Command and Block Profiles for Legitimate Users of a Computer Network

  • Conference paper
Computer Information Systems – Analysis and Technologies

Part of the book series: Communications in Computer and Information Science (CCIS, volume 245)

Abstract

Intruders and masqueraders are a plague in computer networks. To recognize an intruder, one first needs to know what the normal behavior of a legitimate user is. To find this out, we propose building pairs of profiles called ‘command and block profiles’. The Schonlau data (SEA) are used to illustrate the concept and its usability with real data. The analyzed data contain observations for 50 users; for each of them a sequence of 15,000 system calls was recorded. Data for 21 users are pure; data for the remaining 29 users are contaminated with activities of alien (illegitimate) users. We consider only the uncontaminated data (for the 21 users). Five of the 21 investigated users seem to change their profiles during work time. Some trials have shown that the proposed simple method may also recognize a large part of the implanted alien blocks.

© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Bartkowiak, A.M. (2011). Command and Block Profiles for Legitimate Users of a Computer Network. In: Chaki, N., Cortesi, A. (eds) Computer Information Systems – Analysis and Technologies. Communications in Computer and Information Science, vol 245. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27245-5_35

  • DOI: https://doi.org/10.1007/978-3-642-27245-5_35

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27244-8

  • Online ISBN: 978-3-642-27245-5

  • eBook Packages: Computer Science, Computer Science (R0)