• DocumentCode
    446480
  • Title
    A first step toward detecting SSH identity theft in HPC cluster environments: discriminating masqueraders based on command behavior
  • Author
    Yurcik, William ; Liu, Chao

  • Author_Institution
    Nat. Center for Supercomput. Applications, Illinois Univ., Urbana-Champaign, IL, USA
  • Volume
    1
  • fYear
    2005
  • fDate
    9-12 May 2005
  • Firstpage
    111
  • Abstract
    Recent attacks enabled by stolen authentication passwords and keys have allowed intruders to masquerade as legitimate users on high performance computing clusters. With the motivation of detecting masqueraders on clusters, this work seeks to discriminate different types of users based on their command behavior - in particular, user command behavior on a multi-user public machine versus user command behavior on a high performance computing cluster. Our intuition is that these users act differently and the unique high performance cluster environment is constrained such that command behavior discrimination is enhanced versus enterprise environments. We formalize this into a classification problem to be solved by a support vector machine with TF-IDF feature construction techniques from the field of Information Retrieval. We present results showing the effectiveness of this approach exhibiting high precision depending on the length of monitoring in both time and number of commands. In particular we show that as few as 10 commands may be enough to recognize a masquerading attacker on a high performance computing cluster.
  • Keywords
    authorisation; workstation clusters; HPC cluster environments; SSH identity theft detection; TF-IDF feature construction; cluster security; command behavior discrimination; high performance computing clusters; information retrieval; masquerader discrimination; multiuser public machine; stolen authentication passwords; support vector machine; Authentication; Chaos; High performance computing; Information retrieval; Inspection; Monitoring; Performance analysis; Security; Support vector machine classification; Support vector machines;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Cluster Computing and the Grid, 2005. CCGrid 2005. IEEE International Symposium on
  • Print_ISBN
    0-7803-9074-1
  • Type
    conf
  • DOI
    10.1109/CCGRID.2005.1558542
  • Filename
    1558542