Detection of anomalies from user profiles generated from system logs

Authors:
Malcolm Corney;George Mohay;Andrew Clark
Affiliations:
Queensland University of Technology, Brisbane, Australia;Queensland University of Technology, Brisbane, Australia;Queensland University of Technology, Brisbane, Australia
Venue:
AISC '11 Proceedings of the Ninth Australasian Information Security Conference - Volume 116
Year:
2011

Citing 14
Cited 1

UNICORN: misuse detection for UNICOS

Supercomputing '95 Proceedings of the 1995 ACM/IEEE conference on Supercomputing
DEMIDS: a misuse detection system for database systems

Integrity and internal control information systems
Security in Computing

Security in Computing
Misuse detection for information retrieval systems

CIKM '03 Proceedings of the twelfth international conference on Information and knowledge management
Techniques and tools for analyzing intrusion alerts

ACM Transactions on Information and System Security (TISSEC)
Using relevance feedback to detect misuse for information retrieval systems

Proceedings of the thirteenth ACM international conference on Information and knowledge management
On off-topic access detection in information systems

Proceedings of the 14th ACM international conference on Information and knowledge management
Automated recognition of event scenarios for digital forensics

Proceedings of the 2006 ACM symposium on Applied computing
Insider attack and real-time data mining of user behavior

IBM Journal of Research and Development - Business optimization
The design of framework for detecting an insider's leak of confidential information

Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop
Defining the insider threat

Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead
A logic-based model to support alert correlation in intrusion detection

Information Fusion
An Active Defense Model and Framework of Insider Threats Detection and Sense

IAS '09 Proceedings of the 2009 Fifth International Conference on Information Assurance and Security - Volume 01
Addressing the Insider Threat

IEEE Security and Privacy

A proposed model for data warehouse user behaviour using intrusion detection system

ACM SIGSOFT Software Engineering Notes

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe research into the identification of anomalous events and event patterns as manifested in computer system logs. Prototype software has been developed with a capability that identifies anomalous events based on usage patterns or user profiles, and alerts administrators when such events are identified. To reduce the number of false positive alerts we have investigated the use of different user profile training techniques and introduce the use of abstractions to group together applications which are related. Our results suggest that the number of false alerts that are generated is significantly reduced when a growing time window is used for user profile training and when abstraction into groups of applications is used.