Abstract
A masquerade attack (also called an impersonation attack) is an act in which an illegitimate user gains the unauthorized privileges of a legitimate user on a system. Detecting these attacks is particularly difficult because most of them are carried out by insiders. A masquerade attack is detected by profiling the user's system usage: if the current behavior deviates from the user's normal profile, the session is flagged as a masquerader. Most previous research relies on command-line data (commands, logs and system calls) or on GUI usage analysis (keyboard and mouse activity). Neither source captures the complete event behavior of a user, because users are not confined to a single application during a session, so it is very difficult for the existing systems to detect a masquerader. In this paper we propose a new framework that captures event data across multiple applications to build the user profile, and we have developed our own tool to collect that data. Our experimental results show that the framework detects masqueraders better than the existing methods. We applied four classifiers, K-Nearest Neighbor, SVM, BayesNet and Naïve Bayes, to the collected user profiles; our results show that K-NN is the best classifier for the collected multi-application GUI data.
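The abstract describes the pipeline only at a high level: events are collected across several applications, turned into a per-user profile, and a classifier (K-NN performing best) decides whether a session belongs to the logged-in user. The following is an added illustration of that pipeline, not the authors' tool or code: the application and event-kind vocabulary, the frequency-vector feature scheme, the session data and the `max_dist` threshold are all constructed assumptions. It goes slightly beyond the abstract by also flagging a session that is far from every profile in the training set, which a plain majority vote would otherwise assign to whichever user happens to be nearest.

```python
from collections import Counter
from math import sqrt

# Assumed vocabulary of what a multi-application capture tool might record.
APPS = ["browser", "editor", "mail", "terminal", "spreadsheet"]
KINDS = ["key", "mouse"]


def session_vector(events):
    """Turn a list of (app, kind) events into a normalised frequency vector.

    One dimension per (application, event kind) pair, so activity spread
    across several applications ends up in a single profile vector.
    """
    counts = Counter(events)
    total = len(events) or 1
    return [counts[(app, kind)] / total for app in APPS for kind in KINDS]


def expand(counts):
    """Constructed helper: {(app, kind): n} -> flat list of n events each."""
    events = []
    for key, n in counts.items():
        events.extend([key] * n)
    return events


# Constructed training sessions (not the paper's data). "alice" works in the
# editor and terminal and types a lot; "bob" lives in the browser and mail
# client and mostly uses the mouse.
TRAINING = [
    (user, session_vector(expand(counts)))
    for user, counts in [
        ("alice", {("editor", "key"): 60, ("editor", "mouse"): 10, ("terminal", "key"): 40,
                   ("browser", "mouse"): 8, ("mail", "key"): 5}),
        ("alice", {("editor", "key"): 55, ("editor", "mouse"): 12, ("terminal", "key"): 45,
                   ("browser", "mouse"): 5, ("mail", "key"): 6}),
        ("alice", {("editor", "key"): 70, ("editor", "mouse"): 8, ("terminal", "key"): 30,
                   ("browser", "mouse"): 10, ("spreadsheet", "key"): 3}),
        ("bob", {("browser", "mouse"): 50, ("browser", "key"): 15, ("mail", "mouse"): 30,
                 ("mail", "key"): 20, ("spreadsheet", "mouse"): 10}),
        ("bob", {("browser", "mouse"): 45, ("browser", "key"): 20, ("mail", "mouse"): 35,
                 ("mail", "key"): 15, ("spreadsheet", "mouse"): 12}),
        ("bob", {("browser", "mouse"): 55, ("browser", "key"): 10, ("mail", "mouse"): 25,
                 ("mail", "key"): 25, ("editor", "mouse"): 4}),
    ]
]

# Constructed sessions to evaluate, all observed under alice's login.
GENUINE_SESSION = expand({("editor", "key"): 62, ("editor", "mouse"): 9, ("terminal", "key"): 38,
                          ("browser", "mouse"): 7, ("mail", "key"): 5})
IMPOSTOR_SESSION = expand({("browser", "mouse"): 48, ("browser", "key"): 18, ("mail", "mouse"): 28,
                           ("mail", "key"): 18, ("spreadsheet", "mouse"): 9})
OUTSIDER_SESSION = expand({("spreadsheet", "key"): 70, ("spreadsheet", "mouse"): 30})


def euclid(u, v):
    return sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def knn_predict(vec, training=TRAINING, k=3):
    """Plain K-NN: majority label among the k closest training profiles."""
    nearest = sorted(training, key=lambda t: euclid(vec, t[1]))[:k]
    votes = Counter(user for user, _ in nearest)
    return votes.most_common(1)[0][0]


def is_masquerader(claimed_user, events, training=TRAINING, k=3, max_dist=0.25):
    """Flag a session when K-NN attributes it to someone other than the
    logged-in user, or when it is farther than max_dist (assumed value)
    from every known session of that user, i.e. it matches nobody well."""
    vec = session_vector(events)
    predicted = knn_predict(vec, training, k)
    own = [euclid(vec, v) for user, v in training if user == claimed_user]
    nearest_own = min(own) if own else float("inf")
    return predicted != claimed_user or nearest_own > max_dist


if __name__ == "__main__":
    for name, session in [("genuine", GENUINE_SESSION),
                          ("impostor", IMPOSTOR_SESSION),
                          ("outsider", OUTSIDER_SESSION)]:
        print(name, "->", "masquerader" if is_masquerader("alice", session) else "ok")
```

In a real deployment the vocabulary would be the application names and event types the capture tool actually emits, profiles would be built from many sessions per user, and `k` and `max_dist` would be tuned on held-out data to balance false alarms against missed masqueraders.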
© 2011 Springer-Verlag Berlin Heidelberg
Saljooghinejad, H., Rathore, W.N. (2011). Multi Application User Profiling for Masquerade Attack Detection. In: Abraham, A., Lloret Mauri, J., Buford, J.F., Suzuki, J., Thampi, S.M. (eds) Advances in Computing and Communications. ACC 2011. Communications in Computer and Information Science, vol 191. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22714-1_70
DOI: https://doi.org/10.1007/978-3-642-22714-1_70
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22713-4
Online ISBN: 978-3-642-22714-1