A comparison of one-class bag-of-words user behavior modeling techniques for masquerade detection

Authors

  • Malek Ben Salem (corresponding author), Computer Science Department, Intrusion Detection Systems Laboratory, Columbia University, 500 W. 120th Street, Computer Science Building, New York, NY 10027, USA
  • Salvatore J. Stolfo, Computer Science Department, Intrusion Detection Systems Laboratory, Columbia University, New York, USA

ABSTRACT

A masquerade attack is a consequence of identity theft. In such attacks, the impostor impersonates a legitimate insider while performing illegitimate activities. These attacks are very hard to detect and can cause considerable damage to an organization. Prior work has focused on user command modeling to identify abnormal behavior indicative of impersonation. In this paper, we investigate the performance of two one-class user behavior profiling techniques: one-class Support Vector Machines (ocSVMs) and a Hellinger distance-based user behavior profiling technique. Both techniques model bags of words or commands and do not model sequences of commands. We use both techniques for masquerade detection and compare the experimental results. The objective is to evaluate which modeling technique is most suitable for use in an operational monitoring system, hence our focus is on accuracy and operational performance characteristics. We show that one-class SVMs are most practical for deployment in sensors developed for masquerade detection in the general case. We also show that for specific users whose profile fits the average user profile, one-class SVMs may not be the best modeling approach. Such users pose a more serious threat since they may be easier to mimic. Copyright © 2011 John Wiley & Sons, Ltd.
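The Hellinger-distance side of the comparison, as an added illustration that is not the paper's own code: a user's bag-of-commands profile is a normalised command-frequency distribution (order ignored), a test window is scored by its Hellinger distance to that profile, and the alert threshold is calibrated from the legitimate user's own training windows, which is what makes the detector one-class. The window size, the mean-plus-3-sigma threshold rule and all command data are constructed assumptions, not values taken from the paper.

```python
import math
from collections import Counter

# Constructed training data: five 10-command windows from one legitimate user.
TRAINING_WINDOWS = [
    ["ls", "cd", "vim", "make", "gcc", "ls", "cd", "vim", "make", "git"],
    ["ls", "ls", "cd", "vim", "vim", "make", "gcc", "git", "cd", "ls"],
    ["cd", "vim", "make", "make", "gcc", "ls", "git", "vim", "ls", "cd"],
    ["ls", "cd", "cd", "vim", "make", "gcc", "gcc", "ls", "git", "vim"],
    ["vim", "vim", "ls", "make", "cd", "git", "git", "ls", "gcc", "cd"],
]
# Constructed test windows: the same user later on, and an impostor on the account.
SELF_WINDOW = ["vim", "ls", "cd", "vim", "make", "git", "ls", "vim", "gcc", "cd"]
MASQ_WINDOW = ["ls", "cd", "wget", "tar", "chmod", "nc", "ssh", "scp", "curl", "wget"]


def bag_of_commands(commands):
    """Bag-of-words profile: relative frequency of each command, sequence ignored."""
    counts = Counter(commands)
    total = sum(counts.values())
    return {cmd: n / total for cmd, n in counts.items()}


def hellinger(p, q):
    """Hellinger distance between two discrete distributions: 0 = identical, 1 = disjoint."""
    vocab = set(p) | set(q)
    total = sum((math.sqrt(p.get(c, 0.0)) - math.sqrt(q.get(c, 0.0))) ** 2 for c in vocab)
    return math.sqrt(total) / math.sqrt(2)


def build_profile(windows):
    """The user's profile is the bag over all of that user's training commands."""
    return bag_of_commands([c for w in windows for c in w])


def calibrate_threshold(profile, windows, k=3.0):
    """Assumed rule (not from the paper): alert above mean + k*std of the
    distances between the user's own training windows and the profile."""
    dists = [hellinger(profile, bag_of_commands(w)) for w in windows]
    mean = sum(dists) / len(dists)
    std = math.sqrt(sum((d - mean) ** 2 for d in dists) / len(dists))
    return mean + k * std


def is_masquerade(profile, window, threshold):
    """One-class decision: only the legitimate user's data was needed to train."""
    return hellinger(profile, bag_of_commands(window)) > threshold


if __name__ == "__main__":
    profile = build_profile(TRAINING_WINDOWS)
    threshold = calibrate_threshold(profile, TRAINING_WINDOWS)
    for name, window in (("self", SELF_WINDOW), ("masquerader", MASQ_WINDOW)):
        d = hellinger(profile, bag_of_commands(window))
        print(f"{name}: distance={d:.3f} threshold={threshold:.3f} alert={d > threshold}")
```

Because the profile is a bag, reordering the commands inside a window leaves its distance unchanged; a masquerader who reproduces the victim's command mix closely enough (the "average user" case the abstract mentions) scores below the threshold.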
