Towards Building a Masquerade Detection Method Based on User File System Navigation

  • Conference paper
Advances in Artificial Intelligence (MICAI 2011)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 7094)

Abstract

Given that information is an extremely valuable asset, it is vital to detect promptly whether one’s computer (session) is being illegally seized by a masquerader. Masquerade detection has been actively studied for more than a decade, especially after the seminal work of Schonlau’s group, who suggested that, to profile a user, one should model the history of the commands she would enter into a UNIX session. Schonlau’s group has produced a masquerade dataset, which has been the standard for comparing masquerade detection methods. However, the performance of these methods is not conclusive, and, as a result, research on masquerade detection has resorted to other sources of information for profiling user behaviour. In this paper, we show how to build an accurate user profile by looking into how the user structures her own file system and how she navigates that structure. While preliminary, our results are encouraging and suggest a number of ways in which new methods can be constructed.

© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Camiña, B., Monroy, R., Trejo, L.A., Sánchez, E. (2011). Towards Building a Masquerade Detection Method Based on User File System Navigation. In: Batyrshin, I., Sidorov, G. (eds) Advances in Artificial Intelligence. MICAI 2011. Lecture Notes in Computer Science, vol 7094. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25324-9_15

  • DOI: https://doi.org/10.1007/978-3-642-25324-9_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25323-2

  • Online ISBN: 978-3-642-25324-9

  • eBook Packages: Computer Science (R0)
