Results 1 - 10 of 40
A Survey of Insider Attack Detection Research
Cited by 21 (0 self)
This paper surveys proposed solutions for the problem of insider attack detection appearing in the computer security research literature. We distinguish between masqueraders and traitors as two distinct cases of insider attack. After describing the challenges of this problem and highlighting current approaches and techniques pursued by the research community for insider attack detection, we suggest directions for future research.
Sequence Alignment for Masquerade Detection
Cited by 10 (0 self)
The masquerade attack, where an attacker takes on the identity of a legitimate user to maliciously utilize that user’s privileges, poses a serious threat to the security of information systems. Such attacks completely undermine traditional security mechanisms due to the trust imparted to user accounts once they have been authenticated. Many attempts have been made at detecting these attacks, yet achieving high levels of accuracy remains an open challenge. In this paper, we discuss the use of a specially tuned sequence alignment algorithm, typically used in bioinformatics, to detect instances of masquerading in sequences of computer audit data. By using the alignment algorithm to align sequences of monitored audit data with sequences known to have been produced by the user, the alignment algorithm can discover areas of similarity and derive a metric that indicates the presence or absence of masquerade attacks. Additionally, we present several scoring systems, methods for accommodating variations in user behavior, and heuristics for decreasing the computational requirements of the algorithm. Our technique is evaluated against the standard masquerade detection dataset provided by Schonlau et al. [14, 13], and the results show that the use of the sequence alignment technique provides, to our knowledge, the best results of all masquerade detection techniques to date.
MORPHEUS: Motif Oriented Representations to Purge Hostile Events from Unlabeled Sequences
- In Proc. of the ACM workshop on Visualization and Data Mining for Computer Security, 2004
Cited by 8 (1 self)
Most of the prevalent anomaly detection systems use some training data to build models. These models are then utilized to capture any deviations resulting from possible intrusions. The efficacy of such systems is highly dependent upon a training data set free of attacks. “Clean” or labeled training data is hard to obtain. This paper addresses the very practical issue of refinement of unlabeled data to obtain a clean data set which can then train an online anomaly detection system. Our system, called MORPHEUS, represents a system call sequence using the spatial positions of motifs (subsequences) within the sequence. We also introduce a novel representation called sequence space to denote all sequences with respect to a reference sequence. Experiments on well known data sets indicate that our sequence space can be effectively used to purge anomalies from unlabeled sequences. Although an unsupervised anomaly detection system in itself, our technique is used for data purification. A “clean” training set thus obtained improves the performance of existing online host-based anomaly detection systems by increasing the number of attack detections.
Modeling user search behavior for masquerade detection
- In Recent Advances in Intrusion Detection, 2011
Cited by 7 (0 self)
Masquerade attacks are a common security problem that is a consequence of identity theft. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user’s desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We identify actions linked to search and information access activities, and use them to build user models. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 1.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features.
Detecting Masqueraders: A Comparison of One-Class Bag-of-Words User Behavior Modeling Techniques
Cited by 6 (0 self)
A masquerade attack is a consequence of identity theft. In such attacks, the impostor impersonates a legitimate insider while performing illegitimate activities. These attacks are very hard to detect and can cause considerable damage to an organization. Prior work has focused on user command modeling to identify abnormal behavior indicative of impersonation. In this paper, we investigate the performance of two one-class user behavior profiling techniques: one-class Support Vector Machines (ocSVMs) and a Hellinger distance-based user behavior profiling technique. Both techniques model bags of words or commands and do not model sequences of commands. We use both techniques for masquerade detection and compare the experimental results. The objective is to evaluate which modeling technique is most suitable for use in an operational monitoring system, hence our focus is on accuracy and operational performance characteristics. We show that one-class SVMs are most practical for deployment in sensors developed for masquerade detection in the general case. We also show that for specific users whose profile fits the average user profile, one-class SVMs may not be the best modeling approach. Such users pose a more serious threat since they may be easier to mimic.
Fuzzy ROC Curves for the 1 Class SVM: Application to Intrusion Detection
- 2005
Cited by 5 (0 self)
A novel method for receiver operating characteristic (ROC) curve analysis and anomaly detection is proposed. The ROC curve provides a measure of effectiveness for binary classification problems, and this paper specifically addresses unbalanced, unsupervised, binary classification problems. Furthermore, this work explores techniques in fusing decision values from classifiers and using ROC curves to illustrate the effectiveness of the fusion techniques. In describing an unbalanced classification problem, we are addressing a problem that has a low occurrence of the positive class (generally less than 10%). Since the problem is unsupervised, the 1 class SVM is utilized. We discuss the curse of dimensionality experienced with the 1 class SVM, and to overcome this problem we create subspaces of our variables. For each subspace created, the 1 class SVM produces a decision value. The aggregation of the decision values occurs through the use of fuzzy logic, creating the fuzzy ROC curve. The primary source of data for this research is a host based computer intrusion detection dataset.
Masquerade attack detection using a search behavior modeling approach
- 2009
Cited by 5 (0 self)
Masquerade attacks are unfortunately a familiar security problem that is a consequence of identity theft. Detecting masqueraders is very hard. Prior work has focused on user command modeling to identify abnormal behavior indicative of impersonation. This paper extends prior work by presenting one-class Hellinger distance-based and one-class SVM modeling techniques that use a set of novel features to reveal user intent. The specific objective is to model user search profiles and detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user’s desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We extend prior research that uses UNIX command sequences issued by users as the audit source by relying upon an abstraction of commands. We devise taxonomies of UNIX commands and Windows applications that are used to abstract sequences of user commands and actions. We also gathered our own normal and masquerader data sets captured in a Windows environment for evaluation. The datasets are publicly available for other researchers who wish to study masquerade attack rather than author identification as in much of the prior reported work. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 0.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in huge performance gains over the same modeling techniques that use larger sets of features.
Unsupervised Fuzzy Ensembles and Their Use in Intrusion Detection
- In Proceedings of the European Symposium on Artificial Neural Networks, 2005
Cited by 4 (3 self)
This paper proposes a novel method for unsupervised ensembles that specifically addresses unbalanced, unsupervised, binary classification problems. Unsupervised learning often experiences the curse of dimensionality, however subspace modeling can overcome this problem. For each subspace created, the classifier produces a decision value. The aggregation of the decision values occurs through the use of fuzzy logic, creating the fuzzy ROC curve. The one-class SVM is utilized for unsupervised classification. The primary source of data for this research is a host based computer intrusion detection dataset.
Towards better protocol identification using profile HMMs, JHU
- 2005
Cited by 4 (0 self)
We present improved techniques for the identification of unknown TCP connections in wide-area Internet traffic using Profile Hidden Markov Models. Specifically, we built mixture models using a k-means clustering approach to find component behavior patterns in the traffic traces. These mixture models allow us to better recognize protocols that tend to exhibit more than one characteristic behavioral pattern. Moreover, our models use only those features that remain intact after encryption, namely packet sizes and inter-arrival times. Using a vector quantization approach to combine these features in a single model, we show how to substantially increase recognition accuracy over prior work — in some cases well over 30 percent.
Fuzzy ROC curves for unsupervised nonparametric ensemble techniques
- Proceedings International Joint Conference on Neural Networks, IJCNN, 2005
Cited by 3 (3 self)
This paper explores a novel ensemble technique for unsupervised classification using nonparametric statistics. Multiple classification systems (MCS), or ensemble techniques, involve considering several classification methods or multiple outputs from the same method and devising techniques to reach a decision. The performance of a binary classification system can be measured on a receiver operating characteristic (ROC) curve, and the area under the curve (AUC) is exactly the Wilcoxon Rank Sum or Mann-Whitney U statistic, both of which are nonparametric statistics based upon ranked data. Successful performance of an unsupervised ensemble can be measured through the AUC, and the performance of different aggregation techniques for the combination of the multiple classification system decision values, or rankings in this paper, is illustrated. Aggregation techniques are based upon fuzzy logic theory, creating the fuzzy ROC curve. The one-class SVM is utilized for the unsupervised classification.