Journal of Network and Systems Management, Volume 20, Issue 4, pp 561–578

Online Randomization Strategies to Obfuscate User Behavioral Patterns

  • Juan E. Tapiador
  • Julio C. Hernandez-Castro
  • Pedro Peris-Lopez


When operating from the cloud, traces of user activities and behavioral patterns are accessible to anyone with enough privileges within the system. This could be, for example, the case of dishonest technical staff who may well be interested in selling user logs to competitors. In this paper, we investigate some of the security and privacy leakages derived from the analysis of user activities. We show that the working behavioral patterns exhibited by users can be easily captured into computationally useful representations that would allow an adversary to predict future activities, detect the occurrence of events of interest, or infer the organization’s internal structure. We then introduce the idea of obfuscating user behaviour through Online Action Randomization Algorithms. In doing so, we introduce an indistinguishability-based definition for perfectly obfuscated actions and a concrete scheme to randomize user traces in an incremental way. We report experimental results confirming the obfuscation quality and other properties of the proposed schemes.


Keywords: Cloud computing security, Insider threats, User modeling, Anonymity, Privacy



We thank the anonymous reviewers for their insights and comments that have greatly contributed to improving the quality of this work.



Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Juan E. Tapiador (1, 4)
  • Julio C. Hernandez-Castro (2)
  • Pedro Peris-Lopez (3)

  1. Department of Computer Science, University of York, York, UK
  2. School of Computing, University of Portsmouth, Portsmouth, UK
  3. Information Security and Privacy Lab, Delft University of Technology (TU-Delft), Delft, The Netherlands
  4. Department of Computer Science, Universidad Carlos III de Madrid, Leganes, Spain
