Abstract

Most studies in masquerade detection focus mainly on the user action, ignoring the object upon which that action is performed. This may yield limited models, since, for example, command execution (an action) usually ends up in the transformation of a file (the object). The overall goal of this paper is to prove that the object is paramount to distinguishing a user from a masquerade. With this in mind, we have developed a new approach to masquerade detection, called file system navigation, and tested our ideas using the Windows-Users and Windows-Intruder simulations Logs Data set, (WUIL) which unlike other datasets of its kind includes close-to-real simulated attacks. We have shown that our approach makes it possible to capture computer behavior in an abstract way difficult to realize in a purely action-based approach. In this paper, we introduce an abstraction called locality, the tendency of programs to cluster references to memory. While temporal locality is applicable to both actions and objects, spatial locality is more suitable to objects, as it depends on a notion of position. We have successfully validated our working hypothesis: locality-based features better capture user behavior for masquerade detection. Particularly, results based on our approach report an Area Under the Curve (AUC) of the receiver operating characteristic curve value of 0.97 in average with 30% of users having an AUC equal to or above 0.99.

Full Text
Paper version not known

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Similar Papers

Paper Title
Journal
Date
Author
Characterizing reference locality in the WWW
V Almeida ... M Crovella
-
V Almeida, et. al.V Almeida ... M Crovella
01 Dec 1996
Characteristics of Temporal and Spatial Locality of Internet Access Patterns
Keisuke Ishibashi ... Makoto Imase
-
Keisuke Ishibashi, et. al.Keisuke Ishibashi ... Makoto Imase
01 Jan 2002
Application of both Temporal and Spatial Localities in the Management of Kernel Buffer Cache
Song Jiang
-
Song JiangSong Jiang
01 Jan 2009
Locality Principle Revisited: A Probability-Based Quantitative Approach
Saurabh Gupta ... Yi Yang
-
Saurabh Gupta, et. al.Saurabh Gupta ... Yi Yang
01 May 2012
View more papers

More From: IEEE Transactions on Information Forensics and Security

Paper Title
Journal
Date
Author
DeCloak: Enable Secure and Cheap Multi-Party Transactions on Legacy Blockchains by a Minimally Trusted TEE Network
Qian Ren ... Lei Wang
IEEE Transactions on Information Forensics and Security | VOL. 19
Qian Ren, et. al.Qian Ren ... Lei Wang
01 Jan 2024
Hardware Secure Module Based Lightweight Conditional Privacy-Preserving Authentication for VANETs
Zihou Zhang ... Yufeng Li
IEEE Transactions on Information Forensics and Security | VOL. 19
Zihou Zhang, et. al.Zihou Zhang ... Yufeng Li
01 Jan 2024
Joint Discriminative Analysis With Low-Rank Projection for Finger Vein Feature Extraction
Shuyi Li ... Lifang Wu
IEEE Transactions on Information Forensics and Security | VOL. 19
Shuyi Li, et. al.Shuyi Li ... Lifang Wu
01 Jan 2024
Finger-Knuckle Assisted Slap Fingerprint Identification System for Higher Security and Convenience
Zhenyu Zhou ... Ajay Kumar
IEEE Transactions on Information Forensics and Security | VOL. 19
Zhenyu Zhou, et. al.Zhenyu Zhou ... Ajay Kumar
01 Jan 2024
View more papers

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.