A System Architecture for the Detection of Insider Attacks in Big Data Systems
Santosh Aditham, Nagarajan Ranganathan

TL;DR
This paper presents a novel system architecture for detecting insider attacks in big data systems by analyzing replicated data and process instructions, demonstrating effective detection with minimal overhead.
Contribution
It introduces a new architecture utilizing data replication and a two-step detection algorithm to identify insider threats in big data environments.
Findings
Detects insider attacks using data replication and instruction sequence matching.
Requires analyzing only 20% of code per program, reducing overhead.
Achieves 3.28% time overhead in initial experiments.
Abstract
In big data systems, the infrastructure is such that large amounts of data are hosted away from the users. In such a system information security is considered as a major challenge. From a customer perspective, one of the big risks in adopting big data systems is in trusting the provider who designs and owns the infrastructure from accessing user data. Yet there does not exist much in the literature on detection of insider attacks. In this work, we propose a new system architecture in which insider attacks can be detected by utilizing the replication of data on various nodes in the system. The proposed system uses a two-step attack detection algorithm and a secure communication protocol to analyze processes executing in the system. The first step involves the construction of control instruction sequences for each process in the system. The second step involves the matching of these…
Taxonomy
Topics: Network Security and Intrusion Detection · Access Control and Trust · Security and Verification in Computing
