User Modelling for Exclusion and Anomaly Detection: A Behavioural Intrusion Detection System

  • Conference paper
User Modeling, Adaptation, and Personalization (UMAP 2010)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 6075)

Abstract

User models are generally created to personalise information or share user experiences among like-minded individuals. An individual’s characteristics are compared to those of some canonical user type, and the user included in various user groups accordingly. Those user groups might be defined according to academic ability or recreational interests, but the aim is to include the user in relevant groups where appropriate. The user model described here operates on the principle of exclusion, not inclusion, and its purpose is to detect atypical behaviour, seeing if a user falls outside a category, rather than inside one. That is, it performs anomaly detection against either an individual user model or a typical user model. Such a principle can be usefully applied in many ways, such as early detection of illness, or discovering students with learning issues. In this paper, we apply the anomaly detection principle to the detection of intruders on a computer system masquerading as real users, by comparing the behaviour of the intruder with the expected behaviour of the user as characterised by their user model. This behaviour is captured in characteristics such as typing habits, Web page usage and application usage. An experimental intrusion detection system (IDS) was built with user models reflecting these characteristics, and it was found that comparison with a small number of key characteristics from a user model can very quickly detect anomalies and thus identify an intruder.

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pannell, G., Ashman, H. (2010). User Modelling for Exclusion and Anomaly Detection: A Behavioural Intrusion Detection System. In: De Bra, P., Kobsa, A., Chin, D. (eds) User Modeling, Adaptation, and Personalization. UMAP 2010. Lecture Notes in Computer Science, vol 6075. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13470-8_20

  • DOI: https://doi.org/10.1007/978-3-642-13470-8_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-13469-2

  • Online ISBN: 978-3-642-13470-8

  • eBook Packages: Computer Science (R0)