A Fuzzy Approach to User-level Intrusion Detection



Wei Liu (1) · Yu Mao (1) · Linlin Ci (1) · Fuquan Zhang (2)

Received: 17 June 2019 / Revised: 8 July 2020 / Accepted: 20 August 2020
© Taiwan Fuzzy Systems Association 2020

Wei Liu and Yu Mao contributed equally to this work. Corresponding author: Fuquan Zhang.

(1) School of Computer Science & Technology, Beijing Institute of Technology, Beijing 100081, China
(2) Fujian Provincial Key Laboratory of Information Processing and Intelligent Control, Minjiang University, Fuzhou 350117, China

Abstract

Traditionally, researchers have focused on network-level intrusion detection and program-level intrusion detection to improve computer security. However, neither approach is foolproof. Typically, a successful attack manifests as the attacker becoming a user on the host, with either elevated or normal user privileges. The reason for this situation is that current research and technology development have focused on external threats, not internal ones. At this point, user-level intrusion detection attempts to deter and curtail an attacker even after the system has been compromised. This paper proposes a novel method for anomaly detection of user behavior. Considering the complexity and fluctuation of user behavior, our method builds a finite automaton that profiles the user's normal behavior using the closeness of commands within patterns and the timing-sequence and frequency information between patterns. This gives the discrete training data a holistic structure that expresses the user's normal behavior more accurately. In the detection stage, our method builds a threat evaluation system using fuzzy logic. Experimental results on the Purdue University and SEA data sets and on self-collected data show that accurate, effective and efficient detection can be achieved using the proposed approach.

Keywords: User behavior · Command closeness · Masquerader detection · Trusted computing · Fuzzy logic
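The profiling scheme the abstract and introduction describe (a chronological shell-command stream cut into short sequences of fixed length and step size, compared against a profile of the user's normal sequences, with the resulting score mapped to fuzzy threat levels) as an added Python example. This is not the authors' code: it does not implement their finite automaton or their fuzzy rule base, neither of which appears on this page. The window length, step size, the fraction-of-known-sequences similarity measure, the triangular membership functions, the 0.6 threshold and the sample command streams are all assumptions constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample data (not from the paper's data sets): a chronological
# shell-command stream recorded for one user during training, plus two
# streams to evaluate against the resulting profile.
TRAIN_STREAM: List[str] = (
    "ls cd vim make ./a.out ls cd vim make ./a.out "
    "git status git commit ls cd vim"
).split()
NORMAL_STREAM: List[str] = "ls cd vim make ./a.out ls cd vim".split()
UNUSUAL_STREAM: List[str] = "python pip install python ls cd vim".split()


def short_sequences(stream: Sequence[str], length: int, step: int) -> List[Tuple[str, ...]]:
    """Cut a chronological command stream into short sequences of `length`
    commands, starting a new sequence every `step` commands (sliding window)."""
    if length < 1 or step < 1:
        raise ValueError("length and step must be positive")
    return [tuple(stream[i:i + length])
            for i in range(0, len(stream) - length + 1, step)]


def build_profile(stream: Sequence[str], length: int = 3, step: int = 1) -> Counter:
    """Normal-behaviour profile: how often each short sequence occurred in training."""
    return Counter(short_sequences(stream, length, step))


def similarity(profile: Counter, stream: Sequence[str], length: int = 3, step: int = 1) -> float:
    """Fraction (0..1) of the stream's short sequences that appear in the profile.
    An empty stream (shorter than one window) scores 0, i.e. maximally unlike the profile."""
    seqs = short_sequences(stream, length, step)
    if not seqs:
        return 0.0
    return sum(1 for s in seqs if s in profile) / len(seqs)


def unseen_sequences(profile: Counter, stream: Sequence[str], length: int = 3, step: int = 1) -> List[Tuple[str, ...]]:
    """The short sequences an analyst would want to review: those absent from the profile."""
    return [s for s in short_sequences(stream, length, step) if s not in profile]


def _clamp(x: float) -> float:
    return max(0.0, min(1.0, x))


def fuzzy_threat(sim: float) -> Dict[str, float]:
    """Assumed triangular membership functions mapping a similarity score to three
    threat levels; the degrees need not sum to one, as is usual in fuzzy logic."""
    return {
        "low": _clamp((sim - 0.5) / 0.5),              # full membership at sim = 1
        "medium": _clamp(1.0 - abs(sim - 0.5) / 0.5),  # peaks at sim = 0.5
        "high": _clamp((0.5 - sim) / 0.5),             # full membership at sim = 0
    }


def evaluate(profile: Counter, stream: Sequence[str], threshold: float = 0.6,
             length: int = 3, step: int = 1) -> Tuple[str, float, Dict[str, float]]:
    """Crisp verdict ("normal" within the tolerance range, else "anomalous"),
    the similarity score and the fuzzy threat memberships for one stream."""
    sim = similarity(profile, stream, length, step)
    verdict = "normal" if sim >= threshold else "anomalous"
    return verdict, sim, fuzzy_threat(sim)


if __name__ == "__main__":
    profile = build_profile(TRAIN_STREAM)
    for name, stream in (("normal", NORMAL_STREAM), ("unusual", UNUSUAL_STREAM)):
        verdict, sim, threat = evaluate(profile, stream)
        print(f"{name}: {verdict}, similarity={sim:.2f}, threat={threat}")
        for seq in unseen_sequences(profile, stream):
            print("  unseen:", " ".join(seq))
```

With a window of three commands and a step of one, the training stream yields fifteen short sequences; the normal stream matches all of its six windows, while the unusual stream matches only one of five and lands in the "anomalous" range with a high-threat membership of 0.6. Raising the step size thins the profile and makes the comparison cheaper but coarser, which is the trade-off the "certain step size" in the introduction refers to.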

1 Introduction

Trusted user behavior is the embodiment of computer system trustworthiness. Although insider attacks may not occur as frequently as external attacks, they have a higher rate of success, can go undetected and pose a much greater risk than external attacks. Shell commands, which are easy to collect, are often used as the research object for user behavior when users interact directly with the system. After a series of processing steps, the original command data form a sequence of commands in chronological order. This sequence of commands, and the short sequences cut from it at a certain step size, are often used to characterize user behavior. For specific tasks, the command sequences of normal users always present a kind of regularity and similarity. These normal sequences can be used to describe the user's normal behavior profiles. In the evaluation of a specific task, a user whose command sequence is similar to the user profiles within a certain range is considered to be a normal user. Otherwise, if