Detection of masqueraders based on graph partitioning of file system access events

Masqueraders are users who take control of a machine and perform malicious activities such as data exfiltration or system misuse on behalf of legitimate users. In the literature, there are various approaches for detecting masqueraders by modeling legitimate users' behavior during their daily tasks and automatically determining whether they are doing something suspicious. Usually, these techniques model user behavior using features extracted from various sources, such as the file system, network activities, system calls, etc. In this work, we propose a one-class anomaly detection approach that measures similarities between a user's history and the events recorded in a time window of the user's session which is to be classified. The idea behind our solution is the application of a graph partitioning technique to weighted oriented graphs generated from such event sequences, while considering that strongly connected nodes have to belong to the same cluster. First, a history of vertex clusters is built for each user, and then this history is compared to a new input using a similarity function, which leads either to the acceptance or rejection of the new input. This makes our approach substantially different from existing general graph-based approaches that consider graphs as a single entity. The approach can be applied to different kinds of homogeneous event sequences; however, successful application of the approach will be demonstrated on file system access events only. The linear time complexity of the approach was demonstrated in the experiments, and the performance evaluation was done using two state-of-the-art datasets, WUIL and TWOS, both of them containing file system access logs of legitimate users and masquerade attackers. For the WUIL dataset we achieved an average per-user AUC of 0.94, a TPR over 95%, and a FPR less than 10%, while for the TWOS dataset we achieved an average per-user AUC of 0.851, a TPR over 91%, and a FPR around 11%. © 2018 IEEE.


Bibliographic Details
Main Authors: Toffalini F., Homoliak I., Harilal A., Binder A., Ochoa M.
Format: Conference Object
Language: English
Published: Institute of Electrical and Electronics Engineers Inc. 2018
Subjects:
Online access: https://repository.urosario.edu.co/handle/10336/22859
https://doi.org/10.1109/SPW.2018.00037
id ir-10336-22859
recordtype dspace
institution EdocUR - Universidad del Rosario
collection DSpace
language English
topic Behavioral research
File organization
Graphic methods
Network security
Real time systems
Anomaly detection
File systems
Graph Partitioning
Insider Threat
Markov cluster
Masquerader
Graph theory
Anomaly detection
File system
Graph partitioning
Insider threat
Markov cluster
Masquerader
description Masqueraders are users who take control of a machine and perform malicious activities such as data exfiltration or system misuse on behalf of legitimate users. In the literature, there are various approaches for detecting masqueraders by modeling legitimate users' behavior during their daily tasks and automatically determining whether they are doing something suspicious. Usually, these techniques model user behavior using features extracted from various sources, such as the file system, network activities, system calls, etc. In this work, we propose a one-class anomaly detection approach that measures similarities between a user's history and the events recorded in a time window of the user's session which is to be classified. The idea behind our solution is the application of a graph partitioning technique to weighted oriented graphs generated from such event sequences, while considering that strongly connected nodes have to belong to the same cluster. First, a history of vertex clusters is built for each user, and then this history is compared to a new input using a similarity function, which leads either to the acceptance or rejection of the new input. This makes our approach substantially different from existing general graph-based approaches that consider graphs as a single entity. The approach can be applied to different kinds of homogeneous event sequences; however, successful application of the approach will be demonstrated on file system access events only. The linear time complexity of the approach was demonstrated in the experiments, and the performance evaluation was done using two state-of-the-art datasets, WUIL and TWOS, both of them containing file system access logs of legitimate users and masquerade attackers. For the WUIL dataset we achieved an average per-user AUC of 0.94, a TPR over 95%, and a FPR less than 10%, while for the TWOS dataset we achieved an average per-user AUC of 0.851, a TPR over 91%, and a FPR around 11%. © 2018 IEEE.
format Conference Object
author Toffalini F.
Homoliak I.
Harilal A.
Binder A.
Ochoa M.
title Detection of masqueraders based on graph partitioning of file system access events
publisher Institute of Electrical and Electronics Engineers Inc.
publishDate 2018
url https://repository.urosario.edu.co/handle/10336/22859
https://doi.org/10.1109/SPW.2018.00037