Research Student Profile

Dr Aung Phyo PhD

Research Student

Brief biographical information

A Generic Architecture for Insider Misuse Monitoring in IT Systems

Intrusion Detection Systems (IDS) have been widely deployed within many organisations' IT networks to detect network penetration attacks by outsiders and privilege escalation attacks by insiders. However, traditional IDS are ineffective for detecting abuse of legitimate privileges by authorised users within the organisation, i.e. the detection of misfeasance. In essence, insider IT abuse does not violate system level controls, yet violates the acceptable usage policy, business controls, or code of conduct defined by the organisation. However, the acceptable usage policy can vary from one organisation to another, and the acceptability of user activities can also change depending upon the user(s), application, machine, data, and other contextual conditions associated with the entities involved. The fact that the perpetrators are authorised users and that the insider misuse activities do not violate system level controls makes detection of insider abuse more complicated than detection of attacks by outsiders. The overall aim of the research is to determine novel methods by which monitoring and detection may be improved to enable successful detection of insider IT abuse. The discussion begins with a comprehensive investigation of insider IT misuse, encompassing the breadth and scale of the problem. Consideration is then given to the sufficiency of existing safeguards, with the conclusion that they provide an inadequate basis for detecting many of the problems. This finding is used as the justification for considering research into alternative approaches. The realisation of the research objective includes the development of a taxonomy for identification of the various levels within the system from which the relevant data associated with each type of misuse can be collected, and the formulation of a checklist for identification of applications that require misfeasor monitoring.
Based upon this foundation, a novel architecture for monitoring of insider IT misuse has been designed. The design allows new analysis procedures to be added, while providing methods to include relevant contextual parameters from dispersed systems for analysis and reference. The proposed system differs from existing IDS in that it focuses on detecting contextual misuse of authorised privileges and legitimate operations, rather than detecting exploitation of network protocols and system level vulnerabilities. The main concepts of the new architecture were validated through a proof-of-concept prototype system. A number of case scenarios were used to demonstrate the validity of the analysis procedures developed and how the contextual data from dispersed databases can be used for analysis of various types of insider activities. This helped prove that existing detection technologies can be adopted for detection of insider IT misuse, and that the research has thus provided a valuable contribution to the domain.

Dr Aung Phyo

Director of studies: Prof Steven M Furnell
Other supervisors: Prof Emmanuel Ifeachor

Journal papers

Considering the Problem of Insider IT Misuse
Furnell SM, Phyo AH
Australian Journal of Information Systems, vol. 10, no. 2, pp134-138, 2003

1 journal paper

Conference papers

A Framework for Monitoring Insider Misuse of IT Applications
Phyo AH, Furnell SM, Ifeachor E
Proceedings of the ISSA 2004 Enabling Tomorrow Conference, South Africa, 30 June-2 July, 2004

A Framework For Role-Based Monitoring of Insider Misuse
Phyo AH, Furnell SM, Portilla F
Proceedings of IFIP/SEC 2004 - 18th International Conference on Information Security, Toulouse, France, 23-26 August, pp51-65, 2004

A Conceptual Framework for Monitoring Insider Misuse
Phyo AH, Furnell SM
Proceedings of Euromedia 2004, Hasselt, Belgium, 21-23 April, pp90-95, 2004

A Detection-Oriented Classification of Insider IT Misuse
Phyo AH, Furnell SM
Proceedings of the 3rd Security Conference, Las Vegas, USA, 14-15 April, 2004

Data Gathering for Insider Misuse Monitoring
Phyo AH, Furnell SM
Proceedings of the 2nd European Conference on Information Warfare and Security, Reading, UK, 30 June - 1 July, pp247-254, 2003

Watching your own: The problem of insider IT misuse
Furnell SM, Phyo AH
Proceedings of AiCE 2002 - Third Australian Institute of Computer Ethics Conference, Sydney, Australia, 30 September 2002, pp17-24, 2002

6 conference papers

Internal publications

Prerequisites for monitoring insider IT misuse
Phyo AH, Furnell SM, Phippen AD
Proceedings of the Third Collaborative Research Symposium on Security, E-learning, Internet and Networking (SEIN 2007), Plymouth, UK, ISBN: 978-1-8410-2173-7, pp41-52, 2007
Can be ordered on-line.

Analysis of insider misuse in commercial applications
Portilla F, Furnell SM, Phyo AH
Advances in Network & Communication Engineering, pp46-54, 2004

A Generic Framework for the Prevention and Detection of Insider Misuse
Coussa MJ, Phyo AH, Furnell SM
Advances in Network & Communication Engineering, pp38-45, 2004

3 internal publications

10 publications in all categories.