Sequence-based masquerade detection for different user groups

Sen S.

SECURITY AND COMMUNICATION NETWORKS, vol.8, no.7, pp.1265-1278, 2015 (Journal Indexed in SCI)

  • Publication Type: Article
  • Volume: 8 Issue: 7
  • Publication Date: 2015
  • DOI Number: 10.1002/sec.1080
  • Page Numbers: pp.1265-1278


Insider threats are one of the biggest threats that organizations are confronted with today. A masquerader who impersonates another user for his malicious activities has been studied extensively in the literature. The approaches proposed for masquerade detection mainly assume that masquerader behavior will deviate from the typical behavior of the victim. This research presents a rigorous evaluation of sequence-based approaches based on this assumption. The main idea underlying sequence-based approaches is that users type similar commands, in a similar order, every time to do a specific job, and these similarities could distinguish users from others. Sequence-based approaches in the literature only consider commands typed in a specific order, at all times. In this research, we also take into account typing similar commands in a command sequence, but in an unordered way, in the newly proposed method, Matching of Unordered Command Sequences. We compare this new technique with another sequence-based approach called Matching of Ordered Command Sequences, and a command-based approach called Matching of Commands. These techniques are evaluated with varying parameters in order to explore how the order of commands, the variations in a command sequence, and the variety of commands affect masquerade detection. Furthermore, the performance of these methods on different types of users and masqueraders is analyzed. We explore what kind of users are easily distinguishable from others, and what kind of masqueraders are difficult to detect. Copyright (c) 2014 John Wiley & Sons, Ltd.