Command and Block Profiles for Legitimate Users of a Computer Network

  • Anna M. Bartkowiak
Part of the Communications in Computer and Information Science book series (CCIS, volume 245)


Intruders and masqueraders are a plague in computer networks. To recognize an intruder, one firstly needs to know what is the normal behavior of a legitimate user. To find it out, we propose to build pairs of profiles called ‘command and block profiles’. Schonlau data (SEA) are used for illustration of the concept and its usability in work with real data. The elaborated data contain observations for 50 users; for each of them a sequence of 15,000 system calls was recorded. Data for 21 users are pure; data for the remaining 29 users are contaminated with activities of alien (illegitimate) users. We consider only the uncontaminated data (for the 21 users). 5 out of 21 investigated users seem to change their profiles during work time. Some trials have shown that the proposed simple method may also recognize a big part of alien implanted blocks.


computer security legitimate user intruders alien blocks masquerade Schonlau data unix commands anomaly outliers 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Schonlau, M.: Masquerading used data, web page,
  2. 2.
    Schonlau, M., et al.: Computer intrusion: detecting masquerades. Statistical Science 16, 1–17 (2001)MathSciNetzbMATHGoogle Scholar
  3. 3.
    Bartkowiak, A.M.: Anomaly, novelty, one-class classification: a comprehensive introduction. International Journal of Computer Systems and Industrial Management Applications 3, 061–071 (2011), Google Scholar
  4. 4.
    Kim, H.-S., Cha, S.-S.: Empirical evaluation of SVM-based masquerade detection using UNIX command. Computers & Security 24, 160–168 (2005)CrossRefGoogle Scholar
  5. 5.
    Guan, X., Wang, W., Zhang, X.: Fast intrusion detection based on non-negative matrix factorization model. J. of Network and Computer Applications 32, 31–44 (2009)CrossRefGoogle Scholar
  6. 6.
    Wang, W., Guan, X., Zhang, X.: Processing of massive audit data streams for real-time anomaly intrusion detection. Computer Communications 31, 58–72 (2008)CrossRefGoogle Scholar
  7. 7.
    DiGesu, V., LoBosco, G., Friedman, J.H.: Intruders pattern identification, pp. 1–4. IEEE (2008) 978-1-4244-2175-6/08 ©2008Google Scholar
  8. 8.
    Sodiya, A.S., Folorunso, O., Onashoga, S.A., Ogunderu, O.P.: An improved semi-global alignement algorithm for masquerade detection. Int. J. for Network Security 13, 31–40 (2011)Google Scholar
  9. 9.
    Bertacchini, M., Fierens, P.I.: Preliminary results on masquerader detection using compression based similarity metrics. Electronic Journal of SADIO 7(1), 31–42 (2007), zbMATHGoogle Scholar
  10. 10.
    Posadas, R., Mex-Perera, C., Monroy, R., Nolazco-Flores, J.: Hybrid Method for Detecting Masqueraders Using Session Folding and Hidden Markov Models. In: Gelbukh, A., Reyes-Garcia, C.A. (eds.) MICAI 2006. LNCS (LNAI), vol. 4293, pp. 622–631. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Insider Attack and Cyber Security: Beyond the Hacker, pp. 69–90. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Bartkowiak, A.: Outliers in biometrical data: what’s old, what’s new. Int. J. of Biometrics 2(1), 2–18 (2010)CrossRefGoogle Scholar
  13. 13.
    Kohonen, T.: Self-organising maps. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  14. 14.
    Vesanto, J., Himberg, J., Alhoniemi, E., Parhankangas, J.: SOM Toolbox for Matlab 5. Som Toolbox team, Helsinki University of Technology, Finland, Libella Oy, Espoo, 1–54 (2000),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Anna M. Bartkowiak
    • 1
    • 2
  1. 1.Institute of Computer ScienceUniversity of WroclawWroclawPoland
  2. 2.Wroclaw High School of Applied InformaticsWroclawPoland

Personalised recommendations