Modeling User Search Behavior for Masquerade Detection

Ben Salem, Malek; Stolfo, Salvatore

Masquerade attacks are a common security problem that is a consequence of identity theft. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We identify actions linked to search and information access activities, and use them to build user models. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 1.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features.



Also Published In

Recent Advances in Intrusion Detection: 14th International Symposium, Raid 2011, Menlo Park, Ca, USA, September 20-21, 2011: Proceedings

More About This Work

Academic Units
Computer Science
Lecture Notes in Computer Science, 6961
Published Here
December 16, 2011