Effective mitigation of the insider threat in complex organizations is not simply a matter of "fire-and-forget". Thorough routines are required to minimize the chances of malicious insiders going undetected. While detecting policy violations and signatures of known-bad behavior is essential to a broader threat mitigation strategy, it is clear that behavior-based measurements, including anomaly detection and social network analysis, will be crucial to detecting technically savvy malicious users with legitimate network and data access. Because of the large number of potentially malicious behaviors users may display, the main thrust of detection falls to an analyst capable of correlating these behaviors. Based on our BANDIT system, we offer a 10-step analyst program that provides a common-sense approach to limiting the damage a malicious trusted user can achieve.
Past active Internet worms have caused widespread damage. Knowing the connection characteristics of such a worm very early in its proliferation cycle might give first responders an opportunity to intercept a global-scale epidemic. We present a scalable framework for detecting, in near real time, active Internet worms on global networks, both public and private. By aggregating the network error messages that result from failed attempts at packet delivery, we are able to infer deviant connection behavior of hosts on interconnected networks. The Internet Control Message Protocol (ICMP) provides such error notification. Using a potentially unlimited number of collectors and analyzers, we identify "blooms" of activity. The connection characteristics of these blooms are then correlated to identify worm-like behavior, and an alert is raised. Promising results have been produced with a simulated Internet worm, demonstrating that new worms can be detected within the first few minutes after release, depending on the level of participating router coverage.
In this paper we present a new server monitoring method based on a new and powerful approach to dynamic data analysis: process query systems (PQS). PQS enables user-space monitoring of servers and, by using advanced behavioral models, makes accurate and fast decisions regarding server and service state. Data to support state estimation come from multiple sensor feeds located within a server network. By post-processing a system's state estimates, it becomes possible to identify, isolate and/or restart anomalous systems, thus avoiding cross-infection or prolonged performance degradation. The PQS system we use is a generic process detection software platform. It builds on the wide variety of system-level information that past autonomic computing research has studied by implementing a highly flexible, scalable and efficient process-based analytic engine for turning raw system information into actionable system and service state estimates.
We present the results of a spectral analysis of 5 Swift XRT and UVOT observations of the BL Lac object PKS 0548-322 carried out over the period April-June 2005. The X-ray flux of this high energy peaked BL Lac (HBL) source was found to be approximately constant at a level of F(2-10 keV) ~ 4x10^-11 erg cm^-2 s^-1, a factor of 2 brighter than when observed by BeppoSAX in 1999 and close to the maximum intensity reported in the Einstein Slew Survey. The very good statistics obtained in the 0.3-10 keV Swift X-ray spectrum allowed us to detect highly significant deviations from a simple power law spectral distribution. A log-parabolic model describes the X-ray data well and gives a best fit curvature parameter of 0.18 and a peak energy in the Spectral Energy Distribution of about 2 keV. The UV spectral data from Swift UVOT join well with a power law extrapolation of the soft X-ray data points, suggesting that the same component is responsible for the observed emission in the two bands. The combination of a synchrotron peak in the X-ray band and a high intensity state confirms PKS 0548-322 as a prime target for TeV observations. X-ray monitoring and coordinated TeV campaigns are highly advisable.