Preventing Misuse of Operator Privilege (PMOP)

摘要

This document is the final report for PMOP, a project of the DARPA/IPTO Self-Regenerative Systems (SRS) program performed by MIT and Teknowledge. Insiders are distinguished by the fact that they have been granted access to the system being defended, have been granted privileges on that system, and know how it operates. This means that traditional security mechanisms are ineffective against insiders. PMOP assumes that the insider has all the access needed for an attack, and focuses on detecting malicious behavior. Detection is based on unique sensors that monitor application-level user actions and an analyzer of the application-level user history relative to a role-based model of expected behavior that identifies both the types of behavior expected in a situation and the means for assessing the appropriateness of the behavior observed. The analyzer detects both intentional and accidental actions that harm the system. A suspicious behavior detector differentiates the two by inferring user goals and identifying plans consistent with that behavior. A level of suspicion is established by the relative degree to which the user's actions fit the role-based plans to the exclusion of the attack plans. The effects of suspected insider attacks are contained to protect the system.