Detecting Masqueraders by Profiling User Behaviors

Haohui Peng, Wei Wang
Published in: 2018 Eighth International Conference on Instrumentation & Measurement, Computer, Communication and Control (IMCCC)
Publication date: 2018-07-01
DOI: 10.1109/IMCCC.2018.00101 (https://doi.org/10.1109/IMCCC.2018.00101)
Citations: 0

Abstract

Insider attacks are a serious threat to enterprises, organizations and countries, and have become a widely studied topic in the field of information security. This paper aims to detect masqueraders effectively by profiling user behavior from keystrokes and network traffic. The fly-time of digraphs is used to model users' keystroke behavior. User network behavior is modeled with statistical and text features extracted from network traffic. The K-Means classifier is used to classify network traffic, and the different classification results are mapped to different user operations accordingly. Extensive experimental results show that, with users' keystroke models, the detection rate ranges from 77% to 87.5% and the false alarm rate is 0.44%. With network models, the detection rate is 100% with a false alarm rate of 0.05%. In conclusion, network traffic can describe user network behavior precisely, while the detection rate for keystroke behavior suffers from insufficient keyboard input from users. A masquerader detection mechanism based on one specific user behavior cannot reach satisfactory results, since the corresponding data is insufficient in different scenarios. It is necessary to use both types of behavior for different scenarios to achieve a better detection result.