Command and Block Profiles for Legitimate Users of a Computer Network
Intruders and masqueraders are a plague in computer networks. To recognize an intruder, one first needs to know the normal behavior of a legitimate user. To establish it, we propose building pairs of profiles called ‘command and block profiles’. The Schonlau data (SEA) are used to illustrate the concept and its usability with real data. The data contain observations for 50 users; for each of them a sequence of 15,000 system calls was recorded. Data for 21 users are pure; data for the remaining 29 users are contaminated with activities of alien (illegitimate) users. We consider only the uncontaminated data (for the 21 users). 5 of the 21 investigated users seem to change their profiles during work time. Some trials have shown that the proposed simple method may also recognize a large part of the implanted alien blocks.
Keywords: computer security, legitimate user, intruders, alien blocks, masquerade, Schonlau data, unix commands, anomaly, outliers