
Towards a Masquerade Detection System Based on User’s Tasks

  • Conference paper
Research in Attacks, Intrusions and Defenses (RAID 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8688)

Abstract

Nowadays, computers store critical information, prompting the development of mechanisms aimed at timely detecting any kind of intrusion. Some of these mechanisms, called masquerade detectors, are designed to raise an alarm whenever they detect an anomaly in system behavior. Usually, the profile of ordinary system behavior is built from a history of command execution. However, in [1,2] we suggested that it is not the command but the object upon which it is carried out that may distinguish a masquerade from legitimate user participation; we also hypothesized that this approach provides a means for building masquerade detectors that work at a higher level of abstraction. In this paper, we report on a successful step towards validating this hypothesis. The crux of our abstraction stems from the observation that a directory often holds closely related objects, resembling a user task; thus, we do not have to account for accesses to individual objects; instead, we simply take each one to be an access to some ancestor directory, the user task. Indeed, we shall prove that by looking at the accesses to only a few such user tasks, we can build a masquerade detector just as powerful as one that looks at the accesses to every single file system object. The advantages of this abstraction are paramount: it eases the construction and maintenance of a masquerade detection mechanism, as it yields much shorter models. Using the WUIL dataset [2], we have conducted two experiments to compare the performance of two one-class classifiers, namely Naïve Bayes and Markov chains, considering single objects and our abstraction to user tasks. We shall see that in both cases the task-based masquerade detector outperforms the individual object-based one.
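The task abstraction and the Markov-chain one-class classifier described in the abstract, as an added example written for this page and not the authors' implementation: each file access is collapsed to an ancestor directory (here by truncating the path at a fixed depth, which is this example's assumption; the paper does not state its rule), a first-order Markov chain is fitted on the legitimate user's own task sequence, and a sequence of accesses that the user never makes scores lower. The access logs are constructed for the example and are not taken from the WUIL dataset.

```python
import math
from collections import defaultdict
from posixpath import normpath

def task_of(path, depth=4):
    """Abstract a file-system object to an ancestor directory, its "user task".
    Cutting at a fixed depth is this example's assumption, not the paper's rule."""
    parts = [p for p in normpath(path).split("/") if p]
    return "/" + "/".join(parts[:min(depth, len(parts) - 1)])

class TaskMarkovChain:
    """One-class, first-order Markov chain over the sequence of tasks accessed,
    trained only on the legitimate user's own history."""
    def __init__(self, depth=4, alpha=1.0):
        self.depth, self.alpha = depth, alpha
        self.counts = defaultdict(lambda: defaultdict(int))  # counts[a][b]
        self.states = set()

    def fit(self, paths):
        tasks = [task_of(p, self.depth) for p in paths]
        self.states = set(tasks) | {"<unk>"}  # <unk> absorbs tasks never seen
        for a, b in zip(tasks, tasks[1:]):
            self.counts[a][b] += 1

    def _prob(self, a, b):
        # Add-alpha smoothing keeps an unseen transition from scoring -infinity.
        a = a if a in self.states else "<unk>"
        b = b if b in self.states else "<unk>"
        row = self.counts.get(a, {})
        return (row.get(b, 0) + self.alpha) / (sum(row.values()) + self.alpha * len(self.states))

    def score(self, paths):
        """Mean log-likelihood per transition; below a chosen threshold means masquerade."""
        tasks = [task_of(p, self.depth) for p in paths]
        logs = [math.log(self._prob(a, b)) for a, b in zip(tasks, tasks[1:])]
        return sum(logs) / len(logs) if logs else 0.0

# Constructed sample access logs (not taken from the WUIL dataset).
TRAIN = ["/home/alice/projects/report/intro.tex", "/home/alice/projects/report/figs/fig1.png",
         "/home/alice/projects/report/main.tex", "/home/alice/projects/report/refs.bib",
         "/home/alice/mail/inbox/msg1.eml", "/home/alice/mail/inbox/msg2.eml",
         "/home/alice/projects/report/main.tex", "/home/alice/projects/report/figs/fig2.png",
         "/home/alice/mail/inbox/msg3.eml", "/home/alice/projects/report/main.tex"]
USER = ["/home/alice/projects/report/main.tex", "/home/alice/projects/report/refs.bib",
        "/home/alice/mail/inbox/msg4.eml", "/home/alice/projects/report/main.tex"]
OTHER = ["/home/alice/finance/2014/tax.pdf", "/home/alice/finance/2014/bank.csv",
         "/home/alice/pictures/private/img1.jpg", "/home/alice/projects/report/main.tex"]
```

Ten training accesses to eight distinct files collapse to two task states, which is the shorter model the abstract refers to; the threshold that separates USER from OTHER is set by the operator, for instance from scores on held-out user data.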


References

  1. Camiña, B., Monroy, R., Trejo, L.A., Sánchez, E.: Towards building a masquerade detection method based on user file system navigation. In: Batyrshin, I., Sidorov, G. (eds.) MICAI 2011, Part I. LNCS (LNAI), vol. 7094, pp. 174–186. Springer, Heidelberg (2011)

  2. Camiña, J.B., Hernández-Gracidas, C., Monroy, R., Trejo, L.: The windows-users and -intruder simulations logs dataset (WUIL): An experimental framework for masquerade detection mechanisms. Expert Systems with Applications 41(3), 919–930 (2014)

  3. Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16(1), 58–74 (2001)

  4. Razo-Zapata, I., Mex-Perera, C., Monroy, R.: Masquerade attacks based on user’s profile. Journal of Systems and Software 85(11), 2640–2651 (2012)

  5. Pusara, M., Brodley, C.: User re-authentication via mouse movements. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, VizSEC/DMSEC 2004, pp. 1–8. ACM (October 2004)

  6. Killourhy, K., Maxion, R.: Why did my detector do that?! - predicting keystroke-dynamics error rates. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 256–276. Springer, Heidelberg (2010)

  7. Sankaranarayanan, V., Pramanik, S., Upadhyaya, S.: Detecting masquerading users in a document management system. In: Proceedings of the IEEE International Conference on Communications, ICC 2006, vol. 5, pp. 2296–2301. IEEE Computer Society Press (June 2006)

  8. Salem, M.B., Stolfo, S.J.: Modeling user search behavior for masquerade detection. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 181–200. Springer, Heidelberg (2011)

  9. Posadas, R., Mex-Perera, J.C., Monroy, R., Nolazco-Flores, J.A.: Hybrid method for detecting masqueraders using session folding and hidden Markov models. In: Gelbukh, A., Reyes-Garcia, C.A. (eds.) MICAI 2006. LNCS (LNAI), vol. 4293, pp. 622–631. Springer, Heidelberg (2006)

  10. Garg, A., Rahalkar, R., Upadhyaya, S., Kwiat, K.: Profiling users in GUI based systems masquerade detection. In: 2006 IEEE Information Assurance Workshop, pp. 48–54. IEEE Computer Society Press (June 2006)

  11. Weiss, A., Ramapanicker, A., Shah, P., Noble, S., Immohr, L.: Mouse movements biometric identification: A feasibility study. In: Student/Faculty Research Day. CSIS, Pace University, pp. 1–8 (May 2007)

  12. Messerman, A., Mustafic, T., Camtepe, S., Albayrak, S.: Continuous and non-intrusive identity verification in real-time environments based on free-text keystroke dynamics. In: Proceedings of the International Joint Conference on Biometrics, IJCB 2011, pp. 1–8. IEEE Computer Society Press (October 2011)

  13. Song, Y., Ben-Salem, M., Hershkop, S., Stolfo, S.: System level user behavior biometrics using fisher features and gaussian mixture models. In: Security and Privacy Workshops, SPW 2013, pp. 52–59. IEEE Computer Society Press (May 2013)

  14. Denning, D.E.: An intrusion-detection model. IEEE Transactions on Software Engineering 13(2), 222–232 (1987)

  15. Schonlau, M.: Masquerading user data (Matthias Schonlau’s home page) (1998), http://www.schonlau.net

  16. Maxion, R., Townsend, T.: Masquerade detection using truncated command lines. In: Proceedings of the International Conference on Dependable Systems and Networks, DSN 2002, vol. 600, pp. 219–228. IEEE Computer Society Press (June 2002)

  17. Maxion, R.: Masquerade detection using enriched command lines. In: Proceedings of the International Conference on Dependable Systems and Networks, DSN 2003, vol. 22, pp. 5–14. IEEE Computer Society Press (June 2003)

  18. Greenberg, S.: Using Unix: Collected traces of 168 users. Technical Report 88/333/45, Department of Computer Science, University of Calgary (1988)

  19. Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Hershkop, S., Keromytis, A., Sinclair, S., Smith, S.W. (eds.) Insider Attack and Cyber Security: Beyond the Hacker. Advances in Information Security, pp. 69–90. Springer (2008)

  20. Bertacchini, M., Fierens, P.: A survey on masquerader detection approaches. In: Proceedings of V Congreso Iberoamericano de Seguridad Informática, CIBSI 2009. Universidad de la República de Uruguay, pp. 46–60 (November 2009)

  21. Jha, S., Tan, K.M., Maxion, R.A.: Markov chains, classifiers, and intrusion detection. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop, CSFW 2001, pp. 206–219. IEEE Computer Society Press (June 2001)

  22. Killourhy, K., Maxion, R.: Comparing anomaly-detection algorithms for keystroke dynamics. In: Proceedings of the International Conference on Dependable Systems Networks, DSN 2009, pp. 125–134. IEEE Computer Society Press (June 2009)

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Camiña, J.B., Rodríguez, J., Monroy, R. (2014). Towards a Masquerade Detection System Based on User’s Tasks. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_22

  • DOI: https://doi.org/10.1007/978-3-319-11379-1_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11378-4

  • Online ISBN: 978-3-319-11379-1

  • eBook Packages: Computer Science (R0)
