Masquerade Detection in Network Environments

As reliance on Internet connected systems expands, the threat of damage from malicious actors, especially undetected actors, rises. Masquerade attacks, where one individual or system poses as another, are among the most harmful and difficult to detect types of intrusion. Previous efforts to detect masquerade attacks have focused on host-based approaches, including command line, system call, and GUI interaction profiling but when host data is not accessible or legal/ethical restrictions apply, these methods are infeasible. In this work, we present an approach to masquerade detection using only basic network statistics. We use server log analysis to tag network events with the associated user and build user network profiles By utilizing only antagonized summary data, we limit the privacy impact of masquerade detection while avoiding the data accessibility issues associated with host-based approaches. We compile 90 days of NetFlow data from over 50 users and show the user profile are unique, and likely useful for detecting masqueraders. Finally, we apply Support Vector Machine (SVM) classification to demonstrate feasibility of masquerade detection using network data.