Episode Based Masquerade Detection

  • Conference paper
Information Systems Security (ICISS 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3803)

Abstract

Masquerade detection is one of the major concerns of system security research for two main reasons: such an attack cannot be detected at the time of access, and any detection technique relies on the user's signature, while even a legitimate user is likely to deviate from their usual usage pattern. In recent years, there have been several proposals to efficiently detect masqueraders while keeping the false alarm rate as low as possible. One of the recent techniques, Naive Bayes with truncated command lines, has been very successful in maintaining a low false alarm rate. This method depends on the probability of individual commands. It is more appropriate to consider meaningful groups of commands rather than individual commands. In this paper we propose a method of masquerade detection that considers episodes, meaningful subsequences of commands. The main contributions of the present work are (i) an algorithm to determine episodes from a long sequence of commands, and (ii) a technique to use these episodes to detect masquerade blocks of commands. Our experiments with standard datasets such as the SEA dataset reveal that episode-based detection is a more useful masquerade detection technique.

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dash, S.K., Reddy, K.S., Pujari, A.K. (2005). Episode Based Masquerade Detection. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2005. Lecture Notes in Computer Science, vol 3803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11593980_19

  • DOI: https://doi.org/10.1007/11593980_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-30706-8

  • Online ISBN: 978-3-540-32422-5

  • eBook Packages: Computer Science (R0)