Insiders pose a major problem for the security industry. Because by definition they already operate inside the traditional perimeter, most defenses against them rely on some form of behavioral analysis or anomaly detection on the network. Fog computing tries to improve that analysis through enticement: it tries to make malicious insiders reveal themselves. Developed for DARPA by Allure Security Technology, a Columbia University spinout, it intersperses legitimate documents with enticing deceptive documents (DDs) and then watches who accesses them.
The system knows which documents are DDs. Detecting which employees are drawn to them highlights the users who are a potential insider threat; in this sense fog computing turns an organization’s document store into a honeypot for its own employees. “Two small problems,” notes a report published Tuesday in Wired’s Danger Room: “Some of the researchers’ techniques are barely distinguishable from spammers’ tricks. And they could wind up undermining trust among the nation’s secret-keepers, rather than restoring it.”
Wired is discussing a document issued by the U.S. Army Aviation and Missile Command, produced by Allure for DARPA and titled Final Report: Anomaly Detection At Multiple Scales. It is a high-level design of the Allure Defender System, an implementation of fog computing. It shows, for example, how one potential weakness in the concept is handled. The system itself must be able to distinguish DDs from genuine documents; if an attacker (an insider, or an external hacker who has gained access to the network) can also tell which is which, the whole scheme fails.
“One approach we use in creating decoys,” says the Allure document, “relies on a document marking scheme in which all documents contain embedded markings such that decoys are tagged with HMACs (i.e., a keyed cryptographic hash function) and non-decoys are tagged with indistinguishable randomness... and the only attacker capable of distinguishing them is one with the key, perhaps the highly privileged insider.” Without the key, an HMAC output cannot be told apart from random bytes of the same length, so the integrity of the scheme reduces to protecting the key that separates genuine from decoy documents: whoever holds it (the monitoring system, or a sufficiently privileged insider) can tell them apart, and nobody else can.
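The marking scheme in the quoted passage, and the access check it enables, as an added illustration written for this article rather than code from the Allure report or the Allure Defender System. It assumes HMAC-SHA256 computed over the document body and a 32-byte marker, neither of which the report specifies, and the document store, key and access log are constructed sample data.

```python
"""Added example: HMAC-tagged decoys versus randomly tagged genuine documents,
plus the check that flags users who open decoys.

Assumptions (not from the Allure report): HMAC-SHA256 over the document body,
32-byte markers, and an in-memory store of (content, tag) pairs."""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes; random tags match the HMAC length


def make_tag(content: bytes, key: bytes, decoy: bool) -> bytes:
    """Marker embedded in a document.

    Decoys carry HMAC-SHA256(key, content); genuine documents carry TAG_LEN
    bytes of fresh randomness. Both are the same length, and without the key
    an HMAC output is indistinguishable from random bytes."""
    if decoy:
        return hmac.new(key, content, hashlib.sha256).digest()
    return secrets.token_bytes(TAG_LEN)


def is_decoy(content: bytes, tag: bytes, key: bytes) -> bool:
    """Key holder's check. Constant-time comparison so the check is not a
    timing oracle. Because the tag is bound to the content, a decoy's tag
    copied onto another file does not make that file verify as a decoy."""
    expected = hmac.new(key, content, hashlib.sha256).digest()
    return len(tag) == TAG_LEN and hmac.compare_digest(expected, tag)


def build_store(key: bytes, docs: dict) -> dict:
    """docs: {doc_id: (content, is_decoy)} -> {doc_id: (content, tag)}."""
    return {d: (c, make_tag(c, key, decoy)) for d, (c, decoy) in docs.items()}


def flag_decoy_accesses(access_log, store: dict, key: bytes) -> dict:
    """Return {user: [doc_ids]} for every access to a document whose marker
    verifies as a decoy. Users absent from the result touched no decoys."""
    hits: dict = {}
    for user, doc_id in access_log:
        content, tag = store[doc_id]
        if is_decoy(content, tag, key):
            hits.setdefault(user, []).append(doc_id)
    return hits


# Constructed sample data; the key is the one secret the scheme rests on.
KEY = b"monitoring-key-kept-off-the-file-server"
STORE = build_store(KEY, {
    "q3_forecast.xlsx": (b"real revenue projections", False),
    "merger_plan_DRAFT.docx": (b"bogus acquisition terms", True),
    "vpn_passwords.txt": (b"bogus credential list", True),
})
ACCESS_LOG = [  # (user, doc_id) pairs, constructed
    ("alice", "q3_forecast.xlsx"),
    ("bob", "q3_forecast.xlsx"),
    ("bob", "merger_plan_DRAFT.docx"),
    ("bob", "vpn_passwords.txt"),
    ("carol", "q3_forecast.xlsx"),
]

if __name__ == "__main__":
    print(flag_decoy_accesses(ACCESS_LOG, STORE, KEY))
    # -> {'bob': ['merger_plan_DRAFT.docx', 'vpn_passwords.txt']}
```

Two points worth noting from the code: the genuine document's tag is random, so there is nothing to "verify" on it and it never matches the HMAC; and because the HMAC covers the content, an attacker who learns a decoy's tag cannot transplant it onto another file to confuse the monitor, nor can anyone without the key separate the two populations of tags.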
While this particular document describes a system designed for military or government use, subsequent Allure documents show that the concept has wider applicability. Commerce is moving into the cloud, and in the cloud everyone with internet access is effectively an ‘insider’. Fog Computing: Mitigating Insider Data Theft Attacks in the Cloud shows that Allure sees a general applicability for fog computing. It proposes adding decoy documents to a user’s cloud store. “Once unauthorized data access or exposure is suspected, and later verified, with challenge questions for instance,” it says, “we inundate the malicious insider with bogus information in order to dilute the user’s real data. Such preventive attacks that rely on disinformation technology, could provide unprecedented levels of security in the Cloud and in social networks.”