Multi application user profiling for masquerade attack detection

Abstract

A masquerade attack, or impersonation attack, is one in which an illegitimate user gains unauthorized privileges on a system. Detecting these attacks is more complex because insiders carry out most of them. A masquerade attack is detected by profiling a user's system usage: if the user's observed behavior deviates from his or her normal profile, the user is flagged as a masquerader. Most research has used command-line data and GUI usage analysis. Command-line data (commands, logs and system calls) and GUI profiling based on keyboard and mouse activity cannot capture the complete event behavior of users, because users are not confined to a single application during a usage period. Hence it is very difficult to detect a masquerader in existing systems. In this paper we propose a new framework that captures data across multiple applications to build the user profile. We developed our own tool to capture event data across multiple applications. Our experimental results show that our framework detects better than the existing methods. We applied four different classifiers, K-Nearest Neighbor, SVM, BayesNet and Naïve Bayes, to the collected user profiles. Our results show that K-NN is the best classifier for the collected multi-application GUI data. © 2011 Springer-Verlag.

Cite

Saljooghinejad, H., & Rathore, W. N. (2011). Multi application user profiling for masquerade attack detection. In Communications in Computer and Information Science (Vol. 191 CCIS, pp. 676–684). https://doi.org/10.1007/978-3-642-22714-1_70
