User Profiling for Intrusion Detection in Windows NT

In User Profiling, we observe the normal behavior of computer users and from this seek to automatically learn models that characterize this behavior. Then, for a new session, these models are used either to authenticate the login name or to identify a malicious insider. A related problem is Program Profiling, in which models for the normal activity of an application program are learned and then used to identify attacks. Program Profiling is a somewhat easier problem, because humans do not come with "specs"; compared to programs, our behavior is infinitely less predictable. In fact, a certain level of anomalous activity in human behavior is inevitable and must be taken into account. Most if not all published work on this subject has used command line activity as its data source, collected on a Unix system. In this environment there are multiple ways to do most things, leaving much room for individual expression, yet even so the reported results have been less than stellar. Now consider today's point-and-click world, where command line activity is virtually nonexistent. Even worse, the Windows suite of interlinked applications provides a "path of least resistance", with the result that people look more alike than ever. Add to this the fact that much of the activity occurring on a host, especially if it is networked, is generated by the operating system and is not user related. This requires massive filtering, but how to do it accurately can be far from obvious. These considerations underscore the inherent difficulty of the problem. For nearly two years we have been monitoring real users doing their daily work on an operational Windows NT network. This talk will describe the data we collect and the methods we have used to analyze it, and present the results obtained to date.
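To make the approach sketched above concrete, here is a small added example (my own illustration, not code from the talk or its authors) of the three steps the abstract describes: filtering out operating-system activity, learning a per-user profile from normal sessions, and scoring a new session against that profile with a threshold that tolerates the user's own baseline level of anomaly. Everything in it is an assumption made for the example: the session format (a list of `(process, parent_process)` events), the short list of system service parents used as the filter, the smoothed frequency model, and the constructed sessions for a hypothetical user "alice".

```python
"""Toy user-profiling anomaly detector (added example, not from the talk).

Assumptions made for this example (not from the original abstract):
  - a session is a list of (process_name, parent_process) events;
  - events whose parent is one of a few well-known service hosts are
    treated as OS-generated and filtered out before profiling;
  - a user profile is a Laplace-smoothed frequency distribution over
    process names, and a session is scored by its mean surprise.
"""
from collections import Counter
import math

# Constructed filter list: children of these parents are treated as
# system/service activity rather than interactive user activity.
SYSTEM_PARENTS = {"services.exe", "svchost.exe", "winlogon.exe"}


def filter_user_events(session):
    """Keep only events not spawned by a system service."""
    return [proc for proc, parent in session if parent not in SYSTEM_PARENTS]


def build_profile(sessions):
    """Learn a per-user profile: how often each process is launched."""
    counts = Counter()
    for s in sessions:
        counts.update(filter_user_events(s))
    return {"counts": counts, "total": sum(counts.values())}


def score_session(profile, session, alpha=1.0):
    """Mean negative log-probability per event under the profile.

    Laplace smoothing (alpha) gives never-seen processes a small but
    non-zero probability, so one unfamiliar launch is penalised, not fatal.
    """
    events = filter_user_events(session)
    if not events:
        return 0.0
    vocab = len(profile["counts"]) + 1          # +1 for the "unseen" bucket
    denom = profile["total"] + alpha * vocab
    nll = 0.0
    for proc in events:
        p = (profile["counts"].get(proc, 0) + alpha) / denom
        nll -= math.log(p)
    return nll / len(events)


def calibrate_threshold(profile, training_sessions, tolerance=1.25):
    """Alert threshold relative to the user's own normal sessions.

    The abstract notes that some anomalous behaviour is inevitable, so the
    threshold is the worst training score scaled by a tolerance factor
    rather than a fixed constant.
    """
    worst = max(score_session(profile, s) for s in training_sessions)
    return worst * tolerance


def is_anomalous(profile, session, threshold):
    """True when the session's surprise exceeds the calibrated threshold."""
    return score_session(profile, session) > threshold


# Constructed sample data for a hypothetical user "alice".
TRAINING = {
    "alice": [
        [("winword.exe", "explorer.exe"), ("outlook.exe", "explorer.exe"),
         ("svchost.exe", "services.exe"), ("excel.exe", "explorer.exe")],
        [("outlook.exe", "explorer.exe"), ("iexplore.exe", "explorer.exe"),
         ("winword.exe", "explorer.exe"), ("spoolsv.exe", "services.exe")],
        [("excel.exe", "explorer.exe"), ("outlook.exe", "explorer.exe"),
         ("winword.exe", "explorer.exe")],
    ]
}
# A later session that looks like alice's usual work.
NORMAL_SESSION = [("outlook.exe", "explorer.exe"), ("winword.exe", "explorer.exe"),
                  ("excel.exe", "explorer.exe"), ("iexplore.exe", "explorer.exe")]
# A session under alice's login that mostly launches programs she never uses.
IMPOSTOR_SESSION = [("cmd.exe", "explorer.exe"), ("regedit.exe", "explorer.exe"),
                    ("msaccess.exe", "explorer.exe"), ("outlook.exe", "explorer.exe")]


if __name__ == "__main__":
    prof = build_profile(TRAINING["alice"])
    thr = calibrate_threshold(prof, TRAINING["alice"])
    for name, sess in (("normal", NORMAL_SESSION), ("impostor", IMPOSTOR_SESSION)):
        print(name, round(score_session(prof, sess), 3), is_anomalous(prof, sess, thr))
```

The filter step is deliberately crude (a parent-process allowlist); on a real host the abstract's point is that separating OS-generated activity from user activity is the hard part, and this example only shows where that separation sits in the pipeline.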