Protecting Documents from the Insider Threat: A Multiphase Approach

Suranjan Pramanik
Department of Computer Science and Engineering, State University of New York at Buffalo


Perimeter-based security has been effectively used to protect critical resources from external attacks. Tools such as firewalls, intrusion detection systems, and network monitoring systems have been developed with the implicit goal of detecting and protecting resources from external attacks. However, recent security surveys have highlighted the fact that cyber attacks in secure environments originate not only from outside the environment perimeter, but also from inside; specifically, malicious insiders are cited as responsible for the majority of the attacks. A malicious insider can range in sophistication from an innocuous entity, to a disgruntled employee, to an intentionally placed mole. Traditional attack models do not generalize to insider threats. This talk will focus on the detection and prevention of such insider attacks in a Document Management System. Since documents are the main placeholders of information, they are usually the ultimate target of attackers seeking financial gain. Malicious insiders in this domain are uniquely positioned to leak important documents despite commercial products (Authentica, Office IRM) that protect them. This talk first presents a new multiphase approach consisting of a pre-document access phase, a mid-document access phase, and a post-document access phase to prevent, monitor, and audit document abuse by insiders. Masquerade detection algorithms using Bayesian classifiers on user-level actions will be presented next. This will be followed by the dynamic policy specification and enforcement framework for document access, which is specifically tailored to preventing insider abuse. The framework uses a graph-theoretic approach to detect information leaks between documents and generate dynamic policies. The talk will also describe the prototype developed on the Microsoft (MS) Windows platform to monitor and prevent insider abuse of the popular MS Word documents.
The masquerade detection and the policy enforcement tools are implemented and analyzed in this experimental setup. Results of a field experiment with real users in a laboratory setting will be presented. Complete details of the project and the results are available at At the conclusion of the talk, other relevant work on program vulnerability detection and fault-tolerance will be listed, followed by future research plans.