Bagging-TPMiner: a classifier ensemble for masquerader detection based on typical objects

The goal of a masquerade detection system is to determine whether a given computer activity does not correspond to the target user and thereby infer that a masquerader has stolen that user's computer session. Masquerade detection should be addressed as a one-class classification problem, in which only information about the genuine user is available for classifier construction. This may be mandatory when it is difficult to account for all types of attack patterns or to collect enough evidence of them. In this paper, we introduce a masquerader detection method named Bagging-TPMiner, a one-class classifier ensemble. As the name suggests, Bagging-TPMiner bootstraps the training dataset of genuine user behavior in order to find typical objects. In the classification phase, it labels a new sample of computer behavior as a masquerade if that behavior is distinct from the typical objects. Critically, unlike existing clustering techniques, Bagging-TPMiner gives similar attention to both types of regions, dense and sparse, thus capturing the (hidden) structure of ordinary user behavior. We have successfully tested Bagging-TPMiner on WUIL, a repository of datasets for masquerader detection that contain more faithful masquerade attempts. Our experimental results show that Bagging-TPMiner improves classification accuracy when compared to other classifiers and that it is significantly better at identifying bursts of attacks, called persistent attacks, or at continuously updating from prior mistakes.
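To make the one-class ensemble idea concrete, the following is an added illustration written for this page, not the authors' Bagging-TPMiner implementation: each member is fitted on a bootstrap resample of genuine sessions only, "typical objects" are picked by an assumed greedy k-center rule (so a sparse region gets its own representative rather than being absorbed by the dense one), the per-member threshold is assumed to be the largest distance any genuine session has to its nearest typical object, and members vote by majority. The two-dimensional session vectors are constructed for the example.

```python
import random

# Constructed 2-D behaviour vectors for ONE genuine user, e.g. mean directory
# depth and distinct-directory count per session (scaled to 0..10). They are
# made up for this example: a dense cluster of routine sessions plus a small,
# sparse group of rarer but still legitimate sessions.
USER_SESSIONS = [
    (1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.3), (0.9, 0.7), (1.3, 1.2),
    (1.0, 1.4), (0.7, 0.9), (1.2, 1.1), (1.1, 0.8),          # dense region
    (6.0, 6.0), (6.5, 5.8), (5.7, 6.3),                      # sparse region
]

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def typical_objects(objs, k):
    """Pick k representatives (assumed rule): the medoid first, then greedily
    the object farthest from the chosen set (k-center), so a sparse region
    gets its own typical object instead of being absorbed by the dense one."""
    objs = list(dict.fromkeys(objs))              # drop bootstrap duplicates
    centers = [min(objs, key=lambda o: sum(dist(o, p) for p in objs))]
    while len(centers) < min(k, len(objs)):
        centers.append(max(objs, key=lambda o: min(dist(o, c) for c in centers)))
    return centers

class BaggedTypicalityDetector:
    """One-class ensemble: every member is trained on a bootstrap resample of
    genuine sessions only and votes 'masquerade' when a session lies farther
    from its typical objects than any genuine training session did."""
    def __init__(self, n_members=15, k=3, seed=0):
        self.n_members, self.k, self.rng = n_members, k, random.Random(seed)
        self.members = []                           # (typical objects, threshold)

    def fit(self, sessions):
        self.members = []
        for _ in range(self.n_members):
            bag = self.rng.choices(sessions, k=len(sessions))   # bootstrap sample
            centers = typical_objects(bag, self.k)
            threshold = max(min(dist(s, c) for c in centers) for s in sessions)
            self.members.append((centers, threshold))
        return self

    def is_masquerade(self, session):
        votes = sum(min(dist(session, c) for c in centers) > thr
                    for centers, thr in self.members)
        return 2 * votes > len(self.members)        # majority vote

if __name__ == "__main__":
    det = BaggedTypicalityDetector().fit(USER_SESSIONS)
    for s in [(1.05, 1.05), (6.0, 6.1), (9.0, 1.0)]:
        print(s, "masquerade" if det.is_masquerade(s) else "genuine")
```

A session near the sparse group is accepted because that group has its own typical object, whereas a single-centroid model would have rejected it along with the true outlier.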
