Title :
Masquerade detection using truncated command lines
Author :
Maxion, Roy A. ; Townsend, Tahlia N.
Author_Institution :
Dependable Syst. Lab., Carnegie Mellon Univ., Pittsburgh, PA, USA
Abstract :
A masquerade attack, in which one user impersonates another, can be the most serious form of computer abuse. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior, as represented by a user profile formed from system audit data. While the success of this approach has been limited, the reasons for its unsatisfying performance are not obvious, possibly because most reports do not elucidate the origins of errors made by the detection mechanisms. This paper takes as its point of departure a recent series of experiments framed by Schonlau et al. (2001). In extending that work with a new classification algorithm, a 56% improvement in masquerade detection was achieved at a corresponding false-alarm rate of 1.3%. A detailed error analysis, based on an alternative data configuration, reveals why some users are good masqueraders and others are not.
Keywords :
auditing; security of data; classification algorithm; computer abuse; data configuration; errors; false alarm rate; masquerade attack detection; system audit data; truncated command lines; user profile; Classification algorithms; Computer science; Computer security; Costs; Error analysis; Information security; Keyboards; Laboratories; Monitoring; National security;
Conference_Titel :
Dependable Systems and Networks, 2002. DSN 2002. Proceedings. International Conference on
Print_ISBN :
0-7695-1101-5
DOI :
10.1109/DSN.2002.1028903
