Abstract
We show that masquerade detection, based on sequences of commands executed by the users, can be effectively and efficiently done by the construction of a customized grammar representing the normal behavior of a user. More specifically, we use the Sequitur algorithm to generate a context-free grammar which efficiently extracts repetitive sequences of commands executed by one user – which is mainly used to generate a profile of the user. This technique identifies also the common scripts implicitly or explicitly shared between users – a useful set of data for reducing false positives. During the detection phase, a block of commands is classified as either normal or a masquerade based on its decomposition in substrings using the grammar of the alleged user. Based on experimental results using the Schonlau datasets, this approach shows a good detection rate across all false positive rates – they are the highest among all published results inpknown to the author.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Coull, S., Branch, J., Szymanski, B., Breimer, E.: Intrusion detection: A bioinformatics approach. In: ACSAC 2003: Proceedings of the 19th Annual Computer Security Applications Conference, p. 24. IEEE Computer Society, Los Alamitos (2003)
Ju, W.H., Vardi, Y.: Profiling UNIX users and processes based on rarity of occurrence statistics with applications to computer intrusion detection. Technical Report ALR-2001-002, Avaya Labs Research (March 2001)
Maxion, R., Townsend, T.: Masquerade detection using truncated command lines. In: Proceedings of the International Conference on Dependable Systems and Networks (DSN 2002), Washington, D.C, June 2002, pp. 219–228. IEEE Computer Society Press, Los Alamitos (2002)
Nevill-Manning, C., Witten, I.: Identifying hierarchical structure in sequences: A linear-time algorithm. Journal of Artificial Intelligence Research 7, 67–82 (1997)
Oka, M., Oyama, Y., Abe, H., Kato, K.: Anomaly detection using layered networks based on eigen co-occurrence matrix. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 223–237. Springer, Heidelberg (2004)
Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16(1), 1–17 (2001)
Wang, K., Stolfo, S.J.: One-class training for masquerade detection. In: 3rd IEEE Workshop on Data Mining for Computer Security, DMSEC 2003 (November 2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Latendresse, M. (2005). Masquerade Detection via Customized Grammars. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_9
Download citation
DOI: https://doi.org/10.1007/11506881_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9
eBook Packages: Computer ScienceComputer Science (R0)