Accession Number : ADA546464

Title : Combining Trust and Behavioral Analysis to Detect Security Threats in Open Environments

Descriptive Note : Conference paper

Corporate Author : SONALYSTS INC WATERFORD CT

Personal Author(s) : McCusker, Owen ; Glanfield, Joel ; Brunza, Scott ; Gates, Carrie ; McHugh, John ; Paterson, Diana

Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/a546464.pdf

Report Date : Nov 2010

Pagination or Media Count : 23

Abstract : Open computing environments are under a deluge of network attacks from complex threats. These threats are distributed, decentralized, dynamic, and operate over multiple timescales. Trusted Computing environments provide a means to manage cryptographic identity and authentication operations in the form of static assertions, but were not developed to provide complete end-to-end security for heterogeneous environments such as the NATO Architecture Framework (NAF). There is a gap in the contextual understanding of trust that reaches beyond identity to the behavior of that identity. The challenge in deriving trust, and ultimately risk, from network behavior is that it is inherently subjective compared to identity. Trust is defined as the assured reliance on the character, ability, strength, or truth of someone or something. When we trust a person there is the notion of identity. Structural identity alone cannot be used to define a measure of an entity's trust; behavior must be taken into account. Trust then becomes a layered concept. In assessing the trustworthiness of an entity, a cyber defense strategy should take into account various signals regarding identity and behavior that promote attestation of a digital self and non-self. We describe a model and approach through which a detection capability can derive trust, and rate the trustworthiness of hosts, based on aggregated network behaviors. This approach is rooted in the context of a global/enterprise identity management and cryptographic key management (IdM/CKM) system, which serves as a bridge between the sensor network and the user/administrator/ISP. It offers a mechanism for aggregated behavioral analysis of network flow data. Our unique view into network behaviors can be used to provide a basis for a language to define the various behaviors that threats exhibit over time. We conclude that a more formal model of trust is needed that couples identity with behavior, along with the identity of the user of a computer.

Descriptors : *COMPUTER NETWORK SECURITY ; IDENTIFICATION ; THREAT EVALUATION ; NETWORK FLOWS ; RISK MANAGEMENT ; SYMPOSIA ; BEHAVIOR

Subject Categories : Computer Programming and Software ; Computer Systems ; Computer Systems Management and Standards ; Cybernetics

Distribution Statement : APPROVED FOR PUBLIC RELEASE