Cluster Computing

, Volume 21, Issue 1, pp 423–441 | Cite as

A prudent based approach for compromised user credentials detection

  • Adnan AminEmail author
  • Babar Shah
  • Sajid Anwar
  • Feras Al-Obeidat
  • Asad Masood Khattak
  • Awais Adnan


Compromised user credential (CUC) is an activity in which someone, such as a thief, cyber-criminal or attacker gains access to your login credentials for the purpose of theft, fraud, or business disruption. It has become an alarming issue for various organizations. It is not only crucial for information technology (IT) oriented institutions using database management systems (DBMSs) but is also critical for competitive and sensitive organization where faulty data is more difficult to clean up. Various well-known risk mitigation techniques have been developed, such as authentication, authorization, and fraud detection. However, none of these methods are capable of efficiently detecting compromised legitimate users’ credentials. This is because cyber-criminals can gain access to legitimate users’ accounts based on trusted relationships with the account owner. This study focuses on handling CUC on time to avoid larger-scale damage incurred by the cyber-criminals. The proposed approach can efficiently detect CUC in a live database by analyzing and comparing the user’s current and past operational behavior. This novel approach is built by a combination of prudent analysis, ripple down rules and simulated experts. The experiments are carried out on collected data over 6 months from sensitive live DBMS. The results explore the performance of the proposed approach that it can efficiently detect CUC with 97% overall accuracy and 2.013% overall error rate. Moreover, it also provides useful information about compromised users’ activities for decision or policy makers as to which user is more critical and requires more consideration as compared to less crucial user based prevalence value.


Prudence analysis Simulated experts Compromised user credential Outlier detection 


  1. 1.
    Pecchia, A., Sharma, A., Kalbarczyk, Z., Cotroneo, D., Iyer, R.K.: Identifying compromised users in shared computing infrastructures: a data-driven Bayesian network approach. In: Proceedings of the IEEE Symposium on Reliable Distributed Systems. pp. 127–136 (2011)Google Scholar
  2. 2.
    Egele, M., Kruegel, C., Vigna, G.: COMPA?: detecting compromised accounts on social networks. In: 20th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, pp. 1–17 (2013)Google Scholar
  3. 3.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: ACM Conference on Computer and Communications Security (2009)Google Scholar
  4. 4.
    Viswanath, B., Muhammad Ahmad, B., Crovella, M., Guha, S., Gummadi, K., Krishnamurthy, B., Mislove, A.: Towards detecting anomalous user behavior in online social networks. In: Proceedings of the 23rd USENIX Security Symposium (USENIX Security), pp. 223–238 (2014)Google Scholar
  5. 5.
    Yang, Z., Wilson, C., Wang, X., Gao, T., Zhao, B.Y., Dai, Y.: Uncovering social network Sybils in the wild. ACM Trans. Knowl. Discov. Data 8, 2:1–2:29 (2014)CrossRefGoogle Scholar
  6. 6.
    Singh, K., Cantt, M.: Outlier detection? Applications and techniques. Int. J. Comput. Sci. Issues 9, 307–323 (2012)Google Scholar
  7. 7.
    Daneshpazhouh, A., Sami, A.: Entropy-based outlier detection using semi-supervised approach with few positive examples. Pattern Recognit. Lett. 49, 77–84 (2014)CrossRefGoogle Scholar
  8. 8.
    Hawkins, D.M.: Identification of Outliers. Chapman and Hall, London (1980)CrossRefzbMATHGoogle Scholar
  9. 9.
    Hodge, V.J., Austin, J.: A survey of outlier detection methodologies. Artif. Intell. Rev. 22, 85–126 (2004)CrossRefzbMATHGoogle Scholar
  10. 10.
    Zhang, Y., Meratnia, N., Havinga, P.: Outlier detection techniques for wireless sensor networks: a survey. IEEE Commun. Surv. Tutor. 12, 159–170 (2010)CrossRefGoogle Scholar
  11. 11.
    Gupta, N.: A study of existing cross site scripting detection and prevention techniques in web applications. Int. J. Eng. Comput. Sci. 3, 8445–8450 (2014)Google Scholar
  12. 12.
    Gupta, M., Gao, J., Aggarwal, C.C.: Outlier detection for temporal data? A survey. IEEE Trans. Knowl. Data Eng. 25, 1–20 (2014)zbMATHGoogle Scholar
  13. 13.
    Kumar, S.: Classification and detection of computer intrusions. Doctoral Dissertation, Department of Computer Science, Purdue University, West Lafayette, IN (1995)Google Scholar
  14. 14.
    Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001, pp. 144–155. IEEE Computer Society (2001)Google Scholar
  15. 15.
    Thomas, K., Li, F., Grier, C., Paxson, V.: Consequences of connectivity? Characterizing account hijacking on Twitter. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 489–500 (2014)Google Scholar
  16. 16.
    Xue, Z., Shang, Y., Feng, A.: Semi-supervised outlier detection based on fuzzy rough C-means clustering. Math. Comput. Simul. 80, 1911–1921 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Gao, H., Hu, J., Wilson, C., Li, Z., Chen, Y., Zhao, B.Y.: Detecting and characterizing social spam campaigns. In: Proceedings of the 10th Annual Conference on Internet Measurement—IMC ’10, p. 35. ACM Press, New York (2010)Google Scholar
  18. 18.
    Gao, B., Ma, H.-Y., Yang, Y.-H.: HMMs (Hidden Markov models) based on anomaly intrusion detection method. In: Proceedings of the International Conference on Machine Learning and Cybernetics, pp. 381–385. IEEE (2002)Google Scholar
  19. 19.
    Cabrera, J.B.D., Lewis, L., Mehra, R.K.: Detection and classification of intrusions and faults using sequences of system calls. ACM SIGMOD Rec. 30, 25–34 (2001)CrossRefGoogle Scholar
  20. 20.
    Endler, D.: Intrusion detection. Applying machine learning to Solaris audit data. In: Proceedings 14th Annual Computer Security Applications Conference (Cat. No. 98EX217), pp. 268–279. IEEE Computer Society (1998)Google Scholar
  21. 21.
    Ghosh, A.K., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection learning program behavior profiles for intrusion detection. In: Proceedings of the 1st USENIX Workshop on Intrusion Detection and Network Monitoring, pp. 51–62 (1999)Google Scholar
  22. 22.
    Kang, D., Fuller, D., Honavar, V.: Learning classifiers for misuse detection using a bag of system calls. In: Proceedings of the 3rd IEEE International Conference on Intelligence and Security Informatics, pp. 511–516 (2005)Google Scholar
  23. 23.
    Tian, S., Mu, S., Yin, C.: Sequence-similarity kernels for SVMs to detect anomalies in system calls. Neurocomputing 70, 859–866 (2007)CrossRefGoogle Scholar
  24. 24.
    Wang, M., Zhang, C., Yu, J.: Native API based windows anomaly intrusion detection method Using SVM. In: IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC’06), vol. 1, pp. 514–519. IEEE (2006)Google Scholar
  25. 25.
    Ghosh, A.K., Schwartzbard, A.: A study in using neural networks for anomaly and misuse detection. In: Proceedings of the 8th USENIX Security Symposium, Washington, DC, pp. 141–152. USENIX Association (1999)Google Scholar
  26. 26.
    Dasgupta, K., Singh, R., Viswanathan, B., Chakraborty, D., Mukherjea, S., Nanavati, A.A., Joshi, A.: Social ties and their relevance to churn in mobile telecom networks. In: Proceedings of the 11th International Conference on Extending Database Technology Advances in Database Technology—EDBT ’08, pp. 668–677. ACM Press, New York (2008)Google Scholar
  27. 27.
    Hayati, P., Potdar, V., Chai, K., Talevski, A.: Web spambot detection based on web navigation behaviour. In: 2010 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 797–803. IEEE, Washington, DC (2010)Google Scholar
  28. 28.
    Zhang, L., Zhu, J., Yao, T.: An evaluation of statistical spam filtering techniques. ACM Trans. Asian Lang. Inf. Process. 3, 243–269 (2004)CrossRefGoogle Scholar
  29. 29.
    Compton, P., Jansen, R.: Knowledge in context: a strategy for expert system maintenance. (1990)
  30. 30.
    Gaines, B.R., Compton, P.: Induction of ripple-down rules applied to modeling large databases. J. Intell. Inf. Syst. 5, 211–228 (1995)CrossRefGoogle Scholar
  31. 31.
    Pau, C., Horn, K.A., Quinlan, J.R., Lazarus, L.: Maintaining an expert system. In: Quinlan, J.R. (ed.) Applications of Expert Systems, vol. 2, pp. 366–385. Addison-Wesley, London (1989)Google Scholar
  32. 32.
    Richards, D., Compton, P.: Taking up the situated cognition challenge with ripple down rules. Int. J. Hum. Comput. Stud. 49, 895–926 (1998)CrossRefGoogle Scholar
  33. 33.
    Tobias, S.: Algebraic foundation and improved methods of induction of ripple down rules. In: Pacific Knowledge Acquisition Workshop, Sydney, pp. 23–25 (1996)Google Scholar
  34. 34.
    Keaveney, S.M.: Customer switching behavior in service industries: an exploratory study. J. Mark. 59, 71–82 (1995)CrossRefGoogle Scholar
  35. 35.
    Pham, K.C., Sammut, C.: RDRVision—learning vision recognition with ripple down rules. In: Proceedings of the Australasian Conference on Robotics and Automation, pp. 7–8 (2005)Google Scholar
  36. 36.
    Clancey, W.J.: Heuristic classification. Artif. Intell. 27, 289–350 (1985)CrossRefGoogle Scholar
  37. 37.
    Gomez-Prerez, A.: Ontology evaluation. In: Handbook on Ontologies, pp. 293–313. Springer, Berlin (2004)Google Scholar
  38. 38.
    Compton, P., Cao, T.M.: Evaluation of Incremental Knowledge Acquisition with Simulated Experts. Springer, Berlin (2006)CrossRefGoogle Scholar
  39. 39.
    Compton, P., Preston, P., Edwards, G., Kang, B.: Knowledge based systems that have some idea of their limits. In: Tenth Knowledge Acquisition and Knowledge-Based Systems Workshop (1996)Google Scholar
  40. 40.
    Amin, A., Rahim,F., Ramzan,M., Anwar, S.: A prudent based approach for customer churn prediction. In: BDAS: Beyond Databases, Architectures and Structures, pp. 320–332. Springer (2015)Google Scholar
  41. 41.
    Maruatona, O.O., Vamplew, P., Dazeley, R.: Prudent fraud detection in Internet banking. In: 2012 Third Cybercrime and Trustworthy Computing Workshop, pp. 60–65. IEEE (2012)Google Scholar
  42. 42.
    Maruatona, O., Vamplew, P., Dazeley, R.: Knowledge Management and Acquisition for Intelligent Systems. Springer, Berlin (2012)Google Scholar
  43. 43.
    Compton, P., Preston, P., Kang, B.: The Use of Simulated Experts in Evaluating Knowledge Acquisition, pp. 1–18. University of Calgary (1995)Google Scholar
  44. 44.
    Amin, A., Anwar, S., Adnan, A., Nawaz, M., Howard, N., Qadir, J., Hawalah, A., Hussain, A.: Comparing oversampling techniques to handle the class imbalance problem: a customer churn prediction case study. Journal of IEEE Access 4, 7940–7957 (2016)CrossRefGoogle Scholar
  45. 45.
    Ellison, S.L.R., Barwick, V.J., Farrant, T.J.: Practical Statistics for the Analytical Scientist. Royal Society of Chemistry, Cambridge (2009)Google Scholar
  46. 46.
    Miller, J.N.: Using the Grubbs and Cochran tests to identify outliers. Anal. Methods Commun. 7, 7948–7950 (2015)CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. 1.Institute of Management SciencesPeshawarPakistan
  2. 2.College of Technological InnovationZayed UniversityAbu DhabiUnited Arab Emirates

Personalised recommendations