Masquerade detection based upon GUI user profiling in Linux systems

Date
2007-01-01
Authors
Bhukya, Wilson Naik
Kommuru, Suneel Kumar
Negi, Atul
Abstract
A masquerade or impersonation attack is the act of gaining access to confidential data or greater access privileges while pretending to be a legitimate user. Detecting masquerade attacks is of great importance and is a non-trivial task in system security. Such attacks are detected by monitoring significant changes in a user's behavior, based on his or her computer usage. Traditional detection mechanisms are based on command-line system events collected from log files. In a GUI-based system, most user activity is performed using either mouse movements and clicks or a combination of mouse movements and keystrokes. Command-line data cannot capture the complete GUI event behavior of users and hence is insufficient to detect attacks in GUI-based systems. Presently, there is no framework available to capture GUI-based user behavior in Linux systems. We propose a novel approach to capturing GUI-based user behavior on Linux systems using our event logging tool. Our experimental results show that GUI-based user behavior can be used efficiently for masquerade attack detection, achieving high detection rates with few false positives. We applied a One-class SVM to the collected data, which requires training only on the user's own legitimate sessions to build the user's profile. Our results on GUI data using a One-class SVM give higher detection rates with fewer false positives than a Two-class SVM approach. © Springer-Verlag Berlin Heidelberg 2007.
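The pipeline the abstract describes, as an added illustration that is not the authors' event logging tool or experiment code: GUI events are logged per session, each session is reduced to a behaviour feature vector (event rates, pointer speed, mouse-versus-keyboard share), a profile is trained from the user's own legitimate sessions only, and new sessions are scored against it. The paper trains a One-class SVM; in this example a simpler one-class model (a per-feature z-score envelope learned from legitimate sessions alone) stands in for it so the code runs with the Python standard library. The log line format, the session names and all event data are constructed here and are not the paper's data.

```python
"""Added example (not the paper's tool or code): one-class GUI behaviour
profiling over constructed mouse/keyboard event logs. The One-class SVM of
the paper is replaced by a per-feature z-score envelope trained on the
user's legitimate sessions only."""
import math
import statistics
from collections import defaultdict

FEATURES = ("moves_per_min", "clicks_per_min", "keys_per_min",
            "mean_speed_px_s", "mouse_fraction")


def make_session(name, n_events, gap_ms, step_px, click_every, key_every):
    """Constructed log lines for one session. Assumed line format:
    '<session> <t_ms> MOVE <x> <y>' | '<session> <t_ms> CLICK <button>' |
    '<session> <t_ms> KEY <keysym>'. The pointer moves in a fixed pattern,
    so speed depends only on step_px and gap_ms."""
    lines, x, y = [], 100, 100
    for i in range(1, n_events + 1):
        t = i * gap_ms
        if i % key_every == 0:
            lines.append(f"{name} {t} KEY {'a' if i % 2 else 'Return'}")
        elif i % click_every == 0:
            lines.append(f"{name} {t} CLICK {1 if i % 3 else 3}")
        else:
            x += step_px
            y += step_px if i % 7 else -6 * step_px
            lines.append(f"{name} {t} MOVE {x} {y}")
    return lines


def parse(lines):
    """Group raw log lines by session id, keeping (t_ms, kind, args)."""
    sessions = defaultdict(list)
    for line in lines:
        sid, t, kind, *args = line.split()
        sessions[sid].append((int(t), kind, args))
    return sessions


def features(events):
    """Reduce one session's events to the FEATURES vector."""
    events = sorted(events, key=lambda e: e[0])
    counts = {"MOVE": 0, "CLICK": 0, "KEY": 0}
    last_move, dist_px, dt_ms = None, 0.0, 0
    for t, kind, args in events:
        counts[kind] += 1
        if kind == "MOVE":
            x, y = int(args[0]), int(args[1])
            if last_move is not None:
                lt, lx, ly = last_move
                dist_px += math.hypot(x - lx, y - ly)
                dt_ms += t - lt
            last_move = (t, x, y)
    minutes = max((events[-1][0] - events[0][0]) / 60000.0, 1e-9)
    total = sum(counts.values())
    return {
        "moves_per_min": counts["MOVE"] / minutes,
        "clicks_per_min": counts["CLICK"] / minutes,
        "keys_per_min": counts["KEY"] / minutes,
        "mean_speed_px_s": dist_px / (dt_ms / 1000.0) if dt_ms else 0.0,
        "mouse_fraction": (counts["MOVE"] + counts["CLICK"]) / total,
    }


def train_profile(rows, rel_floor=0.05):
    """One-class profile from legitimate sessions only: per-feature mean and
    spread. The spread is floored at 5% of the mean so a feature that is
    constant in training does not flag every tiny change."""
    profile = {}
    for f in FEATURES:
        vals = [row[f] for row in rows]
        mu = statistics.fmean(vals)
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        profile[f] = (mu, max(sd, rel_floor * abs(mu), 1e-9))
    return profile


def score(profile, row):
    """Largest per-feature deviation, in standard-deviation units."""
    return max(abs(row[f] - mu) / sd for f, (mu, sd) in profile.items())


def is_masquerade(profile, row, threshold=4.0):
    return score(profile, row) > threshold


def demo():
    """Train on four legitimate sessions of one user, then score a fresh
    legitimate session and a constructed masquerade session (much faster
    pointer, keyboard-heavy, no clicks)."""
    train = []
    for i, (gap, step) in enumerate([(100, 10), (110, 12), (95, 11), (105, 9)]):
        train += make_session(f"alice-{i}", 600, gap, step, 10, 4)
    profile = train_profile([features(ev) for ev in parse(train).values()])
    probe = parse(make_session("alice-new", 600, 102, 11, 10, 4)
                  + make_session("intruder", 600, 40, 40, 30, 2))
    return {sid: (round(score(profile, features(ev)), 2),
                  is_masquerade(profile, features(ev)))
            for sid, ev in probe.items()}


if __name__ == "__main__":
    for sid, (s, flagged) in demo().items():
        print(f"{sid:10s} score={s:8.2f} masquerade={flagged}")
```

Only legitimate sessions enter `train_profile`, which is the practical point of the one-class setting: no masquerade sessions have to be collected or labelled. The spread floor matters in practice because a user with very regular habits yields near-zero variance on some feature, and without a floor any session would be flagged on it.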
Keywords
Anomaly detection, GUI based profiling, Intrusion detection, KDE, Linux profiling, Masquerade detection, Mouse events, One-class SVM
Citation
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). v.4846 LNCS