Where can an Insider attack?

Christian W. Probst, Rene Rydhoff Hansen, Flemming Nielson

Abstract: By definition, an insider has better access, is more trusted, and
has better information about internal procedures, high-value
targets, and potential weak spots in the security, than an outsider.
Consequently, an insider attack has the potential to cause
significant, even catastrophic, damage to the targeted
organisation.
While the problem is well recognised in the security community as
well as in law-enforcement and intelligence communities, the main
resort still is to audit log files after the fact. There has
been little research into developing models, automated tools, and
techniques for analysing and solving (parts of) the problem.

In this paper we first develop a formal model of systems that can
describe real-world scenarios. These high-level models are then
mapped to acKlaim, a process algebra with support for access
control, that is used to study and analyse properties of the
modelled systems. Our analysis of processes identifies which
actions may be performed by whom, at which locations, accessing
which data. This allows computing a superset of audit
results, before an incident occurs.
Keywords: process calculus, insider threat, system modelling, static analysis
Type: Conference paper [With referee]
Conference: Workshop on Formal Aspects in Security and Trust (FAST 2006)
Year: 2006, Month: August
IMM Group(s): Computer Science & Engineering