DocumentCode
1630893
Title
User Behavior Analysis in Masquerade Detection Using Principal Component Analysis
Author
Wu, Han-Ching ; Huang, Shou-Hsuan Stephen
Author_Institution
Dept. of Comput. Sci., Univ. of Houston, Houston, TX
Volume
1
fYear
2008
Firstpage
201
Lastpage
206
Abstract
Network attackers usually compromise a legitimate user account to gain access to a host computer. To detect and prevent this kind of attack, it is typical to build an anomaly intrusion detection system (AIDS) to distinguish a legitimate user from an intruder, called a masquerader. One important hypothesis of this type of detection is that different users exhibit different behavior in their online activities. The user behavior can be captured and compared. The efficiency of an AIDS relies on the quality of the training data. Many prior studies encounter the problem of low hit rates and high false alarms. In this paper, we study the relationship between user behavior in terms of operating system commands and the success rate of detection. We first use principal component analysis (PCA) to select the commands that are highly effective in distinguishing users. Then we use these commands to classify users into categories. Our analysis shows a strong correlation between the false rate and the distance between these categories.
Keywords
operating systems (computers); principal component analysis; security of data; PCA; anomaly intrusion detection system; masquerade detection; operating system commands; principal component analysis; user behavior analysis; Acquired immune deficiency syndrome; Detectors; Electrochemical machining; Intelligent networks; Intelligent systems; Intrusion detection; Neural networks; Principal component analysis; Testing; Training data; Intrusion Detection; Masqueraders; Network Security; Principal Component Analysis; Profiles;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligent Systems Design and Applications, 2008. ISDA '08. Eighth International Conference on
Conference_Location
Kaohsiung
Print_ISBN
978-0-7695-3382-7
Type
conf
DOI
10.1109/ISDA.2008.243
Filename
4696203