Trust Enhanced Security Architecture for Detecting Insider Threats

Udaya Tupakula, Vijay Varadharajan
Information & Networked Systems Security Research, Faculty of Science, Macquarie University, Sydney, Australia
{udaya.tupakula, vijay.varadharajan}@mq.edu.au

Abstract—Attacks on organization networks can be classified as external and internal attacks. For the purpose of this paper we consider that external attacks are generated by attackers or hosts outside the organization, and internal attacks are generated by malicious insiders within the organization. Insider attacks have always been challenging to deal with, as insiders have legitimate and physical access to the systems within the organization, have knowledge of the organization's networks and, more importantly, are aware of the security environment enforced within the organization. In this paper we propose novel trust enhanced security techniques to deal with the insider attack problem. Our architecture detects attacks by monitoring user activity as well as the state of the system, using trusted computing to expose and analyze suspicious behaviour. We demonstrate how an insider can exploit weaknesses in the systems to generate different attacks and how our architecture can help to prevent such attacks.

Keywords—Insider Threat; Security Architecture; Trusted Computing; Security Attacks.

I. INTRODUCTION

Today, one of the difficult tasks facing any organisation is how to deal with the insider threat problem. Issues such as grudges against other employees, failure to obtain a promotion, non-renewal of contracts and the ability to generate untraceable attacks motivate insiders [1] to attack the organization's or other employees' systems, degrade services within the organisation, and/or disclose confidential information to competitor organisations. There are several challenges for organisations to address when dealing with malicious insiders.
By definition, malicious insiders have legitimate access to the organization's systems and detailed knowledge of the internal networks and applications, as well as of the security tools installed on the various servers. Most boundary devices such as firewalls are configured to consider traffic coming from systems within the organisation to be "trusted" and traffic from external networks (such as the Internet) to be "untrusted". If this is the case, the security policies may be designed in such a way that they are not enforced on traffic originating from systems within the organisation and destined for external hosts. Such a configuration enables a malicious insider to use his machine (from within the organization) to attack other hosts or to transfer confidential information to a competitor organisation. Often there are significant policy issues to consider, such as conflicts in the provision of higher privilege access to users within an organisation. In some cases, there may be a necessity to provide higher privilege administrative access to certain users for whom security issues might be secondary (though it should not be!). For example, software developers may legitimately require administrative access to their machines as part of the software development process. In some cases, even applications such as VoipCheap may require administrative privileges for their users. Hence malicious insiders can use these reasons to request higher privileges and then use these higher privileges later to generate attacks. Furthermore, it is very common for users to use devices such as USB drives for sharing files. Hence a malicious insider can include malicious files on such shared devices to compromise multiple systems within an organisation.
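The boundary-device misconfiguration described above can be made concrete with a small policy evaluator. The following is an added example, not code from the paper or its authors: it models a zone-based firewall policy and applies two rule sets to the same constructed flow records. The first rule set trusts everything from the internal zone, so an insider's outbound file transfer on any port is allowed; the second applies explicit egress rules to internal-to-external traffic as well, so only the sanctioned services pass and everything else is denied and can be logged. The address range, zone names, rule fields and flow records are all assumptions made for the illustration.

```python
"""Egress policy check for internal-to-external flows (added example, hypothetical)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address range; anything outside it is treated as external.
INTERNAL_NET = ip_network("10.0.0.0/8")


def zone(ip: str) -> str:
    """Map an address to the zone a boundary device would assign it."""
    return "internal" if ip_address(ip) in INTERNAL_NET else "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

    @property
    def src_zone(self) -> str:
        return zone(self.src)

    @property
    def dst_zone(self) -> str:
        return zone(self.dst)


@dataclass(frozen=True)
class Rule:
    src_zone: str        # "internal", "external" or "any"
    dst_zone: str        # "internal", "external" or "any"
    proto: str           # "tcp", "udp" or "any"
    dports: frozenset    # empty set means any destination port
    action: str          # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in (flow.src_zone, "any")
                and self.dst_zone in (flow.dst_zone, "any")
                and self.proto in (flow.proto, "any")
                and (not self.dports or flow.dport in self.dports))


def evaluate(rules, flow: Flow, default: str = "deny") -> str:
    """First-match evaluation, as most packet filters do; default deny if nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Weak policy from the paper's scenario: the internal zone is "trusted", so any
# flow originating inside is allowed regardless of destination or service.
TRUSTED_INSIDE = [
    Rule("internal", "any", "any", frozenset(), "allow"),
]

# Corrected policy: egress from the internal zone is limited to web and DNS;
# every other internal-to-external flow is explicitly denied (and therefore loggable).
EGRESS_FILTERED = [
    Rule("internal", "internal", "any", frozenset(), "allow"),
    Rule("internal", "external", "tcp", frozenset({80, 443}), "allow"),
    Rule("internal", "external", "udp", frozenset({53}), "allow"),
    Rule("internal", "external", "any", frozenset(), "deny"),
]

# Constructed flow records: an internal host browsing, then pushing data out over
# SMB and FTP, an internal-to-internal file share, and an inbound SSH attempt.
FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", "tcp", 443),
    Flow("10.1.2.3", "203.0.113.10", "tcp", 445),
    Flow("10.1.2.3", "203.0.113.10", "tcp", 21),
    Flow("10.1.2.3", "10.1.5.5", "tcp", 445),
    Flow("198.51.100.7", "10.1.2.3", "tcp", 22),
]


def verdicts(rules, flows) -> list:
    """Return the action taken for each flow, in order."""
    return [evaluate(rules, f) for f in flows]


def denied_outbound(rules, flows) -> list:
    """Internal-to-external flows the policy blocks: the ones worth alerting on."""
    return [f for f in flows
            if f.src_zone == "internal" and f.dst_zone == "external"
            and evaluate(rules, f) == "deny"]


if __name__ == "__main__":
    for name, rules in (("trusted-inside", TRUSTED_INSIDE), ("egress-filtered", EGRESS_FILTERED)):
        print(name, verdicts(rules, FLOWS))
        for f in denied_outbound(rules, FLOWS):
            print(f"  would log: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Under the trusted-inside policy the outbound SMB and FTP flows are silently allowed and nothing is logged; under the egress-filtered policy both are denied and surface in `denied_outbound`, which is where an insider's transfer of confidential data to an external host would first become visible to the security administrators.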
It could be that the internal users (insiders) are deliberately malicious, whereas in other cases the internal users may simply not be security conscious and resort to installing applications without the knowledge of the security administrators and outside established procedures. Furthermore, the use of applications such as instant messaging, Skype and Facebook makes client machines more vulnerable to attacks, since malicious files can be easily distributed to other users within the organisation. Clicking links that are sent through emails or instant message services can compromise the client machines; the malicious attacker is then able to gain complete access to such machines. Although it is easy for users to identify suspicious links sent by unknown persons, there is a greater possibility that users will click on links sent by known persons within an organization. Users are likely to know other users within the organisation, as there are meetings and social events attended by all the employees. Hence there is a greater possibility that several users within the organisation will click on links or emails sent by a malicious insider. Furthermore, one of the techniques used by a malicious insider to protect his anonymity is to send suspicious links under a false identity, for instance the identity of another internal user. For example, if the malicious insider sends a link with the spoofed identity of the security administrator, there is a greater probability that the attack will succeed.

The focus of the work described in this paper is to address the problem of malicious insiders who misuse their privileges to generate attacks. We propose a novel trust

2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 978-0-7695-5022-0/13 $26.00 © 2013 IEEE, DOI 10.1109/TrustCom.2013.8, p. 552