Abstract
Active honeytokens are fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders. In this article, we are interested in understanding how users (e.g., employees) behave when interacting with honeytokens, specifically addressing the following questions: Can users distinguish genuine data objects from honeytokens? And, how does the user's behavior and tendency to misuse data change when he or she is aware of the use of honeytokens? First, we present an automated and generic method for generating the honeytokens that are used in the subsequent behavioral studies. The results of the first study indicate that it is possible to automatically generate honeytokens that are difficult for users to distinguish from real tokens. The results of the second study unexpectedly show that users did not behave differently when informed in advance that honeytokens were planted in the database and that these honeytokens would be monitored to detect illegitimate behavior. These results can inform security system designers about the type of environmental variables that affect people's data misuse behavior and how to generate honeytokens that evade detection.
Behavioral Study of Users When Interacting with Active Honeytokens