• DocumentCode
    2175391
  • Title

    Masquerade detection using truncated command lines

  • Author

    Maxion, Roy A. ; Townsend, Tahlia N.

  • Author_Institution
    Dependable Syst. Lab., Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2002
  • fDate
    2002
  • Firstpage
    219
  • Lastpage
    228
  • Abstract
    A masquerade attack, in which one user impersonates another, can be the most serious form of computer abuse. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior, as represented by a user profile formed from system audit data. While the success of this approach has been limited, the reasons for its unsatisfying performance are not obvious, possibly because most reports do not elucidate the origins of errors made by the detection mechanisms. This paper takes as its point of departure a recent series of experiments framed by Schonlau et al. (2001). In extending that work with a new classification algorithm, a 56% improvement in masquerade detection was achieved at a corresponding false-alarm rate of 1.3%. A detailed error analysis, based on an alternative data configuration, reveals why some users are good masqueraders and others are not.
  • Keywords
    auditing; security of data; classification algorithm; computer abuse; data configuration; errors; false alarm rate; masquerade attack detection; system audit data; truncated command lines; user profile; Classification algorithms; Computer science; Computer security; Costs; Error analysis; Information security; Keyboards; Laboratories; Monitoring; National security
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Dependable Systems and Networks, 2002. DSN 2002. Proceedings. International Conference on
  • Print_ISBN
    0-7695-1101-5
  • Type

    conf

  • DOI
    10.1109/DSN.2002.1028903
  • Filename
    1028903