Gargoyle: Innovative solution for preventing insider attacks

A group of researchers from UNSW Sydney, Macquarie University, and Purdue University has released a paper on a new and very promising network-based solution for preventing insider attacks.

Gargoyle preventing insider attacks

Dubbed Gargoyle, the solution:

  • Evaluates the trustworthiness of an access request context through a set of Network Context Attributes (NCAs) that are extracted from the network traffic
  • Leverages the capabilities of Software-Defined Network (SDN) for both policy enforcement and implementation
  • Takes advantage of the network controller for added protection/defense
  • Avoids a binary approach when making authorizations. Instead, depending on the context, some functions (e.g., copy, email) may be disallowed for the data requester.

The researchers mean for Gargoyle to be implemented as an application for SDN controllers (Gargoyle SDN, or GSDN). The app would take care of dynamic network-level access control.

For host-based access control they developed the Gargoyle mobile app (GAPP) capable of applying function restrictions for data objects.

Gargoyle’s architecture

Gargoyle works like this:

The data requester (user, potential insider) makes a data request via the Gargoyle mobile app.

GSDN’s Network Context Analyzer component extracts from the network traffic Network Context Attributes (NCAs) pertinent to the user (e.g., user’s device capabilities, security-level, current and prior interactions with other devices, network connection status, and suspicious online activities).

NCAs are retrieved by analyzing the network traffic collected for user devices using the Traffic Context Analyzer module. Reports from the SDN Data Plane Intrusion Prevention System (IPS) are integrated when evaluating the context trustworthiness.

Gargoyle preventing insider attacks

“Finally, the Risk Management component according to the policies specified by the Policy Repository and FBAC Repository forwards a set of access authorizations to the Advanced Enforcement Point (AEP) component,” the researchers explained.

“AEP’s instructions include actions for the ‘Host-based’ and ‘Network-based’ access control modules. The host-level access control involves allowing or restricting a set of functions for data objects, which are enforced by Gargoyle’s mobile Application (GAPP). The network-based access control module implements a set of restrictions at network-level through Gargoyle’s SDN Application (GSDN) – these are completely independent of the host-level restrictions and have a much higher granularity level. In other words, network-level access enforcements are not applied at file level or functions, but instead apply access restrictions such as disconnecting the device from the network altogether.”

How effective and viable is it?

Compared to other standalone approaches such as Role-based Access Control (RBAC), Function-based Access Control (FBAC), and Usage Control (UCON), Gargoyle proved to be considerably more effective at protecting resources against insider scenarios.

“In our simulated scenarios, more than half of access requests were granted despite detecting a threat. This proves the applicability of Gargoyle in the real-world context by enabling organizations to function securely even in the presence of threats,” the researchers added.

In addition to this, Gargoyle doesn’t impact network performance and the Gargoyle’s mobile application energy overhead is unnoticeable.

All of this shows much promise, and the researchers are now planning to investigate Gargoyle’s performance for larger networks. But, ultimately, they don’t mean for Gargoyle to do all the work of flagging insider threats. “Integrating Gargoyle as complimentary to existing solutions may be the most practical approach for real-world deployment,” they concluded.

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.