Decoy Document Deployment for Effective Masquerade Attack Detection

  • Malek Ben Salem
  • Salvatore J. Stolfo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


Masquerade attacks pose a grave security problem that is a consequence of identity theft. Detecting masqueraders is very hard. Prior work has focused on profiling legitimate user behavior and detecting deviations from that normal behavior that could potentially signal an ongoing masquerade attack. Such approaches suffer from high false positive rates. Other work investigated the use of trap-based mechanisms as a means for detecting insider attacks in general. In this paper, we investigate the use of such trap-based mechanisms for the detection of masquerade attacks. We evaluate the desirable properties of decoys deployed within a user’s file space for detection. We investigate the trade-offs between these properties through two user studies, and propose recommendations for effective masquerade detection using decoy documents based on findings from our user studies.







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Malek Ben Salem (1)
  • Salvatore J. Stolfo (1)
  1. Computer Science Department, Columbia University, New York, New York, USA
