A variable-length model for masquerade detection

  • Authors: Xi Xiao; Xinguang Tian; Qibin Zhai; Shutao Xia

  • Affiliations: Graduate School at Shenzhen, Tsinghua University, 518055 Shenzhen, China and State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, 100049 Beijing, China; Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, 100190 Beijing, China; State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, 100049 Beijing, China; Graduate School at Shenzhen, Tsinghua University, 518055 Shenzhen, China

  • Venue: Journal of Systems and Software

  • Year: 2012

Abstract

Masquerade detection is now one of the major concerns of system security research, and its difficulty lies in modeling user behavior on nonstationary audit data. Many previous works represent user behavior with fixed-length models. In this paper, we propose a variable-length model to overcome their weakness in the precision and adaptability of user profiling. In the model, the user's normal behavior is profiled by a Markov chain whose states are variable-length sequences. First, multiple shell command streams of different lengths are generated, and different shell command sequences are hierarchically merged into several sets to form the library of general sequences. Then the variable-length behavioral patterns of a valid user are mined and the Markov chain is constructed. During detection, the probabilities of short state sequences are calculated, smoothed with sliding windows, and finally used to classify the monitored user's activity as normal or abnormal. Our experiments with standard datasets such as the Purdue data and the SEA data reveal that the proposed model can achieve higher detection accuracy, require less memory, and take less time than other traditional methods, and that it is amenable to real-time intrusion detection.