Combining a Baiting and a User Search Profiling Techniques for Masquerade Detection

Masquerade attacks are characterized by an adversary stealing a legitimate user's credentials and using them to impersonate the victim and perform malicious activities, such as stealing information. Prior work on masquerade attack detection has focused on profiling legitimate user behavior and detecting abnormal behavior indicative of a masquerade attack. Like any anomaly-detection based techniques, detecting masquerade attacks by profiling user behavior suffers from a significant number of false positives. We extend prior work and provide a novel integrated detection approach in this paper. We combine a user behavior profiling technique with a baiting technique in order to more accurately detect masquerade activity. We show that using this integrated approach reduces the false positives by 36% when compared to user behavior profiling alone, while achieving almost perfect detection results. We also show how this combined detection approach serves as a mechanism for hardening the masquerade attack detector against mimicry attacks

Designing Host and Network Sensors to Mitigate the Insider Threat

We propose a design for insider threat detection that combines an array of complementary techniques that aims to detect evasive adversaries. We are motivated by real world incidents and our experience with building isolated detectors: such standalone mechanisms are often easily identified and avoided by malefactors. Our work-in-progress combines host-based user-event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. We identify several challenges in scaling up, deploying, and validating our architecture in real environments

Optimized Naive-Bayes Detection System

A Masquerader is a malicious user who tries to gain access or control of a system from a proper user. The objective of this thesis is to increase the accuracy of the existing Nave-Bayes Algorithm for detecting Masquerade attempts. We have an Online and an Offline classifier. The Classifier used in our experiments is the Nave-Bayes Classifier. Although the dataset is being learned by the Online and the Offline classifier simultaneously, the online classifier makes an instantaneous decision whereas the Offline makes it after a specified span of time. We try to increase the accuracy of the detection system by increasing the number of parameters within the dataset and also by the introduction of a Toggling factor between the Online and the Offline classifiers. The Nave-Bayes classifier builds a proper user model and an improper model from the training dataset. The Test sessions are classified against these models. The E-M Algorithm was used to generate a probabilistic score for the unidentified sessions in the testing phase. The dataset was prepared from the log files of different users that logged into the Computer Science Administrative Server (a.cs.okstate.edu) for Oklahoma State University. Experimental results demonstrate that the Online & Offline classifier with commands and the extra parameter namely the CPU time outperformed the Online & Offline classifier with commands in terms of both the false alarm rate and the hit rate.Computer Science Departmen

Probabilistic Vs Clustering Analysis of Modified Unix Command Lines for Masquerade Detection

A computer system masquerader is an intruder who takes over a genuine user session and misuses it. These Masqueraders also called insiders are those who work within the organization and try to either attain more system privileges in the form of impersonation, or misuse their privileges which then become an abuse. Detecting and alarming such intrusions is the primary goal of masquerade detection techniques. A survey of previously undertaken research shows that a behavior analysis can be carried out to detect masqueraders. Automatic discovery of masqueraders is possible by discovering significant departures of test command sessions from the normal user profiles based on command histories. In this line of experiments Schonlau et al performed testing based on a data set comprised of truncated command lines. These experiments proved less efficient with the best detection result reported for a Bayes one-step Markov model, which achieved a hit rate of 69.3% with a corresponding false-alarm rate of 6.7%. Roy A. Maxion and Tahlia N. Townsend reported a 61.5% hit rate and a false-alarm rate of 1.3% based on a na?ve Bayes classification technique. This thesis outlines some of these techniques and their difficulties. As an extension to these techniques we propose a Bayesian network technique that uses a Hybrid classifier of Na?ve Bayes and Deferred Na?ve Bayes classifiers. This approach combines the advantages of both online (Na?ve Bayes) and offline (Deferred Na?ve Bayes) classifiers. With the Bayesian Networks Classifier we also present a clustering approach adopted from the data mining literature for masquerade detection. Finally, a comparative study of the two proposed classifiers and Na?ve Bayes Classifier was carried out with the help of ROC Curves showing the respective hit rates to false alarm rates.Computer Science Departmen

Towards Effective Masquerade Attack Detection

Data theft has been the main goal of the cybercrime community for many years, and more and more so as the cybercrime community gets more motivated by financial gain establishing a thriving underground economy. Masquerade attacks are a common security problem that is a consequence of identity theft and that is generally motivated by data theft. Such attacks are characterized by a system user illegitimately posing as another legitimate user. Prevention-focused solutions such as access control solutions and Data Loss Prevention tools have failed in preventing these attacks, making detection not a mere desideratum, but rather a necessity. Detecting masqueraders, however, is very hard. Prior work has focused on user command modeling to identify abnormal behavior indicative of impersonation. These approaches suffered from high miss and false positive rates. None of these approaches could be packaged into an easily-deployable, privacy-preserving, and effective masquerade attack detector. In this thesis, I present a machine learning-based technique using a set of novel features that aim to reveal user intent. I hypothesize that each individual user knows his or her own file system well enough to search in a limited, targeted, and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, are not likely to know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different from that of the victim user being impersonated. Based on this assumption, I model a user's search behavior and monitor deviations from it that could indicate fraudulent behavior. I identify user search events using a taxonomy of Windows applications, DLLs, and user commands. The taxonomy abstracts the user commands and actions and enriches them with contextual information. Experimental results show that modeling search behavior reliably detects all simulated masquerade activity with a very low false positive rate of 1.12%, far better than any previously published results. The limited set of features used for search behavior modeling also results in considerable performance gains over the same modeling techniques that use larger sets of features, both during sensor training and deployment. While an anomaly- or profiling-based detection approach, such as the one used in the user search profiling sensor, has the advantage of detecting unknown attacks and fraudulent masquerade behaviors, it suffers from a relatively high number of false positives and remains potentially vulnerable to mimicry attacks. To further improve the accuracy of the user search profiling approach, I supplement it with a trap-based detection approach. I monitor user actions directed at decoy documents embedded in the user's local file system. The decoy documents, which contain enticing information to the attacker, are known to the legitimate user of the system, and therefore should not be touched by him or her. Access to these decoy files, therefore, should highly suggest the presence of a masquerader. A decoy document access sensor detects any action that requires loading the decoy document into memory such as reading the document, copying it, or zipping it. I conducted human subject studies to investigate the deployment-related properties of decoy documents and to determine how decoys should be strategically deployed in a file system in order to maximize their masquerade detection ability. Our user study results show that effective deployment of decoys allows for the detection of all masquerade activity within ten minutes of its onset at most. I use the decoy access sensor as an oracle for the user search profiling sensor. If abnormal search behavior is detected, I hypothesize that suspicious activity is taking place and validate the hypothesis by checking for accesses to decoy documents. Combining the two sensors and detection techniques reduces the false positive rate to 0.77%, and hardens the sensor against mimicry attacks. The overall sensor has very limited resource requirements (40 KB) and does not introduce any noticeable delay to the user when performing its monitoring actions. Finally, I seek to expand the search behavior profiling technique to detect, not only malicious masqueraders, but any other system users. I propose a diversified and personalized user behavior profiling approach to improve the accuracy of user behavior models. The ultimate goal is to augment existing computer security features such as passwords with user behavior models, as behavior information is not readily available to be stolen and its use could substantially raise the bar for malefactors seeking to perpetrate masquerade attacks

Detection of Masquerade Attacks using Data-Driven Semi-Global Alignment Approach

The broad utilization of virtualization in representing security basis conveys unrivaled security worries for inhabitants or clients and presents an extra layer that itself must be totally arranged and secured. Gatecrashers can abuse the extensive measure of assets for their attacks. This venture talks about two methodologies .In the initial three elements to be specific continuous attacks, autonomic counteractive action activities and hazard measure are incorporated to our Autonomic Intrusion Detection Framework (AIDF) as the majority of the present security advancements don't give the fundamental security components to frameworks, for example, early notices about future progressing attacks, autonomic avoidance activities and hazard measure. Accordingly, the controller can take proactive restorative activities before the attacks represent a genuine security hazard to the framework. In another Attack Sequence Detection (ASD) approach as assignments from various clients might be performed on a similar machine. In this way, one essential security concern is whether client information is secure in. Then again, programmer may encourage processing to dispatch bigger scope of attack. For example, a demand of port output in with numerous virtual machines executing such vindictive activity. In, for instance, avoiding a simple to adventure machine and afterward utilizing the past traded off to attack the objective. Such attack plan might be stealthy or inside the registering condition. So intrusion detection framework or firewall experiences issues to recognize it