We show that masquerade detection, based on sequences of commands executed by the users, can be done effectively and efficiently by constructing a customized grammar representing the normal behavior of a user. More specifically, we use the Sequitur algorithm to generate a context-free grammar which efficiently extracts repetitive sequences of commands executed by one user, which is mainly used to generate a profile of the user. This technique also identifies the common scripts implicitly or explicitly shared between users, a useful set of data for reducing false positives. During the detection phase, a block of commands is classified as either normal or a masquerade based on its decomposition into substrings using the grammar of the alleged user. Based on experimental results using the Schonlau datasets, this approach shows a good detection rate across all false positive rates: the detection rates are the highest among all published results known to the author.
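The profile-then-decompose idea described above, as an added illustration that is not code from the paper: it substitutes a simpler Re-Pair-style pair replacement for Sequitur. The scoring metric (mean piece length), the threshold, all function names and the sample commands are assumptions made for this example.

```python
from collections import Counter

def learn_phrases(commands, min_count=2):
    """Re-Pair-style stand-in for Sequitur: repeatedly replace the most frequent
    adjacent pair with a rule. Each symbol is the command tuple it expands to."""
    seq = [(c,) for c in commands]
    phrases = set()
    while len(seq) > 1:
        (a, b), n = Counter(zip(seq, seq[1:])).most_common(1)[0]
        if n < min_count:
            break
        phrases.add(a + b)
        out, i = [], 0
        while i < len(seq):
            if i + 1 < len(seq) and seq[i] == a and seq[i + 1] == b:
                out.append(a + b)
                i += 2
            else:
                out.append(seq[i])
                i += 1
        seq = out
    return phrases

def decompose(block, phrases):
    """Greedy longest-match split; unknown commands become one-command pieces."""
    longest = max((len(p) for p in phrases), default=1)
    pieces, i = [], 0
    while i < len(block):
        for k in range(min(longest, len(block) - i), 0, -1):
            piece = tuple(block[i:i + k])
            if k == 1 or piece in phrases:
                pieces.append(piece)
                i += k
                break
    return pieces

def score(block, phrases):
    """Mean piece length (assumed metric): higher means more habitual."""
    pieces = decompose(block, phrases)
    return len(block) / len(pieces) if pieces else 0.0

def is_masquerade(block, phrases, threshold=1.5):  # threshold is an assumption
    return score(block, phrases) < threshold

# Constructed sample data, not taken from the Schonlau datasets.
TRAIN = ["cd", "ls", "vi", "make"] * 3 + ["ls", "cat"]
PROFILE = learn_phrases(TRAIN)
NORMAL = ["cd", "ls", "vi", "make", "ls", "cat"]
OTHER = ["ps", "netstat", "find", "tar", "scp", "rm"]
print(is_masquerade(NORMAL, PROFILE), is_masquerade(OTHER, PROFILE))
```

A block that the user's learned phrases cover in a few long pieces scores high, while a block that falls apart into single commands scores low and is flagged.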





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Mario Latendresse (1)
  1. Volt Services/Northrop Grumman, FNMOC U.S. Navy
