Abstract
Detecting whether a given activity on a device corresponds to a legitimate device user or not is usually carried out by looking for deviations in behavior against a normal usage baseline. One approach to this problem, called masquerade detection, uses file system navigation information, comprising the files, the folders, and how the user navigates between them, to construct the normal usage baseline. Atop the file system navigation approach for masquerade detection, there is an alternate representation of file system usage which abstracts a collection of interrelated files into a single symbol denoting a task; thus, touching any of these files amounts simply to executing a task. In this paper, we propose a refined notion of the task abstraction, which allows for a better characterization of the user. The improved abstraction makes it possible to obtain a better Masquerade Detection System with increased efficiency, resulting in faster detection of masqueraders.
Acknowledgements
We thank the members of the GIEE-ML group at Tecnológico de Monterrey for providing useful suggestions and advice on this research. J. Rodríguez is currently supported by CONACYT scholarship 376099.
Cite this article
Rodríguez, J., Cañete, L., Monroy, R. et al. Experimenting with masquerade detection via user task usage. Int J Interact Des Manuf 11, 771–784 (2017). https://doi.org/10.1007/s12008-016-0360-1
DOI: https://doi.org/10.1007/s12008-016-0360-1