Masquerade Detection Based Upon GUI User Profiling in Linux Systems

Bhukya, Wilson Naik; Kommuru, Suneel Kumar; Negi, Atul

doi:10.1007/978-3-540-76929-3_21

Cited by 10 publications

(5 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, their detection rate was not impressive. [2] designed a logger in the KDE environment. The disadvantages of their work were that they collected data only from a single window and did not consider the complexity of profiling multi applications.…”

Section: Background and Related Workmentioning

confidence: 99%

Layered Security Architecture for Masquerade Attack Detection

Saljooghinejad

Bhukya

2012

Data and Applications Security and Privacy XXVI

Self Cite

View full text Add to dashboard Cite

Abstract. Masquerade attack refers to an attack that uses a fake identity, to gain unauthorized access to personal computer information through legitimate access identification. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior. If a user's normal profile deviates from their original behavior, it could potentially signal an ongoing masquerade attack. In this paper we proposed a new framework to capture data in a comprehensive manner by collecting data in different layers across multiple applications. Our approach generates feature vectors which contain the output gained from analysis across multiple layers such as Window Data, Mouse Data, Keyboard Data, Command Line Data, File Access Data and Authentication Data. We evaluated our approach by several experiments with a significant number of participants. Our experimental results show better detection rates with acceptable false positives which none of the earlier approaches has achieved this level of accuracy so far. Keywords:Masquerade Detection, Intrusion Detection System, Anomaly Detection, User Profiling. IntroductionMasquerade attacks are ranked second on the top five lists of electronic crimes perpetrated after viruses, worms or other malicious code attacks. The most common information, which can be used to detect masquerade attacks, is contained within the actions a masquerader performs. This set of actions is known as a behavioral profile. Behavior is not something that can be easily stolen. Masquerade detection techniques are based on the premise that when a masquerader attacks the system he will sufficiently deviate from the user's behavior and thus can be recognized using machine learning techniques [9]. In this paper we demonstrate an approach for detecting masqueraders in an efficient manner. We show how multiple layers of user data records together can construct a meaningful behavioral profile in order to have better detection results. The paper is organized as follows: next section introduces the related works on masquerade detection. Then, we describe architecture for the layered approach, which is followed by the experimental designs including data collection, feature extraction, learning and classification phases. Results of several experiments and conclusion are presented in last sections.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Layered Security Architecture for Masquerade Attack Detection

Saljooghinejad

Bhukya

2012

Data and Applications Security and Privacy XXVI

Self Cite

View full text Add to dashboard Cite

show abstract

“…Apart from command‐based masquerade detection, some researchers 27–29 investigate GUI analysis for masquerade detection. But, in this paper we concentrate on masquerade detection based on UNIX command data.…”

Section: Masquerade Detection Approachesmentioning

confidence: 99%

Adaptive Naive Bayes method for masquerade detection

Dash

Reddy

Pujari

2011

Security Comm Networks

View full text Add to dashboard Cite

Recently, researchers have proposed efficient detection mechanisms for masquerade attacks. Most of these techniques use machine learning methods to learn the behavioral patterns of users and to check if an observed behavior conforms to the learnt behavior of a user. Masquerade attack is detected when the observed behavior, reportedly of a specific user, does not match with the learnt pattern of this user's past data. A major shortcoming in this process is that the user may legitimately deviate temporarily from its past behavior. If the deviation is large and near-permanent, it is desirable that such deviations are captured in a detection mechanism. We propose, in this paper, a method that takes into consideration this aspect of user behavior while detecting masquerade attacks. Our scheme is based on the premise that the commands used by a legitimate user or an attacker may differ from the trained signature. But the deviation of the legitimate user is momentary whereas that of an attacker persists longer. By introducing this novel concept in the detection mechanism, the performance improves. We show this empirically using several benchmark datasets.

show abstract

“…Some researchers used Schonlau dataset to detect intrusion attacks using various techniques [5]. There also exists a lot of research work in the area of masquerade detection, which is a specific case of anomaly-based intrusion detection [3,4,9,17].…”

Section: Intrusion Detectionmentioning

confidence: 99%

“…However, these techniques are not directly applicable to modern GUI-based systems, where typical user activities include mouse movements and keystrokes. Thus, command line data alone cannot efficiently detect intrusion attacks on such systems [4].…”

Section: Chapter 1 Introductionmentioning

confidence: 99%

See 1 more Smart Citation

User Profiling in GUI based Windows Systems for Intrusion Detection

Agrawal

View full text Add to dashboard Cite

User Profiling in GUI based Windows Systems for Intrusion Detection by Arshi Agrawal Intrusion detection is the process of identifying any unauthorized access to a system. This process inspects user behavior to identify any possible attack or intrusion. There exists two type of intrusion detection systems (IDSs): signature-based IDS and anomaly-based IDS. This project concentrates on anomaly-based intrusion detection technique. This technique is based on the deviation of intruder's actions from the authenticated user's actions. Much previous research has focused on the deviation of command line input in UNIX systems. However, these techniques fail to detect attacks on modern GUIbased systems, where typical user activities include mouse movements and keystrokes. Our project aims to create a dataset suitable for testing intrusion detection strategies on GUI-based operating systems. We have developed an event logging tool to capture GUI-based user data on Windows systems. We have collected a large dataset which we analyze using a intrusion detection strategy based on hidden Markov models (HMM). ACKNOWLEDGMENTS I would like to thank Dr. Mark Stamp for his constant support, guidance and encouragement provided throughout the project. His patience and thoughtfulness was one of the biggest supporting factor for me in this project. I would also like to express my sincere gratitude to my committee members Dr. Chris Pollett and Dr. Sami Khuri for their valuable time and guidance. I am grateful to my friends and family for helping me in collecting a large amount of user data and spending their time and energy in making my project successful. Finally, I would like to thank my husband Mr. Arun Agrawal for his encouragement and unending patience throughout my Masters. v

show abstract

Masquerade Detection Based Upon GUI User Profiling in Linux Systems

Cited by 10 publications

References 16 publications

Layered Security Architecture for Masquerade Attack Detection

Layered Security Architecture for Masquerade Attack Detection

Adaptive Naive Bayes method for masquerade detection

User Profiling in GUI based Windows Systems for Intrusion Detection

Contact Info

Product

Resources

About