From: Mike Ruscher (Mike.RuscherCSE-CST.GC.CA)
Date: Thu Jan 18 2001 - 12:04:40 CST


    It sounds like you should be enforcing a security policy to the access of
    the information. If you are making this information completely publicly
    available, but have concerns with aggregation to confidential, you should
    have access controls in place modelled after the policy. It seems like a bit
    of a contradiction to offer information and then scrutinize its use to
    finger (ahem) researchers (or competitors) of your public information. What
    do you propose to do to those you feel are snooping too deeply or widely? If
    you intend to prosecute, you need to provide a warning advertisement to the
    effect, but I don't think you would win anyway from the sound of it. I must
    be missing something here.

    Now if these researchers are hacking into your information, then you need
    better defences than the simple data-mining detection. A distributed
    data-mining attack over a relatively long time frame (below the normal noise
    level) would beat anything an IDS could do for you, I'd bet. Your database
    access logs should be adequate, assuming they capture enough relevant
    information about the accesses.

    OTOH, maybe, you could use this type of knowledge to feed fictitious
    information to special targets once identified, assuming that they are even
    valid and not spoofed somehow. ;)

    You need to examine who needs to know this price and availability
    information and set up secure channels of trust between your data and them,
    based on some form of risk assessment and acceptance. The onus is on the
    owner of the sensitive info to protect it from such potential attacks.
    Detection (after the fact) is not prevention. One real good nugget (read
    aggregated needle in a haystack) could spell the end of an organization!
    (Even if you can't see the aggregation yourself!!!)

    Mike Ruscher, ITS Specialist I2, CSE/CST
    mgruschercse-cst.gc.ca
    Phone: +1 613 991-8040
    ED/C200
    http://www.cse-cst.gc.ca

    > -----Original Message-----
    > From: Eric Hacker [mailto:ehackerLUCENT.COM]
    > Sent: Thursday, January 18, 2001 11:19 AM
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > Subject: Data Mining IDS detection.
    >
    >
    > Hello,
    >
    > Does anyone know of IDS tools that attempt to detect data-mining
    > activity, especially with regards to web traffic?
    >
    > Here is the scenario: An organization has a database driven B to (C or B)
    > website that contains product information (price/availability etc.) that
    > is variable. In individual quantities, this information is mostly
    > harmless and necessary to give to the customer. However, in aggregate,
    > this data may give competitors information that would otherwise be
    > confidential.
    >
    > The idea would be to detect data-mining efforts of competitors to
    > aggregate the data. One must assume that efforts will be made on the
    > part of the competitor to disguise such activity. It would seem to me,
    > however, that there are practical limitations on the disguising
    > capability and that IDS technology looking for anomalous traffic
    > patterns may detect such.
    >
    > Anyone have any leads/ideas?
    >
    > Due to time constraints, I'm asking this question without being able to
    > do much research. I apologize if I missed something obvious.
    >
    > Thank you,
    > Eric Hacker, CISSP, GCIA, MCSE, CCSE
    > Network Security Consultant
    > Lucent Worldwide Services
    > "Long gone are the days when one's surname referred to the role
    > one had in the community."
    >
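The kind of log-based aggregation check the two messages above discuss, written here as an added example that is not part of this thread and not any product's code. It assumes an Apache Common Log Format web log and a /products/<id> catalogue URL scheme, and the sample traffic it builds is constructed: one ordinary customer, one client that walks the catalogue in a burst, and a dozen clients that each fetch only a few products over several days. The detector counts distinct products per client within fixed windows; running it with a short window, a long window, and a per-/24 grouping shows why the per-IP rule catches the burst and misses the distributed, low-and-slow collection that the reply warns about.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache Common Log Format: client ident user [timestamp] "request" status bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Assumption: catalogue pages live under /products/<numeric id>.
PRODUCT_RE = re.compile(r"^/products/(?P<pid>\d+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample log, not real traffic: one customer, one burst
    scraper, and one distributed low-and-slow scraper."""
    base = datetime(2001, 1, 18, 11, 0, 0, tzinfo=timezone.utc)
    lines = []

    def hit(ip, when, pid):
        lines.append(
            f'{ip} - - [{when.strftime(TS_FMT)}] "GET /products/{pid} HTTP/1.0" 200 512'
        )

    # Ordinary customer: three products in one short visit.
    for i, pid in enumerate((101, 102, 150)):
        hit("192.0.2.10", base + timedelta(minutes=i), pid)
    # Burst scraper: one client walks 60 products in three minutes.
    for i in range(60):
        hit("198.51.100.7", base + timedelta(seconds=3 * i), 1000 + i)
    # Distributed scraper: 12 clients in one /24, five products each,
    # spread over roughly three days so no single hour looks unusual.
    for c in range(12):
        for j in range(5):
            hit(f"203.0.113.{20 + c}", base + timedelta(hours=6 * c + j), 2000 + 5 * c + j)
    return lines


def parse_events(lines):
    """Return (client, timestamp, product_id) for catalogue requests only;
    static assets and non-product pages are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PRODUCT_RE.match(m["path"])
        if not p:
            continue
        events.append((m["client"], datetime.strptime(m["ts"], TS_FMT), p["pid"]))
    return events


def aggregation_alerts(events, window_seconds, max_distinct, group_by="ip"):
    """Count distinct products per client (or per /24) within fixed windows of
    window_seconds, aligned to the earliest event in the batch, and return
    {group: peak_distinct_count} for every group that exceeds max_distinct."""
    if not events:
        return {}
    t0 = min(ts for _, ts, _ in events)
    seen = defaultdict(set)
    for client, ts, pid in events:
        if group_by == "subnet":
            key = str(ipaddress.ip_network(f"{client}/24", strict=False))
        else:
            key = client
        bucket = int((ts - t0).total_seconds() // window_seconds)
        seen[(key, bucket)].add(pid)
    alerts = {}
    for (key, _), pids in seen.items():
        if len(pids) > max_distinct:
            alerts[key] = max(alerts.get(key, 0), len(pids))
    return alerts


if __name__ == "__main__":
    events = parse_events(build_sample_log())
    # One-hour window, per IP: only the burst scraper trips the threshold.
    print(aggregation_alerts(events, 3600, 20))
    # One-week window, per IP: still only the burst; each slow client stays under 20.
    print(aggregation_alerts(events, 7 * 86400, 20))
    # One-week window, per /24: the distributed collector shows up, but only
    # because these constructed clients happen to share a netblock.
    print(aggregation_alerts(events, 7 * 86400, 20, group_by="subnet"))
```

The threshold and grouping key are the whole detector: a competitor who spreads requests across unrelated netblocks and keeps each client under the per-window limit produces no alert at any window size, which is the point made in the reply. The log also has to record the client address and request path for this to work at all; a log that captures only status codes or is truncated to the vhost gives you nothing to aggregate on.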