research-article

Behavioral Study of Users When Interacting with Active Honeytokens

Published: 09 February 2016

Abstract

Active honeytokens are fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders. In this article, we are interested in understanding how users (e.g., employees) behave when interacting with honeytokens, specifically addressing the following questions: Can users distinguish genuine data objects from honeytokens? And, how does the user's behavior and tendency to misuse data change when he or she is aware of the use of honeytokens? First, we present an automated and generic method for generating the honeytokens that are used in the subsequent behavioral studies. The results of the first study indicate that it is possible to automatically generate honeytokens that are difficult for users to distinguish from real tokens. The results of the second study unexpectedly show that users did not behave differently when informed in advance that honeytokens were planted in the database and that these honeytokens would be monitored to detect illegitimate behavior. These results can inform security system designers about the type of environmental variables that affect people's data misuse behavior and how to generate honeytokens that evade detection.

Published in

ACM Transactions on Information and System Security, Volume 18, Issue 3
April 2016
69 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2891450

Copyright © 2016 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 9 February 2016
• Revised: 1 November 2015
• Accepted: 1 November 2015
• Received: 1 June 2014

Qualifiers

• research-article
• Research
• Refereed
