User Modelling for Exclusion and Anomaly Detection: A Behavioural Intrusion Detection System

User models are generally created to personalise information or share user experiences among like-minded individuals. An individual's characteristics are compared to those of some canonical user type, and the user is included in various user groups accordingly. Those user groups might be defined according to academic ability or recreational interests, but the aim is to include the user in relevant groups where appropriate. The user model described here operates on the principle of exclusion, not inclusion, and its purpose is to detect atypical behaviour, checking whether a user falls outside a category rather than inside one. That is, it performs anomaly detection against either an individual user model or a typical user model. Such a principle can be usefully applied in many ways, such as early detection of illness or discovering students with learning issues. In this paper, we apply the anomaly detection principle to the detection of intruders on a computer system masquerading as real users, by comparing the behaviour of the intruder with the expected behaviour of the user as characterised by their user model. This behaviour is captured in characteristics such as typing habits, Web page usage and application usage. An experimental intrusion detection system (IDS) was built with user models reflecting these characteristics, and it was found that comparison with a small number of key characteristics from a user model can very quickly detect anomalies and thus identify an intruder.
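As an added illustration of the exclusion principle described in the abstract (example code, not the paper's own system), the following builds a per-user model from two of the characteristics the paper names, typing rhythm and application usage, and flags a session that falls outside the user's normal range. The sessions, feature choices and thresholds are all constructed assumptions for the demonstration.

```python
# Added example, not from the paper: a minimal behavioural anomaly detector.
# A user model holds a few key characteristics (inter-keystroke latency
# statistics and application-usage frequencies); a new session is flagged when
# it falls OUTSIDE the user's normal range (exclusion, not inclusion).
from collections import Counter
from statistics import mean, stdev

def build_model(sessions):
    """Build a user model from training sessions. Each session is a dict with
    'latencies' (seconds between keystrokes) and 'apps' (applications used)."""
    lat = [x for s in sessions for x in s["latencies"]]
    apps = Counter(a for s in sessions for a in s["apps"])
    total = sum(apps.values())
    return {"lat_mean": mean(lat), "lat_sd": stdev(lat),
            "app_freq": {a: c / total for a, c in apps.items()}}

def score_session(model, session):
    """Return (typing_z, app_distance): z-score of the session's mean latency
    against the model, and total-variation distance between the session's and
    the model's application-usage distributions (0 = identical, 1 = disjoint)."""
    sd = max(model["lat_sd"], 1e-9)            # guard against a zero-variance model
    z = abs(mean(session["latencies"]) - model["lat_mean"]) / sd
    cnt = Counter(session["apps"])
    n = sum(cnt.values())
    keys = set(cnt) | set(model["app_freq"])
    tv = 0.5 * sum(abs(cnt.get(a, 0) / n - model["app_freq"].get(a, 0.0)) for a in keys)
    return z, tv

def is_anomalous(model, session, z_max=3.0, tv_max=0.5):
    """Flag the session if EITHER characteristic is outside the user's range.
    Thresholds are assumptions for this example, not values from the paper."""
    z, tv = score_session(model, session)
    return z > z_max or tv > tv_max

# Constructed training data for one user: a fast typist who mostly uses an
# editor and a browser.
TRAINING = [
    {"latencies": [0.18, 0.21, 0.19, 0.22, 0.20], "apps": ["editor", "editor", "browser"]},
    {"latencies": [0.20, 0.19, 0.23, 0.21, 0.18], "apps": ["editor", "browser", "mail"]},
    {"latencies": [0.22, 0.20, 0.19, 0.21, 0.20], "apps": ["editor", "editor", "browser"]},
]
MODEL = build_model(TRAINING)

# Constructed test sessions: the genuine user again, and a masquerader whose
# typing rhythm and application mix differ sharply from the model.
GENUINE = {"latencies": [0.19, 0.21, 0.20, 0.22, 0.20], "apps": ["editor", "browser", "editor"]}
MASQUERADER = {"latencies": [0.45, 0.52, 0.48, 0.50, 0.47], "apps": ["shell", "shell", "shell"]}

if __name__ == "__main__":
    for name, s in (("genuine", GENUINE), ("masquerader", MASQUERADER)):
        print(name, score_session(MODEL, s), "anomalous" if is_anomalous(MODEL, s) else "normal")
```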
