
Detecting Masqueraders by Profiling User Behaviors

Abstract

Insider attacks are a serious threat to enterprises, organizations and countries, and have become a widely studied topic in the field of information security. This paper mainly aims to effectively detect masqueraders by profiling user behaviors with keystroke and network traffic. The fly-time of digraphs is employed to build users' keystroke behavior models. User network behavior is modeled with statistical and text features that are extracted from network traffic. The K-Means classifier is used to classify network traffic, and different classification results are mapped to different user operations accordingly. Extensive experimental results show that, in the case of users' keystroke models, the detection rate achieved is from 77% to 87.5% and the false alarm rate is 0.44%. When network models are used, the detection rate is 100% with a false alarm rate of 0.05%. In conclusion, network traffic can describe user network behaviors precisely, while the detection rate of user keystroke behaviors suffers from insufficient user input from the keyboard. It is obvious that a masquerader detection mechanism based on specific user behaviors cannot reach satisfactory results, since the corresponding data is insufficient in different scenarios. It is necessary to use both types of behavior for different scenarios to achieve a better detection result.
