
Multi Application User Profiling for Masquerade Attack Detection

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 191))

Abstract

A masquerade (or impersonation) attack is one in which an illegitimate user acquires and exercises the privileges of a legitimate account on the system. Such attacks are hard to detect because most of them are carried out by insiders. Masquerade detection works by profiling each user's system usage: when the current behaviour deviates from the user's established profile, the session is flagged as a masquerade. Most prior work has used command-line data (commands, logs, system calls) or GUI usage analysis (keyboard and mouse activity). Neither source captures the user's complete event behaviour, because users do not stay within a single application during a session, so masqueraders are hard to detect with the existing systems. In this paper we propose a new framework that captures event data across multiple applications to build the user profile, and we have developed our own tool to collect this data. Our experimental results show that the framework detects masqueraders better than existing methods. We applied four classifiers, k-Nearest Neighbour, SVM, BayesNet and Naïve Bayes, to the collected user profiles; k-NN performed best on the multi-application GUI data.
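The pipeline the abstract describes (collect GUI events across several applications, turn each session into a per-user profile, classify with k-NN, flag a session whose predicted user disagrees with the login) can be illustrated end to end. The following is an added example and is not the authors' tool or data: the event format (`ts user app event`), the per-user habit tables, the feature set (distribution over application/event pairs plus an application-switch rate) and all sessions are constructed assumptions, and the classifier is a plain Euclidean k-NN written inline.

```python
"""Added example (not the paper's tool): multi-application GUI profiling
with a k-NN masquerade check over constructed event records."""
import math
import random
from collections import Counter

APPS = ("browser", "editor", "mail", "terminal")
EVENTS = ("key", "click", "move")

# Assumed usage habits per user (constructed): P(app) and P(event) per user.
HABITS = {
    "alice": {"browser": 0.2, "editor": 0.6, "mail": 0.1, "terminal": 0.1},
    "bob":   {"browser": 0.5, "editor": 0.1, "mail": 0.3, "terminal": 0.1},
    "carol": {"browser": 0.1, "editor": 0.2, "mail": 0.2, "terminal": 0.5},
}
EVENT_MIX = {"alice": (0.7, 0.2, 0.1), "bob": (0.3, 0.4, 0.3), "carol": (0.8, 0.15, 0.05)}


def synth_session(user, n, rng):
    """Constructed event log: one 'ts user app event' line per GUI event."""
    apps, weights = zip(*HABITS[user].items())
    lines = []
    for ts in range(n):
        app = rng.choices(apps, weights=weights)[0]
        ev = rng.choices(EVENTS, weights=EVENT_MIX[user])[0]
        lines.append(f"{ts} {user} {app} {ev}")
    return lines


def featurize(lines):
    """Profile vector: fraction of events per (app, event) pair, plus the
    rate at which the user switches between applications."""
    pairs = Counter()
    switches, prev = 0, None
    for line in lines:
        _, _, app, ev = line.split()
        pairs[(app, ev)] += 1
        if prev is not None and app != prev:
            switches += 1
        prev = app
    n = sum(pairs.values())
    vec = [pairs[(a, e)] / n for a in APPS for e in EVENTS]
    vec.append(switches / max(n - 1, 1))
    return vec


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train, vec, k=3):
    """Majority vote among the k training profiles closest to vec."""
    nearest = sorted(train, key=lambda t: euclid(t[0], vec))[:k]
    return Counter(user for _, user in nearest).most_common(1)[0][0]


def build_training(sessions_per_user=5, n=200, seed=7):
    """Labelled profiles from several genuine sessions per user."""
    rng = random.Random(seed)
    train = []
    for user in HABITS:
        for _ in range(sessions_per_user):
            train.append((featurize(synth_session(user, n, rng)), user))
    return train


def is_masquerade(train, claimed_user, lines, k=3):
    """Flag the session when the k-NN vote disagrees with the login name."""
    return knn_predict(train, featurize(lines), k) != claimed_user


def demo(seed=42):
    """Returns (genuine_flagged, impostor_flagged) for two test sessions."""
    train = build_training()
    rng = random.Random(seed)
    genuine = synth_session("alice", 200, rng)
    # Bob's behaviour under alice's login: the masquerade case.
    impostor = [l.replace(" bob ", " alice ", 1) for l in synth_session("bob", 200, rng)]
    return is_masquerade(train, "alice", genuine), is_masquerade(train, "alice", impostor)


if __name__ == "__main__":
    genuine_flag, impostor_flag = demo()
    print("genuine session flagged:", genuine_flag)
    print("impostor session flagged:", impostor_flag)
```

The point the example makes is the one the abstract argues: the per-application mix of events is what separates users, so a profile built from a single application would discard most of the signal. In practice the habit tables would be replaced by real captured sessions, k and the feature set would be tuned on held-out genuine sessions to control the false-alarm rate, and a distance threshold against the claimed user's own profiles would be added so that a session unlike every known user is still flagged.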




© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Saljooghinejad, H., Rathore, W.N. (2011). Multi Application User Profiling for Masquerade Attack Detection. In: Abraham, A., Lloret Mauri, J., Buford, J.F., Suzuki, J., Thampi, S.M. (eds) Advances in Computing and Communications. ACC 2011. Communications in Computer and Information Science, vol 191. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22714-1_70


  • DOI: https://doi.org/10.1007/978-3-642-22714-1_70

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22713-4

  • Online ISBN: 978-3-642-22714-1
