TY - GEN
T1 - Identifying compromised users in shared computing infrastructures
T2 - 2011 30th IEEE International Symposium on Reliable Distributed Systems, SRDS 2011
AU - Pecchia, Antonio
AU - Sharma, Aashish
AU - Kalbarczyk, Zbigniew
AU - Cotroneo, Domenico
AU - Iyer, Ravishankar K.
PY - 2011
Y1 - 2011
N2 - The growing demand for processing and storage capabilities has led to the deployment of high-performance computing infrastructures. Users log into the computing infrastructure remotely, over the public network, by providing their credentials (e.g., username and password) through well-established authentication protocols such as SSH. However, user credentials can be stolen, and an attacker using a stolen credential can masquerade as the legitimate user and penetrate the system as an insider. This paper deals with security incidents initiated with stolen credentials that occurred during the last three years at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. We analyze the key characteristics of the security data produced by the monitoring tools during the incidents and use a Bayesian network approach to correlate (i) data provided by different security tools (e.g., IDS and Net Flows) and (ii) information related to the users' profiles, in order to identify compromised users, i.e., users whose credentials have been stolen. The technique is validated with real incident data. The experimental results demonstrate that the proposed approach is effective in detecting compromised users while eliminating around 80% of false positives (i.e., a non-compromised user being declared compromised).
AB - The growing demand for processing and storage capabilities has led to the deployment of high-performance computing infrastructures. Users log into the computing infrastructure remotely, over the public network, by providing their credentials (e.g., username and password) through well-established authentication protocols such as SSH. However, user credentials can be stolen, and an attacker using a stolen credential can masquerade as the legitimate user and penetrate the system as an insider. This paper deals with security incidents initiated with stolen credentials that occurred during the last three years at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. We analyze the key characteristics of the security data produced by the monitoring tools during the incidents and use a Bayesian network approach to correlate (i) data provided by different security tools (e.g., IDS and Net Flows) and (ii) information related to the users' profiles, in order to identify compromised users, i.e., users whose credentials have been stolen. The technique is validated with real incident data. The experimental results demonstrate that the proposed approach is effective in detecting compromised users while eliminating around 80% of false positives (i.e., a non-compromised user being declared compromised).
KW - Bayesian network
KW - correlation
KW - credential stealing
KW - intrusion detection
KW - security
UR - http://www.scopus.com/inward/record.url?scp=83155160991&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=83155160991&partnerID=8YFLogxK
U2 - 10.1109/SRDS.2011.24
DO - 10.1109/SRDS.2011.24
M3 - Conference contribution
AN - SCOPUS:83155160991
SN - 9780769544502
T3 - Proceedings of the IEEE Symposium on Reliable Distributed Systems
SP - 127
EP - 136
BT - Proceedings - 2011 30th IEEE International Symposium on Reliable Distributed Systems, SRDS 2011
Y2 - 4 October 2011 through 7 October 2011
ER -