Documents in the NTIS Technical Reports collection are the results of federally funded research. They are directly submitted to or collected by NTIS from Federal agencies for permanent accessibility to industry, academia and the public.  Before purchasing from NTIS, you may want to check for free access from (1) the issuing organization's website; (2) the U.S. Government Printing Office's Federal Digital System website; (3) the federal government Internet portal; or (4) a web search conducted using a commercial search engine such as
Accession Number ADA562792
Title Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection.
Publication Date Jun 2012
Media Count 213p
Personal Author M. H. Crawford
Abstract Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user's workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four step methodology for development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables for monitoring for potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests.
Keywords Behavior
Case studies
Computer crimes
Computer network defense techniques
Computer security
Cyber security
Insider threat
Registry forensics
Virtual machine
Virtual machine introspection
Xen hypervisor

Source Agency Non Paid ADAS
NTIS Subject Category 62B - Computer Software
62D - Information Processing Standards
Corporate Author Air Force Inst. of Tech., Wright-Patterson AFB, OH. Graduate School of Engineering and Management.
Document Type Thesis
Title Note Master's thesis.
NTIS Issue Number 1225
Contract Number N/A

Science and Technology Highlights

See a sampling of the latest scientific, technical and engineering information from NTIS in the NTIS Technical Reports Newsletter

Acrobat Reader Mobile    Acrobat Reader