Date of Award
6-14-2012
Document Type
Thesis
Degree Name
Master of Science
Department
Department of Electrical and Computer Engineering
First Advisor
Gilbert L. Peterson, PhD.
Abstract
Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user's workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests.
AFIT Designator
AFIT-GCO-ENG-12-15
DTIC Accession Number
ADA562792
Recommended Citation
Crawford, Martin H., "Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection" (2012). Theses and Dissertations. 1098.
https://scholar.afit.edu/etd/1098