
The goal of this thesis is not to improve upon detection methods, but rather to demonstrate a new process for handling insider threat. With that said, detection within the SAAF controller prototype is worth discussing. The SAAF prototype utilises detectors to identify known types of attack, typically focused on thresholds, which is a common approach to the detection of malicious behaviour [37, 144].

Adopting a threshold approach to detection has the advantage of clearly detecting extremes in user behaviour, as it is assumed that detection rules are formed by experts who are certain in their perception of normal and abnormal behaviour. Therefore, if user behaviour violates these rules, malicious behaviour is identified. However, it does require experts to be absolute in their decision as to what constitutes malicious behaviour, which could be seen as restrictive. In addition, if a rule is incorrect or inappropriate for the current state of the system, there is the potential for many false positives. For example, a subject that conforms to the current behaviour rules specified for their role may be assigned to a new project. As a result, their legitimate behaviour may violate those rules. Clearly a challenge for SAAF is to employ detection techniques that can evolve and accommodate such legitimate changes in behaviour.

Past approaches

In preliminary implementations of SAAF [5, 6], violations led to the immediate decision to perform an adaptation. This is problematic, as different violations may have very different impact on an organisation (e.g., a subject abusing their access rights on resource ‘X’ poses far greater impact than abuse of resource ‘Y’). Moreover, the accumulation of different behaviours may require a solution with a greater impact (e.g., the complete removal of a subject’s access) over one with a smaller impact (e.g., warning the subject or removing a single access right).

Therefore, to enable appropriate selection of solutions, SAAF’s current approach utilises cost sensitive modelling [136] to assess the impact of subject behaviour and the impact of solutions. This approach has allowed the aggregation of multiple violations before enacting an appropriate solution. Multiple occurrences of violations arguably strengthen the perception of the subject being malicious², as well as helping to judge the extent of appropriate adaptation. Lastly, through this approach, the deploying organisation has the ability to fine tune the enactment of solutions, through specification of the cost of behaviour and of solutions.

² One exception to this is if the behaviour rules specified are incorrect, which is addressed as

Triggering Adaptation from Observation of Access

In the experiments discussed, the SAAF prototype considers the metric of rate of access requests as the primary environment property for identifying malicious behaviour. Whilst this metric has been shown to be successful in identifying attacks, for it to be effective the level of access control must be fine grained. In addition, a subject’s ability to access a resource should be determined by short term (or one time use) credentials issued by their identity provider.

This presents two concerns. Firstly, if it is not possible to implement fine grained access control, a greater emphasis must be placed on resource probes. For example, a subject granted holistic ‘access’ to the empDB resource initiates an authorised session in which the subject can ‘read’, ‘write’, ‘delete’ and ‘create’ multiple times. Utilising a probe on the authorisation service alone would identify only a single access request, forgoing a large amount of information that could be used to detect attacks. In this instance, a resource probe is essential for capturing the missing information.

Secondly, if access is granted on the basis of long term credentials (e.g., a digital certificate), the ability to stop a subject’s future access is delayed until the end of the subject’s authenticated session (within their identity provider). Whilst the case study does not demonstrate the use of long term credentials, it is an important aspect to consider, as adaptation in this case requires actions (at effector level) to revoke long term credentials (e.g., revocation of a subject’s X.509 certificate and an update to a revocation list). In effect, the action must result in a resource policy enforcement point (PEP) requesting the release of a subject’s attributes (access rights) as they are updated. This can be achieved through additional effectors within the identity provider, yet it would require the resource PEPs to make use of such revocation lists; a revoked certificate that no PEP checks against the list stops nothing.

Similarly, in these experiments the prototype controller only considers successful (i.e., permitted) access when identifying malicious behaviour. This focuses adaptation on subjects’ use of the valid access rights that they own. Multiple denied requests could also indicate malicious behaviour, whereby a subject is trying to identify vulnerabilities in access control, similar to a subject scanning a network for open ports [120].
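The three detection points above (a threshold over rate of access, the blind spot of probing the authorisation service alone, and the prototype's disregard of denied requests) can be seen together in a small detector. This is an added illustration, not the thesis prototype's code: the event record, the thresholds, the `authz`/`resource` probe labels and the sample events are all constructed for this example.

```python
"""Threshold detection over access events, along the lines of the SAAF
prototype's rate-of-access metric.  Added illustration: the event format,
thresholds and sample records below are constructed for this example and
are not the thesis prototype's own code or data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int           # seconds into the observation window
    subject: str
    resource: str
    action: str      # 'access' (session grant), 'read', 'write', 'delete', 'create'
    decision: str    # 'permit' or 'deny'
    probe: str       # 'authz' (authorisation service) or 'resource' (resource probe)


# Constructed sample.  alice obtains a single holistic 'access' grant at the
# authorisation service and then performs twelve operations that only a
# resource probe observes.  bob holds legitimate rights but is repeatedly
# denied on a resource he does not own (probing for access).
EVENTS = [
    Event(0, "alice", "empDB", "access", "permit", "authz"),
    *[Event(1 + i, "alice", "empDB", "read", "permit", "resource") for i in range(8)],
    *[Event(10 + i, "alice", "empDB", "delete", "permit", "resource") for i in range(4)],
    Event(0, "bob", "empDB", "access", "permit", "authz"),
    Event(5, "bob", "empDB", "read", "permit", "resource"),
    *[Event(20 + i, "bob", "payroll", "access", "deny", "authz") for i in range(6)],
]

WINDOW = 60  # seconds; events at t >= WINDOW fall outside the current analysis


def count_per_subject(events, decision, window=WINDOW):
    """Number of events per subject with the given decision inside the window."""
    counts = defaultdict(int)
    for e in events:
        if e.t < window and e.decision == decision:
            counts[e.subject] += 1
    return dict(counts)


def detect(events, permit_threshold, deny_threshold,
           probes=("authz", "resource"), consider_denies=True):
    """Threshold rules over the events visible to the chosen probes.

    Returns a sorted list of (subject, rule, count).  Restricting `probes`
    to ('authz',) reproduces the blind spot of probing the authorisation
    service alone; `consider_denies=False` reproduces a detector that only
    looks at permitted access.
    """
    visible = [e for e in events if e.probe in probes]
    found = []
    for subject, n in sorted(count_per_subject(visible, "permit").items()):
        if n > permit_threshold:
            found.append((subject, "permit-rate", n))
    if consider_denies:
        for subject, n in sorted(count_per_subject(visible, "deny").items()):
            if n > deny_threshold:
                found.append((subject, "deny-rate", n))
    return found


if __name__ == "__main__":
    print("authz probe only:   ", detect(EVENTS, 5, 3, probes=("authz",)))
    print("permits only:       ", detect(EVENTS, 5, 3, consider_denies=False))
    print("both probes, denies:", detect(EVENTS, 5, 3))
```

With the authorisation-service probe alone, alice's thirteen permitted operations collapse into one `access` grant and she is never flagged; with denies ignored, bob's six refusals on `payroll` are invisible. Only the combination sees both. The same structure also shows the false-positive risk from the earlier discussion: the thresholds are fixed numbers, so a legitimate change in a subject's workload trips them just as an attack does.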

CHAPTER 5. SIMULATING INSIDER THREAT 158

Selecting Solutions for Adaptation

The experiment demonstrated the selection and escalation of solutions in response to detected violations. Whilst this was successful and ultimately viewed as enacting ‘appropriate’ solutions to violations, the cost sensitive modelling approach employed has several limitations.

Notably, the approach relies upon weighting solutions by a perceived cost of negative impact to an organisation, which is then compared to a perceived cost of subject activity (as conveyed by Table B.4). Although not observed within the experiment itself, there is potential for multiple solutions, in conjunction with the observed behaviour, to present identical costs (i.e., benefits) to an organisation. In SAAF’s current form, no solution would be prioritised, and by default the last solution processed (of equal measure) is selected. This strengthens the need to improve upon the cost sensitive modelling approach, so that additional criteria (beyond cost) are factored into solution selection.
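The cost-sensitive selection described in the "Past approaches" discussion (aggregating violations before escalating to a costlier solution) and the tie-breaking limitation above can be made concrete with a small selector. This is an added example and not the prototype's code: the cost figures, violation types, solution names and the `reversible` attribute used as a secondary criterion are all constructed here and do not come from the thesis's Table B.4.

```python
"""Cost-sensitive selection of an adaptation, modelled on the discussion of
SAAF's approach.  Added illustration: the cost figures, violation types,
solution set and the 'reversible' tie-break attribute are constructed for
this example; they are not the thesis's Table B.4 nor the prototype's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Solution:
    name: str
    cost: int          # perceived negative impact on the organisation of enacting it
    reversible: bool   # hypothetical secondary criterion used only to break ties


# Constructed solution set, least to most impactful.  Two solutions share a
# cost on purpose, to expose the tie the text describes.
SOLUTIONS = [
    Solution("warn_subject", cost=1, reversible=True),
    Solution("remove_single_right", cost=3, reversible=True),
    Solution("revoke_credential", cost=3, reversible=False),
    Solution("remove_all_access", cost=8, reversible=False),
]

# Constructed perceived cost of a subject's behaviour, per (violation, resource).
VIOLATION_COST = {
    ("after_hours", "empDB"): 1,
    ("rate", "empDB"): 4,
    ("rate", "payroll"): 6,
}


def aggregate_cost(violations):
    """Sum the perceived cost of a subject's accumulated violations; several
    violations together justify a stronger solution than any one alone."""
    return sum(VIOLATION_COST.get(v, 0) for v in violations)


def justified(behaviour_cost, solutions=SOLUTIONS):
    """Solutions whose cost to the organisation does not exceed the cost of
    the behaviour they respond to."""
    return [s for s in solutions if s.cost <= behaviour_cost]


def select_last_of_equals(behaviour_cost, solutions=SOLUTIONS):
    """Prototype behaviour described in the text: minimise the unmitigated
    cost (behaviour cost minus solution cost); on a tie, the last solution
    processed wins because of the '<=' comparison."""
    best, best_remaining = None, None
    for s in justified(behaviour_cost, solutions):
        remaining = behaviour_cost - s.cost
        if best_remaining is None or remaining <= best_remaining:
            best, best_remaining = s, remaining
    return best


def select_with_tiebreak(behaviour_cost, solutions=SOLUTIONS):
    """Same cost rule, but ties are resolved by an explicit secondary
    criterion (prefer reversible solutions, then a stable name order)."""
    cands = justified(behaviour_cost, solutions)
    if not cands:
        return None   # behaviour not yet costly enough to justify any adaptation
    return min(cands, key=lambda s: (behaviour_cost - s.cost, not s.reversible, s.name))


def escalate(violation_sequence, select=select_with_tiebreak):
    """Re-select after each new violation, returning the chosen solution names.
    Shows aggregation: later violations escalate to stronger solutions."""
    chosen, seen = [], []
    for v in violation_sequence:
        seen.append(v)
        s = select(aggregate_cost(seen))
        chosen.append(s.name if s else None)
    return chosen


if __name__ == "__main__":
    print(select_last_of_equals(4).name, "vs", select_with_tiebreak(4).name)
    print(escalate([("after_hours", "empDB"), ("rate", "empDB"), ("rate", "payroll")]))
```

At a behaviour cost of 4, `remove_single_right` and `revoke_credential` present the same benefit; the prototype-style selector returns whichever was processed last, while the tie-breaking selector returns the reversible one. The `escalate` run shows aggregation doing its job: a low-cost after-hours violation alone yields a warning, a rate violation on top of it justifies removing a right, and a further violation on `payroll` justifies removing all access.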

Bottlenecks in Adaptation

One property not exemplified by the discussed experiments is the presence of bottlenecks. Given that this implementation of SAAF is a prototype, a notable deficiency in its design is its inability to consider multiple violations during a single iteration of its feedback loop. If violations are detected during the prototype’s current analysis of behaviour, they are queued and then analysed, planned and executed one at a time. The result is an increased response time in mitigating the behaviour so identified, together with failed or redundant adaptations where a previous adaptation has already resolved the violation.

This is a general challenge facing self-adaptive systems: a self-adaptive system should address how to handle change whilst it is already responding to previous change. In regards to SAAF, it is necessary for future refinements to group and analyse violations at every step within its feedback loop (as demonstrated by the Rainbow Framework [53]), reviewing any updates to the state of access and the detected violations prior to mitigation. Adaptation time is still likely to increase. However, this would allow SAAF to make more informed decisions and avoid enacting redundant adaptations.
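The bottleneck and its proposed refinement can be simulated side by side: one loop that drains the queue sequentially, as the prototype does, and one that groups the iteration's violations per subject and resource and re-checks the live access state before executing. This is an added example, not the prototype's code; the access state, the violation queue and the single "revoke the abused right" adaptation are constructed for the illustration.

```python
"""Handling several violations detected in one iteration of the feedback
loop.  Added illustration of the bottleneck described in the text; the
access state, violation queue and single 'revoke the abused right'
adaptation are constructed for this example and are not the prototype's
code."""


class AccessState:
    """Current access rights: subject -> set of resources it may use."""

    def __init__(self, rights):
        self.rights = {s: set(r) for s, r in rights.items()}

    def holds(self, subject, resource):
        return resource in self.rights.get(subject, set())

    def revoke(self, subject, resource):
        """Effector.  Returns True if access changed, False if the right
        was already gone (a redundant adaptation)."""
        if self.holds(subject, resource):
            self.rights[subject].discard(resource)
            return True
        return False


# Constructed starting state and a queue of violations all detected during
# one analysis pass: alice trips three rules on the same resource, bob one,
# and carol's violation concerns a right she no longer holds.
INITIAL_RIGHTS = {
    "alice": {"empDB", "projectWiki"},
    "bob": {"empDB", "payroll"},
    "carol": {"empDB"},
}
QUEUE = [
    ("alice", "rate", "empDB"),
    ("alice", "rate", "empDB"),
    ("alice", "after_hours", "empDB"),
    ("bob", "rate", "payroll"),
    ("carol", "rate", "payroll"),
]


def sequential_loop(state, queue):
    """Prototype behaviour: each queued violation is analysed, planned and
    executed on its own, without looking at what earlier items changed."""
    enacted = redundant = 0
    for subject, _kind, resource in queue:
        if state.revoke(subject, resource):   # plan + execute
            enacted += 1
        else:
            redundant += 1
    return {"enacted": enacted, "redundant": redundant}


def grouped_loop(state, queue):
    """Refinement: group the iteration's violations per (subject, resource),
    then re-check the live state immediately before executing each plan."""
    groups = {}
    for subject, kind, resource in queue:
        groups.setdefault((subject, resource), []).append(kind)
    enacted = redundant = skipped = 0
    for (subject, resource), kinds in groups.items():
        if not state.holds(subject, resource):
            skipped += 1            # already resolved; no adaptation planned
            continue
        if state.revoke(subject, resource):
            enacted += 1
        else:
            redundant += 1          # only if state changed underneath us
    return {"enacted": enacted, "redundant": redundant, "skipped": skipped}


def compare():
    """Run both loops from the same starting state; returns their outcome
    summaries and whether they converge on the same final access state."""
    s1, s2 = AccessState(INITIAL_RIGHTS), AccessState(INITIAL_RIGHTS)
    r1, r2 = sequential_loop(s1, QUEUE), grouped_loop(s2, QUEUE)
    return r1, r2, s1.rights == s2.rights


if __name__ == "__main__":
    print(compare())
```

Both loops end in the same access state, so the sequential version is not wrong, only wasteful: three of its five adaptations are redundant, each one a full analyse, plan and execute pass against rights that an earlier item already removed. The grouped version plans once per subject and resource and skips carol's stale violation outright because the re-check finds nothing left to revoke; the grouping step is the extra work the text anticipates when it says adaptation time is still likely to increase.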
