Masquerade Detection Using Command Prediction and Association Rules Mining

Masqueraders commonly impersonate a legitimate user's account to gain access to computer systems that they are not authorized to enter. Users normally exhibit some regularity in their behavior, such as command usage. We propose a new approach that mines a user's command associations. Since each user may have different usage behavior, using one user's mined behavior pattern to predict a masquerader's next command will result in a low success rate. We devise an algorithm to identify masqueraders by evaluating the accuracy of the predictions. Furthermore, our detection method can be used in real time, without having to wait for a log of a large number of commands. Experimental results show that association rules mining performs very well in detecting masqueraders.
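The idea in the abstract can be sketched as follows. This is an added, simplified example and not the paper's algorithm: the rule form (two preceding commands imply the next one), the support and confidence cut-offs, the 0.4 accuracy threshold, and all command sequences are assumptions constructed for illustration.

```python
from collections import Counter

def mine_rules(history, k=2, min_support=2, min_conf=0.5):
    """Mine rules 'k preceding commands -> next command' from one user's history."""
    ctx_counts, pair_counts = Counter(), Counter()
    for i in range(len(history) - k):
        ctx = tuple(history[i:i + k])
        ctx_counts[ctx] += 1
        pair_counts[(ctx, history[i + k])] += 1
    rules = {}
    for (ctx, nxt), n in pair_counts.items():
        conf = n / ctx_counts[ctx]
        # Keep only frequent, confident rules; one best prediction per context.
        if n >= min_support and conf >= min_conf:
            if ctx not in rules or conf > rules[ctx][1]:
                rules[ctx] = (nxt, conf)
    return rules

def prediction_accuracy(rules, session, k=2):
    """Share of next-command predictions that were right.
    A context with no rule counts as a miss (unfamiliar behavior)."""
    hits = total = 0
    for i in range(len(session) - k):
        total += 1
        pred = rules.get(tuple(session[i:i + k]))
        if pred and pred[0] == session[i + k]:
            hits += 1
    return hits / total if total else 0.0

def is_masquerade(rules, session, threshold=0.4, k=2):
    """Flag a session when the profile predicts it poorly (assumed threshold)."""
    return prediction_accuracy(rules, session, k) < threshold

# Constructed sample data: the account owner's training history ...
TRAIN = ["cd", "ls", "vim", "make", "git"] * 6 + ["cd", "ls", "less"]
# ... a short session by the same user, and one by somebody else.
LEGIT = ["cd", "ls", "vim", "make", "git", "cd", "ls", "less", "make"]
OTHER = ["ps", "who", "cat", "grep", "find", "cd", "ls", "cat", "grep"]

if __name__ == "__main__":
    rules = mine_rules(TRAIN)
    for name, session in (("legit", LEGIT), ("other", OTHER)):
        acc = prediction_accuracy(rules, session)
        print(f"{name}: accuracy={acc:.2f} masquerade={is_masquerade(rules, session)}")
```

Because the score is computed over a window of only a few commands, the check can run as commands arrive instead of after a long log has accumulated.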
