Gargoyle: a network-based insider attack resilient framework for organizations

Arash Shaghaghi, Salil S. Kanhere, Mohamed Ali Kaafar, Elisa Bertino, Sanjay Jha

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › Research › peer-review

Abstract

'Anytime, Anywhere' data access model has become a widespread IT policy in organizations making insider attacks even more complicated to model, predict and deter. Here, we propose Gargoyle, a network-based insider attack resilient framework against the most complex insider threats within a pervasive computing context. Compared to existing solutions, Gargoyle evaluates the trustworthiness of an access request context through a new set of contextual attributes called Network Context Attribute (NCA). NCAs are extracted from the network traffic and include information such as the user's device capabilities, security-level, current and prior interactions with other devices, network connection status, and suspicious online activities. Retrieving such information from the user's device and its integrated sensors is challenging in terms of device performance overheads, sensor costs, availability, reliability and trustworthiness. To address these issues, Gargoyle leverages the capabilities of Software-Defined Network (SDN) for both policy enforcement and implementation. In fact, Gargoyle's SDN App can interact with the network controller to create a 'defence-in-depth' protection system. For instance, Gargoyle can automatically quarantine a suspicious data requestor in the enterprise network for further investigation or filter out an access request before engaging a data provider. Finally, instead of employing simplistic binary rules in access authorizations, Gargoyle incorporates Function-based Access Control (FBAC) and supports the customization of access policies into a set of functions (e.g., disabling copy, allowing print) depending on the perceived trustworthiness of the context. Our extensive evaluation results prove the practicality of Gargoyle with better performance metrics compared to existing solutions.

Language: English
Title of host publication: 43rd IEEE Conference on Local Computer Networks, LCN 2018
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Pages: 553-561
Number of pages: 9
Volume: 2018-October
ISBN (Electronic): 9781538644133
ISBN (Print): 9781538644140
DOIs: https://doi.org/10.1109/LCN.2018.8638245
Publication status: Published - 8 Feb 2019
Event: 43rd IEEE Conference on Local Computer Networks, LCN 2018 - Chicago, United States
Duration: 1 Oct 2018 to 4 Oct 2018

Conference

Conference: 43rd IEEE Conference on Local Computer Networks, LCN 2018
Country: United States
City: Chicago
Period: 1/10/18 to 4/10/18

Fingerprint

Sensors
Ubiquitous computing
Application programs
Access control
Availability
Controllers
Costs
Industry

Cite this

Shaghaghi, A., Kanhere, S. S., Kaafar, M. A., Bertino, E., & Jha, S. (2019). Gargoyle: a network-based insider attack resilient framework for organizations. In 43rd IEEE Conference on Local Computer Networks, LCN 2018 (Vol. 2018-October, pp. 553-561). [8638245] Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/LCN.2018.8638245
@inproceedings{d04ea6e274af4479ada08e234cf5489d,
title = "Gargoyle: a network-based insider attack resilient framework for organizations",
author = "Arash Shaghaghi and Kanhere, {Salil S.} and Kaafar, {Mohamed Ali} and Elisa Bertino and Sanjay Jha",
year = "2019",
month = "2",
day = "8",
doi = "10.1109/LCN.2018.8638245",
language = "English",
isbn = "9781538644140",
volume = "2018-October",
pages = "553--561",
booktitle = "43rd IEEE Conference on Local Computer Networks, LCN 2018",
publisher = "Institute of Electrical and Electronics Engineers (IEEE)",
address = "United States",
}
