI - Datenschutz-respektierende Erkennung von Innentätern
Duration: 07/01/2016 to 04/30/2019
Contact person: Karsten Bsufka
Sponsors: BMBF