Modeling user search behavior for masquerade detection

Authors:
Malek Ben Salem;Salvatore J. Stolfo
Affiliations:
Computer Science Department, Columbia University, New York;Computer Science Department, Columbia University, New York
Venue:
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Year:
2011

Citing 8
Cited 4

The nature of statistical learning theory

The nature of statistical learning theory
Handling concept drifts in incremental learning with support vector machines

KDD '99 Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining
Masquerade Detection Using Truncated Command Lines

DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
Intrusion Detection: A Bioinformatics Approach

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Estimating the Support of a High-Dimensional Distribution

Neural Computation
Sequence alignment for masquerade detection

Computational Statistics & Data Analysis
ELICIT: a system for detecting insiders who violate need-to-know

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
LIBSVM: A library for support vector machines

ACM Transactions on Intelligent Systems and Technology (TIST)

On the design and execution of cyber-security user studies: methodology, challenges, and lessons learned

CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Masquerade attacks based on user's profile

Journal of Systems and Software
A survey of anomaly intrusion detection techniques

Journal of Computing Sciences in Colleges
The Windows-Users and -Intruder simulations Logs dataset (WUIL): An experimental framework for masquerade detection mechanisms

Expert Systems with Applications: An International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Masquerade attacks are a common security problem that is a consequence of identity theft. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We identify actions linked to search and information access activities, and use them to build user models. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 1.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features.