Masquerade detection using truncated command lines
- 25 June 2003
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 219-228
- https://doi.org/10.1109/dsn.2002.1028903
Abstract
A masquerade attack, in which one user impersonates another, can be the most serious form of computer abuse. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior, as represented by a user profile formed from system audit data. While the success of this approach has been limited, the reasons for its unsatisfying performance are not obvious, possibly because most reports do not elucidate the origins of errors made by the detection mechanisms. This paper takes as its point of departure a recent series of experiments framed by Schonlau et al. [12]. In extending that work with a new classification algorithm, a 56% improvement in masquerade detection was achieved at a corresponding false-alarm rate of 1.3%. A detailed error analysis, based on an alternative data configuration, reveals why some users are good masqueraders and others are not.
This publication has 6 references indexed in Scilit:
- A prototype real-time intrusion-detection expert system. Published by Institute of Electrical and Electronics Engineers (IEEE), 2003
- A Hybrid High-Order Markov Chain Model for Computer Intrusion Detection. Journal of Computational and Graphical Statistics, 2001
- Computer Intrusion: Detecting Masquerades. Statistical Science, 2001
- Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters, 2000
- Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security, 1999
- A survey of intrusion detection techniques. Computers & Security, 1993