Molehunt: near-line semantic activity tracing

Wolthusen, Stephen D.

doi:10.1109/iaw.2005.1495981

Cited by 2 publications

(4 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The storage can be allocated on any file system, but to retain the invisibility of the system to the user, this is best achieved by allocating one or more separate file systems to it and hiding it (at the level of the file system filter driver) from the remainder of the operating system, and hence from both observation and manipulation by users and application programs. For reasons of performance (since the mechanism makes use of the VM architecture), it is desirable to locate these shadowing volumes on local storage (see Wolthusen [1] for a discussion of performance benchmarks).…”

Section: File Shadowing Mechanismmentioning

confidence: 99%

“…The mechanisms for interposition of an interception mechanism (with additional transparent in-line proxying for HTTPS (TLS) connections) have been described elsewhere [5,6]; by inserting kernel modules and driver components at several locations within the Windows NT network protocol stack, all inbound and outbound network traffic can be observed transparently without affecting application programs -for a discussion of the specific adaptations required for extracting sensor data refer to Wolthusen [1].…”

Section: Network Stack Instrumentationmentioning

confidence: 99%

“…Based on earlier research [1], we argue that in such cases it will often be acceptable and desirable to employ only minimal (or otherwise feasible) security controls, but to augment these controls with an audit mechanism which in turn is coupled both with a behavioural anomaly detection mechanism and with forensic capabilities. For legitimate usage that is typically clustered around a selected number of tasks with limited deviations, this can direct the attention of security administrators to anomalous behaviour without requiring excessive initial and ongoing policy definition and implementation efforts.…”

Section: Introductionmentioning

confidence: 98%

See 2 more Smart Citations

Automated extraction of behavioural profiles from document usage

Wolthusen¹

2007

BT Technol J

View full text Add to dashboard Cite

Both human analysts and particularly automated tool suites are capable of deriving sensitive information and conclusions from collections of data items that individually cannot be considered critical or sensitive. This activity of analysing and correlating material that is not immediately related is, in fact, highly desirable in many application areas and cannot be controlled precisely in advance. The decision whether a program or an analyst is performing searches and correlations beyond the scope of his authorisation or current mission can frequently be determined only ex post based on a heuristic analysis of documents accessed. In this paper we describe a mechanism for the instrumentation of operating systems to obtain information on the documents and resources accessed by arbitrary processes. Such a mechanism could be an important component of the infrastructure of an operational risk management system, generating an audit trail for compliance and forensic investigation, and acting as a sensor generating data for analysis. Addressing the latter application, the paper also outlines an approach for extracting textual information and metadata from accessed documents, regardless of the application program and workflow mechanisms used, without unduly impeding either workflows or operator performance. This information can then be subjected to an heuristic analysis based on natural language processing to extract the semantic context of each document or segment. Clustering this content and extracting the conceptual patterns that a user has accessed can then allow abnormal behaviour to be identified. This can then be refined further to determine heuristically whether the authorised remit of the user has been breached and whether an investigation is warranted. We argue that the risk of misbehaviour can be reduced while at the same time increasing productivity. This is made possible by enhancing the degree of freedom for individual users to act in the interest of their mission objectives and at the same time providing automated mechanisms for analysing user behaviour

show abstract

Section: File Shadowing Mechanismmentioning

confidence: 99%

Section: Network Stack Instrumentationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 98%

See 1 more Smart Citation

Automated extraction of behavioural profiles from document usage

Wolthusen¹

2007

BT Technol J

View full text Add to dashboard Cite

show abstract

“…Core elements of the implementation mechanisms used on the Microsoft Windows NT/XP platform have been described in earlier publications [24,23]. In addition to administrative functions for generating and maintaining capability lists (which are beyond the scope of this paper), the implementation mechanism consists of two extensions to the base OS.…”

Section: Implementation Aspectsmentioning

confidence: 99%