A User Behavior Monitoring And Profiling Scheme For Masquerade Detection

MACHINE LEARNING: THEORY AND APPLICATIONS, VOL 31(2013)

Abstract
A masquerading attack refers to conducting malicious activities on a computer system by impersonating another user. Such attacks are difficult to detect with standard intrusion detection sensors when they are carried out by insiders who have knowledge of the system. One approach to detecting masquerading attacks is to build user profiles and monitor for significant changes in a user's behavior at runtime. Intrusion detectors based on this principle have typically used user command-line data to build such profiles. This data does not represent a user's complete behavior in a graphical user interface (GUI)-based system and hence is not sufficient to quickly and accurately detect masquerade attacks. In this chapter, we present a new empirically driven framework for creating a unique feature set for user behavior monitoring on GUI-based systems. For a proof-of-concept demonstration, we use a small set of real user behavior data from live systems and extract parameters to construct these feature vectors. The feature vectors contain user information such as mouse speed, distance, angles, and number of clicks, and keystroke dynamics during a user session. We then formulate our technique of user identification and masquerade detection as a binary classification problem and use a Support Vector Machine (SVM) to learn and classify user actions as intrusive or benign. We show that our technique based on these feature vectors can provide detection rates of up to 96% with low false positive rates. We have tested our technique with various feature vector parameters and concluded that these feature vectors can provide unique and comprehensive user behavior information and are powerful enough to detect masqueraders.
Keywords
GUI-based profiling, intrusion detection, masquerade detection, support vector machine