Masquerade Detection Using a Taxonomy-Based Multinomial Modeling Approach in UNIX Systems

Abstract

This paper presents one-class Hellinger distance-based and one-class SVM modeling techniques that use a set of features to reveal user intent. The specific objective is to model user command profiles and detect deviations indicating a masquerade attack. The approach aims to model user intent, rather than only modeling sequences of user-issued commands. We hypothesize that each individual user will search in a targeted and limited fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly. Hence, modeling a user's search behavior to detect deviations may more accurately detect masqueraders. To that end, we extend prior research that uses UNIX command sequences issued by users as the audit source by relying upon an abstraction of commands. We devised a taxonomy of UNIX commands that is used to abstract command sequences. The experimental results show that the approach does not lose information and performs comparably to or slightly better than the modeling approach based on simple UNIX command frequencies.
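The sketch below is an added illustration of the general idea in the abstract, not code from the report: commands are abstracted to taxonomy categories, a per-user multinomial profile is estimated from that user's own data only, and a new command block is scored by its Hellinger distance from the profile. The category names, the command-to-category mapping, the block size and the threshold margin are all assumptions, since the report's taxonomy and parameters are not given on this page.

```python
import math
from collections import Counter

# Hypothetical command taxonomy, constructed for this example only.
TAXONOMY = {
    "ls": "info_gathering", "find": "info_gathering", "grep": "info_gathering",
    "locate": "info_gathering", "cat": "info_gathering",
    "vi": "editing", "emacs": "editing",
    "gcc": "development", "make": "development", "gdb": "development",
    "cp": "file_ops", "mv": "file_ops", "rm": "file_ops",
}
CATEGORIES = sorted(set(TAXONOMY.values()) | {"other"})

def category_distribution(commands):
    """Multinomial estimate: relative frequency of each taxonomy category."""
    if not commands:
        raise ValueError("empty command block")
    counts = Counter(TAXONOMY.get(c, "other") for c in commands)
    return [counts[k] / len(commands) for k in CATEGORIES]

def hellinger(p, q):
    """Hellinger distance between two discrete distributions, in [0, 1]."""
    return math.sqrt(0.5 * sum((math.sqrt(a) - math.sqrt(b)) ** 2
                               for a, b in zip(p, q)))

def train(blocks, margin=0.1):
    """One-class training: profile and threshold use the user's own blocks only."""
    profile = category_distribution([c for b in blocks for c in b])
    worst = max(hellinger(category_distribution(b), profile) for b in blocks)
    return profile, worst + margin  # margin is an assumed tuning constant

def is_masquerade(block, profile, threshold):
    """Flag a block whose category mix deviates too far from the profile."""
    return hellinger(category_distribution(block), profile) > threshold

# Constructed sample data: a user who mostly edits and builds code.
TRAIN_BLOCKS = [
    ["vi", "make", "gcc", "vi", "make", "ls", "gdb", "vi", "make", "cp"],
    ["vi", "gcc", "make", "vi", "ls", "vi", "make", "gdb", "mv", "vi"],
    ["make", "vi", "gcc", "vi", "cat", "make", "vi", "gdb", "vi", "rm"],
]
PROFILE, THRESHOLD = train(TRAIN_BLOCKS)
SELF_BLOCK = ["vi", "make", "gcc", "ls", "vi", "make", "gdb", "vi", "cp", "vi"]
# Broad searching, as the abstract hypothesizes for a masquerader.
SEARCH_BLOCK = ["ls", "find", "grep", "cat", "ls", "find", "locate", "cat", "grep", "ls"]

if __name__ == "__main__":
    for name, block in (("self", SELF_BLOCK), ("search-heavy", SEARCH_BLOCK)):
        d = hellinger(category_distribution(block), PROFILE)
        print(f"{name}: distance={d:.3f} flagged={is_masquerade(block, PROFILE, THRESHOLD)}")
```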

Document Details

Document Type
Technical Report
Publication Date
Aug 25, 2008
Accession Number
ADA519454

Entities

People

  • Malek B. Salem
  • Salvatore J. Stolfo

Organizations

  • Columbia University

Tags

DTIC Thesaurus Topics

  • Abstracts
  • Accuracy
  • Algorithms
  • Anomaly Detection
  • Computational Science
  • Computer Science
  • Control Systems
  • Data Sets
  • Detection
  • Detectors
  • Kernel Functions
  • Machine Learning
  • Probability
  • Standards
  • Supervised Machine Learning
  • Test And Evaluation
  • Warning Systems

Fields of Study

  • Computer science

Readers

  • Computer Vision.
  • Regression Analysis.
  • Systems Analysis and Design