Sequence-based masquerade detection for different user groups


Sen S.

SECURITY AND COMMUNICATION NETWORKS, vol.8, no.7, pp.1265-1278, 2015 (Journal Indexed in SCI)

  • Volume: 8 Issue: 7
  • Publication Date: 2015
  • DOI: 10.1002/sec.1080
  • Journal Name: SECURITY AND COMMUNICATION NETWORKS
  • Pages: pp.1265-1278

Abstract

Insider threats are one of the biggest threats that organizations are confronted with today. A masquerader who impersonates another user for his malicious activities has been studied extensively in the literature. The approaches proposed on masquerade detection mainly assume that masquerader behavior will deviate from the typical behavior of the victim. This research presents a rigorous evaluation of sequence-based approaches based on this assumption. The main idea underlying sequence-based approaches is that users type similar commands, in a similar order, every time to do a specific job, and these similarities could distinguish users from others. Sequence-based approaches in the literature only consider commands typed in a specific order, at all times. In this research, we also take into account typing similar commands in a command sequence, but in an unordered way, in the newly proposed method, Matching of Unordered Command Sequences. We compare this new technique with another sequence-based approach called Matching of Ordered Command Sequences, and a command-based approach called Matching of Commands. These techniques are evaluated with varying parameters in order to explore how the order of commands, the variations in a command sequence, and the variety of commands affect masquerade detection. Furthermore, the performance of these methods on different types of users and masqueraders is analyzed. We explore what kind of users are easily distinguishable from others, and what kind of masqueraders are difficult to detect. Copyright (c) 2014 John Wiley & Sons, Ltd.