Abstract
The goal of a masquerade detection system is to determine whether a given computer activity does not correspond to the target user, thereby inferring that a masquerader has stolen that user's session. Masquerade detection should be addressed as a one-class classification problem, in which only information about the genuine user is available for building the classifier. This is often unavoidable, because it is difficult to account for every kind of attack pattern or to collect enough evidence of them. In this paper, we introduce a masquerader detection method, named Bagging-TPMiner, which is a one-class classifier ensemble. As the name suggests, Bagging-TPMiner bootstraps the training dataset of genuine user behavior in order to find typical objects. In the classification phase, it labels a new sample of computer behavior a masquerade if that behavior is distinct from the typical objects. Critically, unlike existing clustering techniques, Bagging-TPMiner gives similar attention to both dense and sparse regions, thus capturing the (hidden) structure of ordinary user behavior. We have successfully tested Bagging-TPMiner on WUIL, a repository of masquerader detection datasets that contain more faithful masquerade attempts. Our experimental results show that Bagging-TPMiner improves classification accuracy when compared to other classifiers, and that it is significantly better at identifying bursts of attacks, called persistent attacks, and at continuously updating itself from prior mistakes.
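As an added illustration, not the paper's own TPMiner algorithm (whose details are not given in this abstract), the sketch below implements the decision scheme the abstract describes: bootstrap the genuine sessions, mine typical objects from each resample with a farthest-first rule so that sparse regions get representatives as well as dense ones, and flag a session as a masquerade when most ensemble members find it far from all of their typical objects. The two session features, the sample values and the per-member acceptance radius are assumptions made here.

```python
import random
from math import dist

# Constructed sample: each session is summarised as two features
# (directory changes, mean path depth). Values are made up for illustration.
GENUINE_SESSIONS = [
    (3, 3), (4, 3), (4, 4), (5, 3), (3, 2), (4, 2), (5, 4),  # dense everyday use
    (20, 6), (21, 6), (19, 7),                                # sparse but legitimate use
]

def typical_objects(points, k, rng):
    """Farthest-first traversal: each new representative is the object farthest
    from those already chosen, so sparse regions are covered, not only dense ones."""
    reps = [rng.choice(points)]
    while len(reps) < k:
        reps.append(max(points, key=lambda p: min(dist(p, r) for r in reps)))
    return reps

def nearest_typical(reps, session):
    """Distance from a session to the closest typical object of one member."""
    return min(dist(session, r) for r in reps)

def fit_ensemble(sessions, n_members=25, k=3, seed=0):
    """Bagging: each member mines its typical objects from its own bootstrap resample.
    Assumption made here: a member's acceptance radius is the largest distance from
    any genuine training session to that member's nearest typical object."""
    rng = random.Random(seed)
    members = []
    for _ in range(n_members):
        boot = [rng.choice(sessions) for _ in sessions]   # bootstrap resample
        reps = typical_objects(boot, k, rng)
        radius = max(nearest_typical(reps, s) for s in sessions)
        members.append((reps, radius))
    return members

def masquerade_score(members, session):
    """Fraction of members for which the session lies outside the acceptance radius."""
    votes = sum(nearest_typical(reps, session) > radius for reps, radius in members)
    return votes / len(members)

def is_masquerade(members, session, cutoff=0.5):
    """Majority vote of the one-class ensemble."""
    return masquerade_score(members, session) >= cutoff

if __name__ == "__main__":
    ens = fit_ensemble(GENUINE_SESSIONS)
    for s in [(4, 3), (12, 4), (40, 1)]:
        print(s, round(masquerade_score(ens, s), 2), is_masquerade(ens, s))
```

A session identical to a genuine training session is never flagged, while one far outside both genuine regions is flagged by every member; sessions between the two regions show the graded vote that a cutoff then turns into a decision.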
Acknowledgments
We thank the members of the GIEE-ML group at Tecnológico de Monterrey for providing useful suggestions and advice on an earlier version of this paper. We are also grateful to Rebekah Hosse Clark (clarkwecare@aol.com) and Dr. Ernesto Hernandez Cooper (emcooper@itesm.mx) for their valuable contributions improving the grammar and style of this paper. J. Benito Camiña was supported by CONACYT studentship 329962. Milton García-Borroto thanks the Instituto Superior Politécnico José Antonio Echeverría for supporting him in this research.
Ethics declarations
Conflict of interest
Author Miguel Angel Medina-Pérez declares that he has no conflict of interest. Author Raúl Monroy declares that he has no conflict of interest. Author J. Benito Camiña declares that he has no conflict of interest. Author Milton García-Borroto declares that he has no conflict of interest.
Ethical approval
All procedures performed in studies involving human participants were in accordance with the ethical standards of the institutional and/or national research committee and with the 1964 Helsinki declaration and its later amendments or comparable ethical standards.
Informed consent
Informed consent was obtained from all individual participants included in the study.
Additional information
Communicated by H. Ponce.
Cite this article
Medina-Pérez, M.A., Monroy, R., Camiña, J.B. et al. Bagging-TPMiner: a classifier ensemble for masquerader detection based on typical objects. Soft Comput 21, 557–569 (2017). https://doi.org/10.1007/s00500-016-2278-8