Detecting Masqueraders Using High Frequency Commands as Signatures Hui Shi CS776
Outline • Intrusion Detection • Introduction of the paper • High Frequency Command Method • Experimental Results and improvements • Conclusion
Introduction to Intrusion Detection • Cost • Privacy • Safety • Goal: prevent unauthorized access to system resources and data
Definition • Anderson, while introducing the concept of intrusion detection in 1980, defined an intrusion attempt or a threat to be the potential possibility of a deliberate unauthorized attempt to • access information • manipulate information • or render a system unreliable or unusable.
Approaches • Learnt Model • Rule-based • Expert System • Model-based • Data Mining • Neural Networks • Pattern Matching • Statistical-based • Specification Model • Protocol-based • State-based
Classification • Network IDS can be categorized into • Anomaly detection • Misuse detection
anomaly detection • Anomaly detection is carried out based on the desired or positive behavior of users and processes. Based on this normative specification of positive behavior, attacks are identified by observing deviations from the established normal usage profiles. It does not require prior knowledge of intrusions and can thus detect new intrusions.
misuse detection • Misuse detection is based on the specification of the undesirable or negative behavior of users and processes. It tries to detect patterns of known attacks and weak spots in a system. It performs a pattern match between audit data streams and an attack signature and generates an alarm if the match is successful.
problems • Anomaly-based intrusion detection has the potential to detect all intrusions but has the limitation of a higher false alarm rate. • A misuse detection system can identify known intrusions but cannot detect novel intrusions.
Model • An intrusion detection system builds the behavior models of a resource using a set of features, or feature vector • FV = {F1, F2, . . . , Fn}, where Fi is a feature in the feature set. • Every feature in the feature vector can be one of these types: • A feature associated with an instant of time, e.g., the fields in the current packet • Or with a time interval, e.g., the number of SYN packets within 2 seconds • Or with the context of a current event, e.g., the system-call events.
Behavior signature • Assume that there is a feature vector for intrusion detection FV = {F1, F2, . . . , Fn}, and that the feature ranges of every feature are determined beforehand. • The behavior signature is the combination of the feature ranges of all the features in FV.
Two elements • Feature • The range of all the features
Outline • Intrusion Detection • Introduction of the paper • High Frequency Command Method • Experimental Results and improvements • Conclusion
Introduction of the paper • This paper uses the high frequency commands (HFC) to characterize a user’s normal behavior • Masqueraders are people who impersonate other people on the computer. They usually are insiders with malicious intent trying to hide their identity by impersonating other users. • They could also be intruders from outside—although in practice most outside intruders immediately try to gain access to the account of the super-user and therefore are a special case.
Introduction of the paper • Under a Unix system, each user has a distinctive behavior when using Unix commands. • A profile is built for each user to represent that user's typical behavior. • If the input data, called the signature, deviates from the profile significantly, we should be able to identify a masquerader. • A dissimilarity between profile and signature is defined: the larger the difference, the more probable it is that the signature is a masquerade.
Introduction of the paper • The features are the commands and their frequencies. • The behavior signature is the range of frequencies of the high frequency commands.
Outline • Intrusion Detection • Introduction of the paper • High Frequency Command Method • Experimental Results and improvements • Conclusion
Algorithm 1: Profile Algorithm (Cmd and Freq are the training commands sorted by descending frequency; n is the number of top commands kept)
  CmdSize = max{i | Freq[i] ≠ 0};
  if (CmdSize > n) CmdSize = n;
  for (i = 1; i <= n; i++) {
    if (i <= CmdSize) {
      PCmd[i] = Cmd[i];
      PFreq[i] = Freq[i];
    } else {
      PCmd[i] = "*";   // dummy command: the user has fewer than n distinct commands
      PFreq[i] = 0;
    }
  }
Algorithm 2: Signature Algorithm (Cmd and Freq now come from the block under test, with m distinct commands)
  for (i = 1; i <= CmdSize; i++)
    for (j = 1; j <= m; j++)
      if (PCmd[i] == Cmd[j])
        SFreq[i] = Freq[j];
  for (i = CmdSize + 1; i <= n; i++)   // fill the dummy slots of the profile
    SFreq[i] = Freq[j], where j is the smallest index of an unused command in Cmd;
Dissimilarity Algorithm • fp is the frequency of the profile, fs is the frequency of the signature, and n is the number of top frequency commands • tn is the accumulated frequency of top n commands.
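The two algorithms and the dissimilarity step, as an added Python example that is not code from the paper or the deck. The slides name fp, fs, n and tn but do not give the dissimilarity formula, so the formula used here (the area between the two frequency curves, sum |fp - fs| over the top n commands, divided by tn) is an assumption; the command blocks are constructed sample data.

```python
from collections import Counter

DUMMY = "*"  # placeholder for profile slots beyond the user's distinct commands

# Constructed sample blocks (not from the paper's data set).
TRAIN = ["ls"] * 5 + ["cd"] * 3 + ["vi"] * 2            # the user's clean training block
CLEAN = ["ls"] * 4 + ["cd"] * 3 + ["vi"] * 2 + ["cat"]  # later block by the same user
MASQ = ["gcc"] * 5 + ["make"] * 3 + ["ls"] * 2          # block typed by someone else

def build_profile(train_cmds, n):
    """Algorithm 1: keep the n most frequent training commands and their
    frequencies; pad with dummy entries when fewer than n commands occur."""
    ranked = Counter(train_cmds).most_common(n)  # Cmd/Freq sorted by frequency
    pad = n - len(ranked)                        # n - CmdSize dummy slots
    pcmd = [c for c, _ in ranked] + [DUMMY] * pad
    pfreq = [f for _, f in ranked] + [0] * pad
    return pcmd, pfreq

def build_signature(pcmd, test_cmds):
    """Algorithm 2: count each profile command in the test block; dummy slots
    take the frequencies of the most frequent test commands not in the profile."""
    counts = Counter(test_cmds)
    sfreq = [counts[c] for c in pcmd if c != DUMMY]
    unused = [f for c, f in counts.most_common() if c not in pcmd]
    for _ in range(pcmd.count(DUMMY)):
        sfreq.append(unused.pop(0) if unused else 0)
    return sfreq

def dissimilarity(pfreq, sfreq):
    """Assumed measure: area between profile and signature frequency curves,
    sum |fp - fs| over the top n commands, normalised by tn (the accumulated
    profile frequency of those n commands)."""
    tn = sum(pfreq)
    return sum(abs(fp - fs) for fp, fs in zip(pfreq, sfreq)) / tn

def score_block(train_cmds, test_cmds, n):
    """Profile the training block, build the test block's signature, return d."""
    pcmd, pfreq = build_profile(train_cmds, n)
    return dissimilarity(pfreq, build_signature(pcmd, test_cmds))

if __name__ == "__main__":
    print("clean block d =", score_block(TRAIN, CLEAN, 4))      # 0.2
    print("masquerade block d =", score_block(TRAIN, MASQ, 4))  # 1.3
```

The clean block scores far below the masquerade block, which is the gap a threshold would be placed in.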
Outline • Intrusion Detection • Introduction of the paper • High Frequency Command Method • Experimental Results and improvements • References
Data for experiments • The database contains 50 users with 15,000 commands for each user. • For each user, the first 5,000 commands contain the clean data. The masquerade data is put into the remaining 10,000 commands for testing. • Each user has one profile and 100 signatures. • The experiment is conducted with three methods (orders 0, 1, and 2). • For each user, after computing the area difference between its profile and each of its 100 signatures, 100 dissimilarity measures are obtained. • Thus for the 50 users, there are a total of 5,000 dissimilarity measures.
Three trend lines are included • The original signature is treated as a 0-th order trend line. • Trend lines of order 1 and 2 are smoothing methods that use first- and second-order polynomial trend lines to compute the area difference between a signature and a profile. • If the dissimilarity between the profile and the trend line is large, the signature behaves differently from the profile and potentially contains a masquerader.
Threshold • For a masquerade block, if the dissimilarity score was higher than the threshold, it was positively identified as true positive. On the other hand, if the score was lower than the threshold, a false negative (FN) happened. • Similarly, for a clean block, if the dissimilarity score was lower than the threshold, then our algorithm made a correct prediction (true negative). If the score is higher than the threshold, then we had a false positive (FP) case. • Use experiments to see what a reasonable threshold should be
Secondary Profile • First, build the profile just as described in Section 2. After that, compute a secondary profile for the top 40 commands. The i-th secondary command is selected based on the i-th command of the profile: • PCmd2[i] = {c | c is the most common command following PCmd[i] in the training data set}. • So each profile has a secondary profile with up to 40 commands. In most cases, the secondary profile looks very different from the first one. Note that the secondary profile depends on the first one.
Combine two profiles • The combined dissimilarity is (d1*w1) + (d2*w2), • where di is the dissimilarity of profile i (primary or secondary) and w1 + w2 = 1. • w1 = (100 - FP1) / [(100 - FP1) + (100 - FP2)] • w2 = (100 - FP2) / [(100 - FP1) + (100 - FP2)], where FPi is the false positive rate (in percent) measured for profile i.
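The secondary profile and the weighted combination of the two dissimilarities, as an added Python example that is not code from the paper or the deck; the training block is constructed, and the primary profile commands are taken as the two most frequent commands of that block.

```python
from collections import Counter

# Constructed training block for one user (not data from the paper).
TRAIN = ["ls", "cd", "ls", "vi", "cd", "ls", "cd", "make"]

def secondary_profile(train_cmds, pcmd):
    """PCmd2[i] = the command that most often follows PCmd[i] in the training
    data; "*" (a dummy) when a profile command never has a successor."""
    followers = {c: Counter() for c in pcmd}
    for cur, nxt in zip(train_cmds, train_cmds[1:]):  # consecutive command pairs
        if cur in followers:
            followers[cur][nxt] += 1
    return [followers[c].most_common(1)[0][0] if followers[c] else "*"
            for c in pcmd]

def combine_weights(fp1, fp2):
    """w1, w2 from the false positive rates (percent) measured for the primary
    and secondary profile: the profile with fewer false positives weighs more."""
    denom = (100 - fp1) + (100 - fp2)
    return (100 - fp1) / denom, (100 - fp2) / denom

def combined_dissimilarity(d1, d2, fp1, fp2):
    """d = d1*w1 + d2*w2, with w1 + w2 = 1."""
    w1, w2 = combine_weights(fp1, fp2)
    return d1 * w1 + d2 * w2

if __name__ == "__main__":
    top = [c for c, _ in Counter(TRAIN).most_common(2)]  # primary profile commands
    print(top, "->", secondary_profile(TRAIN, top))     # ['ls', 'cd'] -> ['cd', 'ls']
    print(combined_dissimilarity(1.0, 0.5, 10, 30))     # 0.78125
```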
Outline • Intrusion Detection • Introduction of the paper • High Frequency Command Method • Experimental Results and improvements • References
Conclusion • The paper proposes the High Frequency Command (HFC) method to characterize a user's normal behavior in order to detect masqueraders. The hypothesis holds: the HFC method can be used as a signature to identify a user. • In Intrusion Detection terms: • Feature: the commands and their frequencies • Behavior signature: the frequency ranges of the high frequency commands
References • Ming Dong Wan, Han-Ching Wu, Ying-Wei Kuo, et al., "Detecting Masqueraders Using High Frequency Commands as Signatures," 22nd International Conference on Advanced Information Networking and Applications - Workshops, pp. 596-601. • M. Schonlau and M. Theus, "Detecting Masquerades in Intrusion Detection Based on Unpopular Commands," Information Processing Letters 76, 2000, pp. 33-38. • M. Schonlau, W. DuMouchel, Wen-Hua Ju, A. F. Karr, M. Theus, and Y. Vardi, "Computer Intrusion: Detecting Masquerades," Statistical Science, 2001, pp. 58-74. • Zhuowei Li, A. Das, and Jianying Zhou, "Theoretical Basis for Intrusion Detection," Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop, 2005, pp. 184-192. • J. P. Anderson, Computer Security Threat Monitoring and Surveillance, Technical report, James P. Anderson Co., Fort Washington, Pennsylvania, April 1980.