A masquerade attack, in which one user impersonates another, is among the most serious forms of computer abuse, largely because such attacks are often mounted by insiders and can be very difficult to detect. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior, as represented by user profiles built from users' command histories. A series of experiments performed by Schonlau et al. [12] achieved moderate success in masquerade detection on a data set composed of truncated command lines, i.e., single commands stripped of any accompanying flags, arguments or elements of shell grammar such as pipes or semicolons. Using the same data, Maxion and Townsend [8] improved on the Schonlau et al. results by 56%, raising the detection rate from 39.4% to 61.5% at false-alarm rates near 1%. The present paper extends this work by testing the hypothesis that a limitation of these approaches is their use of truncated command-line data, as opposed to command lines enriched with flags, shell grammar, arguments and information about aliases. Enriched command lines were found to support correct detection at the 82% level, far exceeding previous results, with a corresponding 30% reduction in the overall cost of errors and only a small increase in false alarms. Descriptions of pathological cases illustrate strengths and limitations of both the data and the detection algorithm.
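To make the truncated-versus-enriched distinction concrete, the following is an added example (not the paper's code, data or exact algorithm): a per-user two-class naive Bayes detector with additive smoothing, in the general style of the Maxion and Townsend approach, run once over Schonlau-style truncated tokens and once over enriched tokens. The command histories, the smoothing constant `alpha`, the zero log-odds threshold and all function and class names are constructed for this illustration. A masquerader whose command names overlap the victim's is invisible to the truncated profile, but the flags and arguments in the enriched profile give it away.

```python
"""Toy masquerade detector contrasting truncated and enriched command-line
tokenization.  Added example, not the paper's code or data: a two-class
naive Bayes classifier (self vs. non-self) with additive smoothing; every
command history below is constructed for the illustration.
"""
import math
import re
from collections import Counter

# Shell grammar tokens that separate commands.  Redirection operators are
# left as ordinary tokens to keep the toy tokenizer simple.
GRAMMAR = {"|", "||", ";", "&", "&&"}
_TOKEN_RE = re.compile(r"\|\||&&|[|;&]|[^\s|;&]+")


def tokenize_enriched(line):
    """Keep everything: command names, flags, arguments and shell grammar."""
    return _TOKEN_RE.findall(line)


def tokenize_truncated(line):
    """Schonlau-style truncation: only the command name of each segment
    survives; flags, arguments and shell grammar are dropped."""
    cmds, expect_cmd = [], True
    for tok in tokenize_enriched(line):
        if tok in GRAMMAR:
            expect_cmd = True
        elif expect_cmd:
            cmds.append(tok)
            expect_cmd = False
    return cmds


class NaiveBayesMasqDetector:
    """Scores a block of command lines by log P(block|self) - log P(block|non-self).
    alpha and the zero threshold are assumed values for this example."""

    def __init__(self, tokenizer, alpha=0.5, threshold=0.0):
        self.tokenizer = tokenizer
        self.alpha = alpha
        self.threshold = threshold

    def _counts(self, lines):
        return Counter(t for line in lines for t in self.tokenizer(line))

    def fit(self, self_lines, nonself_lines):
        self.self_counts = self._counts(self_lines)
        self.nonself_counts = self._counts(nonself_lines)
        self.vocab = set(self.self_counts) | set(self.nonself_counts)
        return self

    def _log_prob(self, counts, token):
        # Additive smoothing; a token unseen in both classes still gets alpha mass.
        total = sum(counts.values())
        return math.log((counts[token] + self.alpha) /
                        (total + self.alpha * len(self.vocab)))

    def score(self, block_lines):
        tokens = [t for line in block_lines for t in self.tokenizer(line)]
        return sum(self._log_prob(self.self_counts, t)
                   - self._log_prob(self.nonself_counts, t) for t in tokens)

    def is_masquerade(self, block_lines):
        return self.score(block_lines) < self.threshold


# Constructed histories (not taken from the Greenberg or Schonlau data sets).
USER_A_TRAIN = ["cd src", "ls -l", "vi main.c", "make", "./a.out | less",
                "grep -n TODO main.c", "ls -l", "vi util.c; make", "ls -l"]
USER_B_TRAIN = ["cd thesis", "ls -a", "vi chapter1.tex", "latex chapter1.tex",
                "ls -a", "grep -i lemma chapter1.tex | wc -l",
                "vi notes.tex; latex notes.tex", "cd .."]
# Test blocks: A's own later session, and B typing at A's terminal.  B uses
# the same command names as A (ls, vi, grep) but different flags and files.
SELF_BLOCK = ["ls -l", "vi main.c", "make", "grep -n FIXME util.c"]
MASQ_BLOCK = ["ls -a", "vi chapter2.tex", "grep -i theorem chapter2.tex", "ls -a"]


def run_demo():
    """Return, per tokenization, whether each test block was flagged."""
    results = {}
    for name, tok in (("truncated", tokenize_truncated),
                      ("enriched", tokenize_enriched)):
        det = NaiveBayesMasqDetector(tok).fit(USER_A_TRAIN, USER_B_TRAIN)
        results[name] = {"self_flagged": det.is_masquerade(SELF_BLOCK),
                         "masq_flagged": det.is_masquerade(MASQ_BLOCK),
                         "masq_score": det.score(MASQ_BLOCK)}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:9s} self flagged={r['self_flagged']!s:5s} "
              f"masquerader flagged={r['masq_flagged']!s:5s} "
              f"(masquerader log-odds {r['masq_score']:+.2f})")
```

On this constructed data the truncated detector accepts both blocks (the masquerader's `ls`, `vi`, `grep` are all tokens the victim uses), while the enriched detector accepts the victim's block and flags the masquerader's, driven mainly by the `-a` and `-i` flags that appear only in the non-self profile. Unseen tokens such as `chapter2.tex` contribute almost nothing under additive smoothing, which is the behaviour one wants from argument tokens that are new to both profiles.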
[1] Saul Greenberg et al. Using Unix: Collected Traces of 168 Users. 1988.
[2] Roy A. Maxion et al. Masquerade detection augmented with error analysis. IEEE Transactions on Reliability, 2004.
[3] Thomas G. Dietterich. What is machine learning? Archives of Disease in Childhood, 2020.
[4] Pedro M. Domingos et al. Beyond Independence: Conditions for the Optimality of the Simple Bayesian Classifier. ICML, 1996.
[5] R. Jagannathan et al. A prototype real-time intrusion-detection expert system. Proceedings, 1988 IEEE Symposium on Security and Privacy, 1988.
[6] Roy A. Maxion et al. Masquerade detection using truncated command lines. Proceedings, International Conference on Dependable Systems and Networks, 2002.
[7] Teresa F. Lunt et al. A survey of intrusion detection techniques. Comput. Secur., 1993.
[8] A. Karr et al. Computer Intrusion: Detecting Masquerades. 2001.
[9] Keven G. Ruby et al. The Insider Threat to Information Systems. 2022.
[10] Andrew McCallum et al. A comparison of event models for naive Bayes text classification. AAAI, 1998.
[11] John A. Swets et al. Evaluation of diagnostic systems: methods from signal detection theory. 1982.