DocumentCode :
1863030
Title :
Analysis of command frequency and command sequence grammar in IDS
Author :
Zhou, Jian ; Shirai, Haruhiko ; Kuroiwa, Jousuke ; Odaka, Tomohiro ; Ogura, Hisakazu
Author_Institution :
Venture Bus. Lab., Univ. of Fukui, Fukui
fYear :
2008
fDate :
25-27 June 2008
Firstpage :
113
Lastpage :
118
Abstract :
A masquerader is someone who impersonates another user and operates a computer system with privileged access. Masqueraders are difficult to detect with conventional techniques such as firewalls or misuse-based intrusion detection. Anomaly detection has been considered a promising approach to masquerade detection; it is based on the idea that significant departures from normal behavior can be attributed to a masquerade. However, because of low detection accuracy and a high false alarm rate, it is still at the research stage. Many methods have been proposed from different viewpoints, such as Hidden Markov Models, Naive Bayes, SVM, and so on. Compared with other methods that have sound theoretical backgrounds, two intuitively determined statistical methods, the Customized Grammars method and the Self Signature approach combined with Uniqueness, reported much better detection efficiency. Both methods are based on the intuitive notion that the more frequently a usage pattern was previously employed by the current user, the more indicative it is of normal behavior. On the other hand, the usage-pattern statistics in the Customized Grammars method are based on sequential grammars, whereas those of the Self Signature approach combined with Uniqueness are based on commands and 2-grams. In this paper, these two methods are compared and evaluated on two benchmark data sets of Unix command sequences: the Schonlau data and the Greenberg data. As a result, the contributions of command frequency and command sequence grammar in IDS are analyzed and clarified.
Keywords :
Unix; authorisation; grammars; statistical analysis; Greenberg data; IDS; Schonlau data; Unix command sequence; anomaly detection; command frequency; command sequence grammar; customized grammars; firewall; masquerade detection; misuse-based intrusion detection; self signature approach; statistical methods; Application software; Computer applications; Computer industry; Data security; Frequency; Hidden Markov models; Intrusion detection; Statistical analysis; Statistics; Support vector machines; Command sequence; Customized grammar; Intrusion detection system (IDS); Masquerade detection; N-gram; Self signature; Uniqueness; Unix;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Soft Computing in Industrial Applications, 2008. SMCia '08. IEEE Conference on
Conference_Location :
Muroran
Print_ISBN :
978-1-4244-3782-5
Electronic_ISBN :
978-4-9904-2590-6
Type :
conf
DOI :
10.1109/SMCIA.2008.5045945
Filename :
5045945