MITRE/Purdue Mobile Masquerading User Experiment
Mark Guido - MITRE
Sep 17, 2014 (video size: 183.2MB)
Abstract
Periodic Mobile Forensics (PMF) is a MITRE research project investigating user behavioral measurement on mobile devices by applying both traditional and mobile forensics processes. We applied our research to an enterprise mobile infrastructure, where we utilize a mobile on-device agent named TractorBeam. This agent periodically collects changed storage locations from each device, allowing later image reconstruction and analysis. We collaborated with Purdue University on a three-month experiment evaluating TractorBeam's operation in a simulated operational setting to identify masquerading users (i.e., users other than the enterprise-designated user operating the device). We surmised that even a masquerading user who lacked malicious intent would still be undesirable to the enterprise. On campus, we provided a set of human-subject volunteers with the following: preconfigured mobile devices with cellular voice and data plans and the TractorBeam agent pre-installed; a simple acceptable use policy; and deceptive project background information to stimulate normal behavior. As a result of the experiment, we collected enough data to reconstruct 821 forensic images, extract over 1 million audit events, and perform masquerading user analysis. This presentation describes PMF and characterizes the collected experiment corpus, the extracted audit events, and the performance of TractorBeam throughout the protocol. Our approach to advanced masquerading detection is then discussed.
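The abstract describes the agent's core mechanism only in outline: collect the storage locations that changed since the last period, and rebuild full images later from those deltas. The following is an added illustration of that idea, not MITRE's TractorBeam code; the page does not say how TractorBeam actually detects or ships changes, so the block-hash comparison, the `Collection` record, the device digest check, and the constructed four-block "partition" are all assumptions made for the example.

```python
"""Added example (not MITRE's TractorBeam code): block-level change collection
from a storage image and later reconstruction of each period's full image from
the accumulated deltas. The hash-per-block scheme and the sample partition are
assumptions for illustration; the page does not describe TractorBeam's internals."""

import hashlib
from dataclasses import dataclass

BLOCK_SIZE = 16  # tiny blocks so the constructed sample partition is readable


def split_blocks(image: bytes) -> list[bytes]:
    """Split a storage image into fixed-size blocks (the last may be short)."""
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Collection:
    """What the agent ships for one period: only blocks whose contents changed,
    the total block count, and a digest of the whole image for verification."""
    period: int
    block_count: int
    changed: dict[int, bytes]
    image_digest: str


class ChangeCollector:
    """Device-side state: per-block digests as of the previous collection."""

    def __init__(self) -> None:
        self.last: dict[int, str] = {}
        self.period = 0

    def collect(self, image: bytes) -> Collection:
        blocks = split_blocks(image)
        current = {i: digest(b) for i, b in enumerate(blocks)}
        # A block is collected if it is new or its digest differs from last time.
        changed = {i: blocks[i] for i, d in current.items() if self.last.get(i) != d}
        self.last = current
        self.period += 1
        return Collection(self.period, len(blocks), changed, digest(image))


class ImageReconstructor:
    """Server-side state: the last known contents of every block."""

    def __init__(self) -> None:
        self.blocks: dict[int, bytes] = {}

    def apply(self, c: Collection) -> bytes:
        self.blocks.update(c.changed)
        for i in [i for i in self.blocks if i >= c.block_count]:
            del self.blocks[i]  # image shrank since the last period
        try:
            image = b"".join(self.blocks[i] for i in range(c.block_count))
        except KeyError as e:
            raise ValueError(f"period {c.period}: block {e} never collected") from e
        # A lost or tampered collection leaves stale blocks; the digest exposes it.
        if digest(image) != c.image_digest:
            raise ValueError(f"period {c.period}: reconstruction does not match device digest")
        return image


def blk(text: str) -> bytes:
    """One constructed block of sample content, padded to BLOCK_SIZE."""
    return text.encode().ljust(BLOCK_SIZE)


def run_demo() -> dict:
    """Three collection periods over a constructed four-block 'partition'."""
    p1 = blk("cfg:user=alice") + blk("contacts:bob") + blk("sms:hi bob") + blk("log:unlock 08:00")
    p2 = p1[:48] + blk("log:unlock 12:30")                      # only the log block changed
    p3 = p2[:32] + blk("sms:see you") + p2[48:] + blk("pkg:newapp.apk")  # edit + growth
    truth = [p1, p2, p3]

    agent, server = ChangeCollector(), ImageReconstructor()
    collections = [agent.collect(img) for img in truth]
    rebuilt = [server.apply(c) for c in collections]

    # Skipping period 2 on the server side must be detected, not silently accepted.
    lossy = ImageReconstructor()
    lossy.apply(collections[0])
    try:
        lossy.apply(collections[2])
        missed_detected = False
    except ValueError:
        missed_detected = True

    return {
        "changed_per_period": [len(c.changed) for c in collections],
        "bytes_shipped": sum(len(b) for c in collections for b in c.changed.values()),
        "reconstructed_matches": rebuilt == truth,
        "missed_period_detected": missed_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The first period ships every block (there is no baseline yet); afterwards only changed or newly appended blocks travel, which is the bandwidth argument for periodic collection. The whole-image digest is the practitioner's caveat: a delta scheme silently produces a wrong image if any period is lost, so each period must carry enough to prove the reconstruction is faithful.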
About the Speaker
Mr. Mark Guido is a principal cyber engineer and researcher at The MITRE Corporation, a non-profit organization chartered to work in the public interest. His main focus areas are mobile forensics and insider threat (user behavioral measurement).
Mr. Guido has worked for MITRE in the defense, intelligence, and law enforcement communities for more than twelve years. He has supported technology research and development both within MITRE, via its internal research program, and through various customer programs, and has helped various government customers stand up auditing and monitoring capabilities. Mr. Guido served as the lead engineer supporting an operational insider threat monitoring and mitigation program, has worked onsite at various security operations centers and forensics laboratories, and has operationally supported numerous incidents and investigations.
Mr. Guido has a bachelor's degree in computer science from Springfield College and a master's degree in computer science from the George Washington University.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website are the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works from, transmit, or in any other way exploit any part of the copyrighted material without permission from CERIAS, Purdue University.