Where can an Insider attack?

Christian W. Probst, René Rydhof Hansen, Flemming Nielson

    Research output: Chapter in Book/Report/Conference proceedingArticle in proceedingsResearchpeer-review


    By definition, an insider has better access, is more trusted, and has better information about internal procedures, high-value targets, and potential weak spots in the security, than an outsider. Consequently, an insider attack has the potential to cause significant, even catastrophic, damage to the targeted organisation. While the problem is well recognised in the security community as well as in law-enforcement and intelligence communities, the main resort still is to audit log files \$\backslash\$emph{after the fact}. There has been little research into developing models, automated tools, and techniques for analysing and solving (parts of) the problem. In this paper we first develop a formal model of systems, that can describe real-world scenarios. These high-level models are then mapped to acKlaim, a process algebra with support for access control, that is used to study and analyse properties of the modelled systems. Our analysis of processes identifies which actions may be performed by whom, at which locations, accessing which data. This allows to compute a superset of audit results---before an incident occurs.
    Original languageEnglish
    Title of host publicationWorkshop on Formal Aspects in Security and Trust (FAST 2006)
    Publication date2006
    Publication statusPublished - 2006
    Event4th International Conference on Formal Aspects in Security and Trust - Hamilton, Canada
    Duration: 26 Aug 200627 Aug 2006
    Conference number: 4


    Conference4th International Conference on Formal Aspects in Security and Trust

    Cite this