Ben Liebald, Dan Roth, Neelay Shah and Vivek Srikumar (Authors listed alphabetically)
University of Illinois Technical Report 2007.


Insider attacks are a significant threat to IT infrastructures and are difficult to detect. The problem is exacerbated if the attacker explicitly tries to masquerade as a legitimate user and evade detection. In this paper, we describe a novel approach for detecting these attacks, where the intrusion detection system (IDS) proactively influences the user's perception of the system. The IDS does so by switching among a set of situational contexts and observing the user's reaction to these changes. This is done in a way that poses no significant problem to legitimate users, but creates difficulties for attackers that have learned the system in specific contexts, and therefore cannot improvise well enough to avoid being detected. We present a framework for a generic proactive IDS that shows promising experimental results, suggesting that this method can indeed be effective in detecting masquerade attacks in a variety of domains. We also present an implementation of this idea in a behavioral biometrics domain, where we show that making the IDS proactive enables detection of masquerades.


Bib Entry

  author = {B. Liebald, D. Roth, N. Shah and V. Srikumar},
  title = {Proactive Detection of Insider Attacks},
  number = {UIUCDCS-R-2007-2879}, 
  institution = {University of Illinois},
  year = {2007}