Towards Building a Masquerade Detection Method Based on User File System Navigation

  • Benito Camiña
  • Raúl Monroy
  • Luis A. Trejo
  • Erika Sánchez
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7094)


Given that information is an extremely valuable asset, it is vital to timely detect whether one’s computer (session) is being illegally seized by a masquerader. Masquerade detection has been actively studied for more than a decade, especially after the seminal work of Schonlau’s group, who suggested that, to profile a user, one should model the history of the commands she would enter into a UNIX session. Schonlau’s group have yielded a masquerade dataset, which has been the standard for comparing masquerade detection methods. However, the performance of these methods is not conclusive, and, as a result, research on masquerade detection has resorted to other sources of information for profiling user behaviour. In this paper, we show how to build an accurate user profile by looking into how the user structures her own file system and how she navigates such structure. While preliminary, our results are encouraging and suggest a number of ways in which new methods can be constructed.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16, 58–74 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Schonlau, M.: Masquerading user data (2008),
  3. 3.
    Maxion, R.A., Townsend, T.N.: Masquerade detection augmented with error analysis. IEEE Transactions on Reliability 53, 124–147 (2004)CrossRefGoogle Scholar
  4. 4.
    Oka, M., Oyama, Y., Abe, H., Kato, K.: Anomaly Detection using Layered Networks based on Eigen Co-occurrence Matrix. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 223–237. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Latendresse, M.: Masquerade Detection via Customized Grammars. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 141–159. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Posadas, R., Mex-Perera, C., Monroy, R., Nolazco-Flores, J.: Hybrid Method for Detecting Masqueraders using Session Folding and Hidden Markov Models. In: Gelbukh, A., Reyes-Garcia, C.A. (eds.) MICAI 2006. LNCS (LNAI), vol. 4293, pp. 622–631. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Maxion, R.A.: Masquerade detection using enriched command lines. In: Proceedings of the International Conference on Dependable Systems and Networks, DSN 2003, pp. 5–14. IEEE Computer Society Press, San Francisco (2003)Google Scholar
  8. 8.
    Garg, A., Rahalkar, R., Upadhyaya, S., Kwiat, K.: Profiling users in GUI based systems masquerade detection. In: Proceedings of the 7th IEEE Information Assurance Workshop, pp. 48–54. IEEE Computer Society Press (2006)Google Scholar
  9. 9.
    Killourhy, K.S., Maxion, R.A.: Why did my detector do that?! - Predicting Keystroke-Dynamics Error Rates. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 256–276. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Sankaranarayanan, V., Pramanik, S., Upadhyaya, S.: Detecting masquerading users in a document management system. In: Proceedings of the IEEE International Conference on Communications, ICC 2006, vol. 5, pp. 2296–2301. IEEE Computer Society Press (2006)Google Scholar
  11. 11.
    Chinchani, R., Muthukrishnan, A., Chandrasekaran, M., Upadhyaya, S.: RACOON: Rapidly generating user command data for anomaly detection from customizable templates. In: Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC 2004, pp. 189–204. IEEE Computer Society Press (2004)Google Scholar
  12. 12.
    Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Hershkop, S., Keromytis, A., Sinclair, S., Smith, S.W. (eds.) Insider Attack and Cyber Security: Beyond the Hacker. Advances in Information Security, pp. 69–90. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Bertacchini, M., Fierens, P.: A survey on masquerader detection approaches. In: Proceedings of V Congreso Iberoamericano de Seguridad Informática, Universidad de la República de Uruguay, pp. 46–60 (2008)Google Scholar
  14. 14.
    Schonlau, M., Theus, M.: Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters 76, 33–38 (2000)CrossRefGoogle Scholar
  15. 15.
    Nevill-Manning, C.G., Witten, I.H.: Identifying hierarchical structure in sequences: a linear-time algorithm. Journal of Artificial Intelligence Research, JAIR 7, 67–82 (1997)zbMATHGoogle Scholar
  16. 16.
    Maxion, R.A., Townsend, T.N.: Masquerade detection using truncated command lines. In: Proceedings of the International Conference on Dependable Systems & Networks, pp. 219–228. IEEE Computer Society Press, Washington, DC (2002)CrossRefGoogle Scholar
  17. 17.
    Wang, K., Stolfo, S.: One-class training for masquerade detection. In: Proceedings of the 3rd IEEE Conference Data Mining Workshop on Data Mining for Computer Security. IEEE (2003)Google Scholar
  18. 18.
    Razo-Zapata, I., Mex-Perera, C., Monroy, R.: Masquerade attacks based on user’s profile. Journal of Systems and Software ?, ?–? (2011) (submitted for evaluation)Google Scholar
  19. 19.
    Ben-Salem, M., Stolfo.: Modeling user search behavior for masquerade detection. Computer Science Technical Reports 033, Columbia University (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Benito Camiña
    • 1
  • Raúl Monroy
    • 1
  • Luis A. Trejo
    • 1
  • Erika Sánchez
    • 1
  1. 1.Computer Science DepartmentTecnológico de Monterrey — Campus Estado de MéxicoEstado de MéxicoMéxico

Personalised recommendations