Dynamic Sample Size Detection in Learning Command Line Sequence for Continuous Authentication

Continuous authentication (CA) consists of authenticating the user repeatedly throughout a session, with the goal of detecting and protecting against session hijacking attacks. While the accuracy of the detector is central to the success of CA, the detection delay, i.e., the length of an individual authentication period, is important as well, since it measures the window of vulnerability of the system. However, high accuracy and small detection delay are conflicting requirements that need to be balanced for optimum detection. In this paper, we propose the use of a sequential sampling technique to achieve optimum detection by trading off adequately between detection delay and accuracy in the CA process. We illustrate our approach through CA based on user command line sequences and a naïve Bayes classification scheme. Experimental evaluation using the Greenberg data set yields encouraging results: a false acceptance rate (FAR) of 11.78% and a false rejection rate (FRR) of 1.33%, with an average command sequence length (i.e., detection delay) of 37 commands. When using the Schonlau (SEA) data set, we obtain FAR = 4.28% and FRR = 12%.
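The abstract does not state which sequential sampling rule the paper uses. As an added illustration (not the paper's code), the sketch below assumes Wald's sequential probability ratio test over a Laplace-smoothed naïve Bayes command model, with constructed command histories and hypothetical function names, to show how the number of commands needed for a decision follows from the target error rates.

```python
import math
from collections import Counter

def train(commands, vocab, k=1.0):
    """Laplace-smoothed log P(command | profile) over a fixed vocabulary."""
    counts = Counter(commands)
    total = len(commands) + k * len(vocab)
    return {c: math.log((counts[c] + k) / total) for c in vocab}

def sprt(stream, user_lp, other_lp, alpha=0.05, beta=0.05, max_len=100):
    """Sequential test on the naive Bayes log-likelihood ratio (assumed rule).
    H0: commands come from the enrolled user; H1: from someone else.
    alpha = target false rejection rate, beta = target false acceptance rate.
    Returns (decision, commands_consumed); the count is the detection delay."""
    upper = math.log((1 - beta) / alpha)   # crossing it rejects the session
    lower = math.log(beta / (1 - alpha))   # crossing it accepts the session
    # Commands outside the vocabulary get the same score under both models,
    # so they add nothing to the ratio.
    unseen = min(min(user_lp.values()), min(other_lp.values()))
    llr, n = 0.0, 0
    for n, cmd in enumerate(stream, start=1):
        llr += other_lp.get(cmd, unseen) - user_lp.get(cmd, unseen)
        if llr >= upper:
            return "reject", n
        if llr <= lower:
            return "accept", n
        if n >= max_len:               # cap the window of vulnerability
            break
    return "undecided", n

# Constructed sample data, not taken from the Greenberg or SEA data sets.
VOCAB = ["ls", "cd", "vi", "make", "gcc", "git", "cat",
         "nmap", "wget", "ssh", "chmod", "tar"]
USER_LP = train(["ls", "cd", "vi", "make", "gcc", "git", "cat"] * 20, VOCAB)
OTHER_LP = train(["ls", "cd", "cat", "nmap", "wget", "ssh", "chmod", "tar"] * 20,
                 VOCAB)
GENUINE = ["ls", "cd", "vi", "make", "gcc", "git", "ls"]
IMPOSTOR = ["ls", "nmap", "wget", "ssh", "tar"]

if __name__ == "__main__":
    print(sprt(GENUINE, USER_LP, OTHER_LP))                  # loose targets
    print(sprt(IMPOSTOR, USER_LP, OTHER_LP))
    print(sprt(IMPOSTOR, USER_LP, OTHER_LP, 0.001, 0.001))   # stricter targets
```

Tightening `alpha` and `beta` widens the gap between the two thresholds, so the same session needs more commands before a decision is reached.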
