Oslo clever clogs craft code to scan di mavens and snare dodgy staff

There's Norway you can escape detection, thanks to computers, software, and skills

Researchers from the University of Oslo in Norway have developed a system that tries to combat rogue employees and inside jobs – by combining cyber and real-world security knowhow.

Known as PS0, the framework [PDF] combines traditional PC and network security systems with input from physical sensors and other surveillance hardware such as cameras and ID badges, eventually combining all of it into a single database that could be queried by administrators.

The idea, say the researchers, would be to give companies the ability to connect multiple events to help give them a picture of how an attack, particularly one from inside the organization, unfolded over time – and possibly stop one happening in the first place.

PS0 system diagram

"In an idealistic environment any type of malicious activity should be prevented or detected and mitigated but this is almost never the case, especially when the attacker is a trusted authority," the report reads.

"It is the case that many times malicious activity goes undetected for a long period and incidents are not reported in a timely manner."

In one example, researchers said an administrator would respond to an incident by querying the system in SPARQL semantic query language with a set of parameters including things like access logs, device permissions, and surveillance or sensor records. The system will then produce the results with records or a provenance graph showing how the fields intersect.


NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits


The result would be a clear picture of who was where and what they were doing, both within the network and on the floor of the office itself. The latter, the researchers suggest, is the key to catching insider threats. Even someone with elevated permissions that may never trigger an alarm on the network or servers could get caught on cameras or physical logs.

While the system seems complex, the researchers say that early trials with student volunteer admins showed that the entire system was surprisingly easy to learn. In many cases the volunteers would learn how to perform basic queries on the system and solve the attack scenarios with minimal training.

"All eleven analysts without having any prior experience with the system succeeded to identify the insiders," the researchers said.

"This is mainly based on the intuitive approach the analysts followed to investigate the incidents."

In the end, the researchers believe the framework could be followed by organizations to create systems that would be more flexible than existing security offerings and give a deeper insight into logs and records, allowing admins to catch both isolated incidents and long-running espionage operations. ®

Other stories you might like

  • Graviton 3: AWS attempts to gain silicon advantage with latest custom hardware

    Key to faster, more predictable cloud

    RE:INVENT AWS had a conviction that "modern processors were not well optimized for modern workloads," the cloud corp's senior veep of Infrastructure, Peter DeSantis, claimed at its latest annual Re:invent gathering in Las Vegas.

    DeSantis was speaking last week about AWS's Graviton 3 Arm-based processor, providing a bit more meat around the bones, so to speak – and in his comment the word "modern" is doing a lot of work.

    The computing landscape looks different from the perspective of a hyperscale cloud provider; what counts is not flexibility but intensive optimization and predictable performance.

    Continue reading
  • The Omicron dilemma: Google goes first on delaying office work

    Hurrah, employees can continue to work from home and take calls in pyjamas

    Googlers can continue working from home and will no longer be required to return to campuses on 10 January 2022 as previously expected.

    The decision marks another delay in getting more employees back to their desks. For Big Tech companies, setting a firm return date during the COVID-19 pandemic has been a nightmare. All attempts were pushed back so far due to rising numbers of cases or new variants of the respiratory disease spreading around the world, such as the new Omicron strain.

    Google's VP of global security, Chris Rackow, broke the news to staff in a company-wide email, first reported by CNBC. He said Google would wait until the New Year to figure out when campuses in the US can safely reopen for a mandatory return.

    Continue reading
  • This House believes: A unified, agnostic software environment can be achieved

    How long will we keep reinventing software wheels?

    Register Debate Welcome to the latest Register Debate in which writers discuss technology topics, and you the reader choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday. During the week you can cast your vote on which side you support using the poll embedded below, choosing whether you're in favour or against the motion. The final score will be announced on Friday, revealing whether the for or against argument was most popular.

    This week's motion is: A unified, agnostic software environment can be achieved. We debate the question: can the industry ever have a truly open, unified, agnostic software environment in HPC and AI that can span multiple kinds of compute engines?

    Our first contributor arguing FOR the motion is Nicole Hemsoth, co-editor of The Next Platform.

    Continue reading

Biting the hand that feeds IT © 1998–2021