Towards Building a Masquerade Detection Method Based on User File System Navigation

Given that information is an extremely valuable asset, it is vital to detect promptly whether one's computer (session) is being illegally seized by a masquerader. Masquerade detection has been actively studied for more than a decade, especially since the seminal work of Schonlau's group, who suggested that, to profile a user, one should model the history of the commands she enters into a UNIX session. Schonlau's group produced a masquerade dataset, which has been the standard for comparing masquerade detection methods. However, the performance of these methods is not conclusive and, as a result, research on masquerade detection has turned to other sources of information for profiling user behaviour. In this paper, we show how to build an accurate user profile by looking at how the user structures her own file system and how she navigates that structure. While preliminary, our results are encouraging and suggest a number of ways in which new methods can be constructed.
