† The preliminary version of this paper was published in the proceedings of the ACM Workshop on Insider Threats, Chicago, IL, 8 October 2010.
Special Issue Paper
Enhancing directory virtualization to detect insider activity†
Article first published online: 23 AUG 2011
Copyright © 2011 John Wiley & Sons, Ltd.
Security and Communication Networks
Special Issue: Defending Against Insider Threats and Internal Data Leakage
Volume 5, Issue 8, pages 873–886, August 2012
How to Cite
Claycomb, W., Shin, D. and Ahn, G.-J. (2012), Enhancing directory virtualization to detect insider activity. Security Comm. Networks, 5: 873–886. doi: 10.1002/sec.362
- Issue published online: 25 JUL 2012
- Manuscript Accepted: 2 JUN 2011
- Manuscript Revised: 8 APR 2011
- Manuscript Received: 1 SEP 2010
- National Science Foundation. Grant Numbers: NSF-IIS-0916875, NSF-IIS-0900970, NSF-CNS-0831360
Keywords
- virtual directories;
- insider threat;
Insider threat remains one of the critical yet unresolved issues in computer security, and it often exploits security services that depend on directory services, such as authentication and access control. Detecting these threats is difficult because malicious users with the technical ability to leverage these services usually also have the knowledge and expertise to conceal unauthorized activity. In this article, we present an approach that uses directory virtualization to monitor systems across an enterprise in order to detect malicious insider activity. Specifically, we propose a policy engine that leverages directory virtualization services to enhance monitoring and detection by allowing greater flexibility in analyzing directory changes for malicious intent. The resulting architecture is a system-based approach in which the relationships and dependencies between data sources and directory services, rather than isolated point solutions, are used to detect an insider threat. The paper presents the architecture in detail, including implementation results.
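To make the abstract's idea concrete, the following is an added illustration (not code from the paper or its authors) of a policy engine that evaluates directory change events against a virtual directory view joining two sources. The sources (an HR system and a directory service), the account and group names, the four rules and the change events are all constructed assumptions for this example; the paper's own rules and data model are described in the article itself.

```python
"""Added example: a toy policy engine over a virtual directory view.

The "virtual directory" joins a directory service entry (accounts, groups,
enabled flag) with its HR record by employee ID, so that rules can reason
about the relationship between the two sources rather than each in isolation.
All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed HR source, keyed by employee ID.
HR_RECORDS = {
    "1001": {"name": "Alice", "status": "active", "department": "finance"},
    "1002": {"name": "Bob", "status": "terminated", "department": "it"},
    "1003": {"name": "Admin One", "status": "active", "department": "it"},
}

# Constructed directory source (LDAP/AD-like), keyed by account name.
DIRECTORY = {
    "alice": {"employee_id": "1001", "enabled": True, "groups": {"finance-users"}},
    "bob": {"employee_id": "1002", "enabled": False, "groups": {"it-users"}},
    "admin1": {"employee_id": "1003", "enabled": True, "groups": {"directory-admins"}},
    "svc-backup": {"employee_id": None, "enabled": False, "groups": {"backup-ops"}},
}

# Assumed set of groups whose membership confers elevated privilege.
PRIVILEGED_GROUPS = {"domain-admins", "backup-ops"}


@dataclass
class Change:
    actor: str        # account that made the change
    target: str       # directory entry that was changed
    attribute: str    # e.g. "enabled" or "groups"
    old: object
    new: object


@dataclass
class Alert:
    rule: str
    change: Change
    detail: str


def virtual_view(account: str) -> dict:
    """Return the directory entry joined with its HR record (the virtual view)."""
    entry = DIRECTORY.get(account)
    if entry is None:
        return {}
    hr = HR_RECORDS.get(entry["employee_id"]) if entry["employee_id"] else None
    return {**entry, "hr": hr}


# Each rule takes (change, joined view of the target) and returns a detail
# string when it fires, or None.
def rule_enable_terminated(change, view):
    """Enabling an account whose HR record is not active."""
    hr = view.get("hr")
    if change.attribute == "enabled" and change.new is True and hr is not None:
        if hr["status"] != "active":
            return f"account enabled for employee with HR status '{hr['status']}'"
    return None


def rule_privileged_group_added(change, view):
    """Membership added to a privileged group."""
    if change.attribute == "groups":
        priv = (set(change.new) - set(change.old)) & PRIVILEGED_GROUPS
        if priv:
            return f"added to privileged group(s) {sorted(priv)}"
    return None


def rule_orphan_account(change, view):
    """Enabling an account that has no HR record at all."""
    if change.attribute == "enabled" and change.new is True and view.get("hr") is None:
        return "enabled account has no corresponding HR record"
    return None


def rule_self_modification(change, view):
    """A directory administrator changing their own entry."""
    if change.actor == change.target:
        return "actor modified their own directory entry"
    return None


RULES = [rule_enable_terminated, rule_privileged_group_added,
         rule_orphan_account, rule_self_modification]


def evaluate(changes):
    """Run every rule over every change against the pre-change virtual view."""
    alerts = []
    for ch in changes:
        view = virtual_view(ch.target)
        for rule in RULES:
            detail = rule(ch, view)
            if detail:
                alerts.append(Alert(rule.__name__, ch, detail))
    return alerts


# Constructed change feed, as a virtual directory's change log might deliver it.
SAMPLE_CHANGES = [
    Change("admin1", "bob", "enabled", False, True),
    Change("admin1", "alice", "groups", {"finance-users"},
           {"finance-users", "domain-admins"}),
    Change("admin1", "svc-backup", "enabled", False, True),
    Change("admin1", "admin1", "groups", {"directory-admins"},
           {"directory-admins", "domain-admins"}),
    Change("admin1", "alice", "groups", {"finance-users"},
           {"finance-users", "finance-reports"}),   # benign: no alert
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_CHANGES):
        print(f"[{a.rule}] {a.change.actor} -> {a.change.target}: {a.detail}")
```

The point of the join is that none of the first three rules can be evaluated from the directory service alone: whether an enable operation is suspicious depends on the HR status (or absence) of the linked employee, which is exactly the cross-source dependency the abstract describes. A real deployment would consume changes from the virtual directory's change log rather than a hard-coded list, and would add context the paper discusses, such as who is authorized to make a given change.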