[Bro] Insider Abuse Use Case

Matthias Vallentin vallentin at icir.org
Thu Jul 21 08:40:33 PDT 2016

> There is a Use Case for Insider Abuse, I am interested in this and am a
> beginner to Bro IDS scripting. Is there any existing script dealing with
> some form of Insider Abuse that I can use as an example?

Rather than having a script for one particular instance of insider
abuse, I wanted to highlight overall approach towards in this talk. What
makes insider abuse hard to detect, is that often each individual action
in isolation is legit, but only constitute a policy violation when
analyzed in sequence. The challenge lies in analyzing chains of actions.
Doing so live (i.e., while analyzing traffic in real time) may not be
feasible because such actions often manifest over longer time periods.
Therefore, detection angles often rely on summaries of past activity,
such as behavior profiles. But this goes quickly into distilling
patterns of normality and then flagging deviations (with all its
pitfalls [1]).

That said, I'm sure there are simpler, concrete instances of insider
abuse which can be readily coded up in Bro. It all depends on the policy
of your site and the assets you're trying to protect.


[1] http://www.icir.org/robin/papers/oakland10-ml.pdf

More information about the Bro mailing list