User Behavior Analysis in Masquerade Detection Using Principal Component Analysis

Network attackers usually compromise a legitimate user account to gain access to a host computer. To detect and prevent this kind of attack, it is typical to build an anomaly intrusion detection system (AIDS) that distinguishes a legitimate user from an intruder, called a masquerader. One important hypothesis behind this type of detection is that different users exhibit different behavior in their online activities, so that user behavior can be captured and compared. The effectiveness of an AIDS depends on the quality of the training data, and many prior studies encounter the problem of low hit rates and high false-alarm rates. In this paper, we study the relationship between user behavior, in terms of operating-system commands, and the success rate of detection. We first use principal component analysis (PCA) to select the commands that are most effective in distinguishing users. Then we use these commands to classify users into categories. Our analysis shows a strong correlation between the false rate and the distance between these categories.
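As an added illustration (not code from the paper), the following script carries out the two steps the abstract describes on constructed data: it builds per-session command-frequency vectors for two hypothetical users, ranks commands by their loading on the first principal component to pick the ones that separate the users, and then measures the distance between the two user centroids in the reduced command space. The sessions, the two user names and the eight-command vocabulary are all assumptions made for the example.

```python
from math import sqrt

# Constructed audit data (hypothetical): per user, a few sessions of shell commands.
SESSIONS = {
    "dev":   ["ls cd vim gcc make make vim ls cd gcc",
              "cd vim gcc make vim gcc ls make vim cd",
              "ls vim make gcc vim make cd gcc ls vim"],
    "admin": ["ls cd ssh tar cat ssh ls tar cat cd",
              "cd ssh cat tar ssh ls tar cat ssh cd",
              "ls ssh tar cat ssh tar ls cat ssh cd"],
}
VOCAB = ["ls", "cd", "cat", "gcc", "make", "vim", "ssh", "tar"]

def freq_vector(session):
    """Relative frequency of each vocabulary command in one session."""
    cmds = session.split()
    return [cmds.count(c) / len(cmds) for c in VOCAB]

def first_pc(rows, iters=200):
    """Loadings of the first principal component (power iteration, pure Python)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    x = [[r[j] - mean[j] for j in range(d)] for r in rows]
    cov = [[sum(r[i] * r[j] for r in x) / (n - 1) for j in range(d)]
           for i in range(d)]
    # Start vector: not all-ones, which lies in cov's null space (frequencies sum to 1).
    v = [float(j + 1) for j in range(d)]
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = sqrt(sum(c * c for c in w))
        v = [c / norm for c in w]
    return v

def select_commands(k):
    """The k commands with the largest |PC1 loading|: those that contribute
    most to the direction along which the users differ."""
    rows = [freq_vector(s) for ss in SESSIONS.values() for s in ss]
    loadings = dict(zip(VOCAB, first_pc(rows)))
    ranked = sorted(VOCAB, key=lambda c: -abs(loadings[c]))
    return ranked[:k], loadings

def centroid_distance(commands):
    """Euclidean distance between the two users' mean frequency vectors,
    restricted to the selected commands (the 'distance between categories')."""
    idx = [VOCAB.index(c) for c in commands]
    cents = []
    for ss in SESSIONS.values():
        vecs = [freq_vector(s) for s in ss]
        cents.append([sum(v[i] for v in vecs) / len(vecs) for i in idx])
    return sqrt(sum((a - b) ** 2 for a, b in zip(*cents)))
```

Commands both users run at the same rate (`ls`, `cd`) receive near-zero loadings and add nothing to the centroid separation, which is the intuition behind discarding them before classification.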
