Toward an Insider Threat Detection Framework Using Honey Permissions

The insider threat remains one of the most serious challenges to computer security. An insider attack occurs when an authorized user misuses his privileges and causes damages to the organization. Deception techniques have served as a common solution to insider threat detection, and several techniques, such as approaches based on honey entities, have been proposed. On the other hand, access control systems lack the ability to detect insider threats. In this paper, we focus on integrating deception into the role-based access control (RBAC) model, which is one of the most widely used access control models. We introduce the notion of “honey permission” and use it to extend RBAC to help in insider threat detection. We define honey permissions as permissions that exceed the authorized access, and are assigned to a subset of roles known as “candidate roles”. Objects included in honey permissions are fake versions of sensitive objects that are enticing for malicious users. In this way, an attempt to access sensitive resources by unauthorized users would be detected. We extend the RBAC model by adding honey permissions, indicating candidate roles, and adding a monitoring unit which monitors the sessions in which the owners of the sessions activate a subset of candidate roles and have access to an object through a honey permission. We propose an algorithm to select candidate roles and assign honey permissions to them. Furthermore, we provide security analysis and consider the overhead that would be added to the RBAC system for evaluation.