Masquerade Detection via Customized Grammars
We show that masquerade detection, based on sequences of commands executed by users, can be done effectively and efficiently by constructing a customized grammar that represents the normal behavior of a user. More specifically, we use the Sequitur algorithm to generate a context-free grammar that efficiently extracts the repetitive sequences of commands executed by one user; this grammar is mainly used to generate a profile of the user. The technique also identifies the common scripts implicitly or explicitly shared between users, a useful set of data for reducing false positives. During the detection phase, a block of commands is classified as either normal or a masquerade based on its decomposition into substrings using the grammar of the alleged user. In experiments on the Schonlau datasets, this approach shows a good detection rate across all false positive rates; the rates are the highest among all published results known to the author.
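The profile-then-decompose idea described in the abstract, as an added sketch that is not the paper's code: it substitutes a simpler Re-Pair-style pair replacement for Sequitur, and the coverage score, the 0.5 threshold, the function names and the command sequences are all assumptions constructed for illustration.

```python
from collections import Counter

def induce_phrases(commands, min_count=2):
    """Re-Pair-style induction (not Sequitur): return the phrases the rules expand to."""
    seq, rules = list(commands), {}        # rules: int nonterminal -> (left, right)
    while len(seq) > 1:
        pairs = Counter(zip(seq, seq[1:]))
        pair = max(pairs, key=pairs.get)   # most frequent adjacent pair, first seen wins ties
        if pairs[pair] < min_count:
            break
        sym, out, i = len(rules), [], 0
        rules[sym] = pair
        while i < len(seq):                # replace non-overlapping occurrences left to right
            if tuple(seq[i:i + 2]) == pair:
                out.append(sym); i += 2
            else:
                out.append(seq[i]); i += 1
        seq = out

    def expand(s):                         # terminals are str, nonterminals are int
        return expand(rules[s][0]) + expand(rules[s][1]) if isinstance(s, int) else (s,)
    return {expand(s) for s in rules}

def decompose(block, phrases):
    """Greedily split a block into the longest known phrases; unknown commands stand alone."""
    max_len = max(map(len, phrases), default=1)
    pieces, i = [], 0
    while i < len(block):
        for n in range(min(max_len, len(block) - i), 1, -1):
            if tuple(block[i:i + n]) in phrases:
                break
        else:
            n = 1                          # no phrase of length >= 2 starts here
        pieces.append(tuple(block[i:i + n])); i += n
    return pieces

def coverage(block, phrases):
    """Fraction of the block's commands that fall inside a phrase from the user's grammar."""
    return sum(len(p) for p in decompose(block, phrases) if len(p) > 1) / len(block)

def is_masquerade(block, phrases, threshold=0.5):   # threshold is an assumed value
    return coverage(block, phrases) < threshold

# Constructed sample data: one user's training history and two test blocks.
TRAIN = ("cd ls vi make gcc ld " * 3 + "mail cd ls cat").split()
NORMAL = "cd ls vi make gcc ld mail cd ls cat".split()
SUSPECT = "ps netstat find grep tar cd ls who uname cat".split()

if __name__ == "__main__":
    profile = induce_phrases(TRAIN)
    for name, block in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, decompose(block, profile), coverage(block, profile))
```

A block that the alleged user's grammar breaks into a few long phrases scores high; one that falls apart into single commands scores low and is flagged.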