A variable-length model for masquerade detection

Masquerade detection is now one of the major concerns of system security research, and its central difficulty is modeling user behavior on nonstationary audit data. Many previous works represent user behavior with fixed-length models. In this paper, we propose a variable-length model to overcome their weakness in the precision and adaptability of user profiling. In the model, the user's normal behavior is profiled by a Markov chain whose states are variable-length sequences. First, multiple shell command streams of different lengths are generated, and the different shell command sequences are hierarchically merged into several sets to form a library of general sequences. Then the variable-length behavioral patterns of a valid user are mined and the Markov chain is constructed. During detection, the probabilities of short state sequences are calculated, smoothed with sliding windows, and finally used to classify the monitored user's activity as normal or abnormal. Our experiments with standard datasets such as the Purdue data and the SEA data show that the proposed model achieves higher detection accuracy, requires less memory and takes less time than other traditional methods, and is amenable to real-time intrusion detection.
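As an added illustration (not the paper's code or data), a simplified Python sketch of the pipeline the abstract describes: frequent variable-length command sequences mined from a constructed training stream serve as Markov states, transition log-probabilities are smoothed with a sliding window, and any window falling below an assumed threshold flags the stream as a masquerade. Frequency-based pattern mining, greedy longest-match segmentation, additive smoothing and the threshold value are all assumptions standing in for the paper's hierarchical merging and tuning steps.

```python
from collections import Counter, defaultdict
from math import log

# Constructed training stream of one legitimate user's shell commands (not the paper's data).
TRAIN = ("ls cd vim make ./a.out ls cd vim make ./a.out git add git commit "
         "ls vim make ./a.out git add git commit ls cd").split()

def mine_patterns(stream, max_len=3, min_count=2):
    """Frequent command sequences of length 1..max_len become the variable-length states.
    (Frequency-based mining is an assumed stand-in for the paper's hierarchical merging.)"""
    counts = Counter(tuple(stream[i:i + n]) for n in range(1, max_len + 1)
                     for i in range(len(stream) - n + 1))
    return {seq for seq, c in counts.items() if c >= min_count or len(seq) == 1}

def tokenize(stream, patterns, max_len=3):
    """Greedy longest-match segmentation of a command stream into states.
    A command never seen in training falls through as its own length-1 state."""
    states, i = [], 0
    while i < len(stream):
        n = min(max_len, len(stream) - i)
        while n > 1 and tuple(stream[i:i + n]) not in patterns:
            n -= 1
        states.append(tuple(stream[i:i + n]))
        i += n
    return states

class VariableLengthMarkov:
    def __init__(self, train, max_len=3, min_count=2, alpha=0.01):
        self.max_len, self.alpha = max_len, alpha
        self.patterns = mine_patterns(train, max_len, min_count)
        self.trans = defaultdict(Counter)  # state -> Counter of following states
        states = tokenize(train, self.patterns, max_len)
        for a, b in zip(states, states[1:]):
            self.trans[a][b] += 1

    def log_prob(self, a, b):
        # Additive smoothing: an unseen transition is penalized but never -inf.
        row = self.trans.get(a, Counter())
        return log((row[b] + self.alpha) / (sum(row.values()) + self.alpha * len(self.patterns)))

    def score(self, stream, window=3):
        """Transition log-probabilities averaged over a sliding window; lower = more anomalous."""
        states = tokenize(stream, self.patterns, self.max_len)
        lp = [self.log_prob(a, b) for a, b in zip(states, states[1:])]
        if len(lp) < window:
            return [sum(lp) / max(1, len(lp))]
        return [sum(lp[i:i + window]) / window for i in range(len(lp) - window + 1)]

    def is_masquerade(self, stream, threshold=-2.0, window=3):
        """Flag the stream if any smoothed window falls below the (assumed, tuned) threshold."""
        return min(self.score(stream, window)) < threshold
```

In practice the threshold and window are tuned on held-out sessions of the valid user so that the false-alarm rate stays acceptable.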
