"RUU (pronounced Are You You?) is the Columbia IDS Insider Threat Detection project. The goal of the project is to create technologies aimed at monitoring and detecting malicious insider activity in the context of host based systems.

Want to help?? See our user study

Background of this Project
The problem of a malicious insider within an organization is an all too real problem. Insiders primarily include two distinct classes of users: Masqueraders and Traitors.

Masqueraders, or identity thieves, have stolen a legitimate user's credentials and misuse the victim's account for malicious purposes. A Masquerader may know a user's stolen credentials, but they may not know the user's behavior. Hence, we approach the problem by profiling user behavior and measuring in real-time any significant deviations from normal user behavior. We also seek to differentiate between malicious actions and innocent mistakes. We also approach the problem of Masquerader attack detection by modeling user intent to reveal the malicious user.

Traitors are users within an organization granted legitimate access to systems and resources but whose actions are counter to the organizations policies and interests. A traitor is assumed to have full knowledge of the local system and policies. Malicious traitors may perform arbitrary nefarious acts that may appear to be entirely normal from prior user behavior.

The technology developed under the project includes host-based sensors for profiling user behavior (for Masquerade detection), and decoy, trap-based sensors (for Traitor detection).

This project is a collaborative effort funded by the I3P organization. The I3P Human Behavior, Insider Threat and Awareness project is a joint project with 6 other universities and research organizations; funding is provided under contract from the Department of Homeland Security. Further detail about the I3P can be found HERE .

Publications
  • Malek Ben Salem and Salvatore J. Stolfo. "Detecting Masqueraders: A Comparison of One-Class Bag-of-Words User Behavior Modeling Techniques". Proceedings of the Second International Workshop on Managing Insider Security Threats, MIST'10, Morioka, Iwate, Japan. June 2010. (Best Paper Award). [PDF]
  • Brian M. Bowen, Malek Ben Salem and Salvatore J. Stolfo. "Monitoring Technologies for Mitigating Insider Threats". In Insider Threats in Cyber Security and Beyond, Springer, pp 197-218, In Print.
  • Salvatore J. Stolfo, Brian M. Bowen, and Malek Ben Salem and. "Insider Threat Defense". In Encyclopedia of Cryptography and Security (2nd Ed.), Springer, (To appear 2010).
  • Malek Ben Salem, Salvatore J. Stolfo. "Masquerade Attack Detection Using a Search-Behavior Modeling Approach". Columbia University Computer Science Department, Technical Report # cucs-027-09, 2009 [PDF]
  • Brian M. Bowen, Shlomo Hershkop, Angelos D. Keromytis, and Salvatore J. Stolfo.. "Baiting inside attackers using decoy documents". In Proceedings of the 5th International ICST Conference, SecureComm 2009, pages 5170, September 2009 [PDF]
  • Brian M. Bowen, Malek Ben Salem, Shlomo Hershkop, Angelos D. Keromytis, and Salvatore J. Stolfo.. "Designing host and network sensors to mitigate the insider threat". IEEE Security and Privacy, September 2009 [PDF]
  • Insider Attack and Cyber Security: Beyond the Hacker (Advances in Information Security) (Hardcover)
    by Salvatore Stolfo, Steven M. Bellovin, Shlomo Hershkop, Angelos D. Keromytis, Sara Sinclair , Sean W. Smith, Springer
    2008
  • Malek Ben Salem, Shlomo Hershkop, Salvatore J. Stolfo. "A Survey of Insider Attack Detection Research" in Insider Attack and Cyber Security: Beyond the Hacker, Springer, 2008 [PDF]
  • Malek Ben Salem, Salvatore J. Stolfo. "Masquerade Detection Using a Taxonomy-Based Multinomial Modeling Approach in Unix Systems". Columbia University Computer Science Department, Technical Report # cucs-021-08, 2008 [PDF]
  • Ke Wang, Salvatore J. Stolfo. "One Class Training for Masquerade Detection ". 3rd IEEE Conf Data Mining Workshop on Data Mining for Computer Security, Florida, Nov. 19, 2003 [ PDF]
Other Areas: