XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan,YE Run-guo

2011-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges,while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user′s behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific highorder homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space.In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little computation workload,and then smoothes them to get the decision values used to determine whether the monitored user′s behavior is normal or anomalous.Its performance is tested in computer simulation,showing higher detection accuracy and fewer computation costs than related methods′.The proposed method is especially suitable for on-line detection.

Xiao X,Tian X,Zhai Q,Xia S.

DOI: https://doi.org/10.1016/j.jss.2012.05.049

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:Masquerade detection is now one of the major concerns of system security research and its difficulty is to model user behavior on the nonstationary audit data. Many previous works represent the user behavior based on fixed-length models. In this paper, we propose a variable-length model to overcome their weakness in the precision and adaptability of user profiling. In the model, the user's normal behavior is profiled by Markov chain with states of variable-length sequences. At first multiple shell command streams of different lengths are generated and different shell command sequences are hierarchically merged into several sets to form the library of general sequences. Then the variable-length behavioral patterns of a valid user are mined and the Markov chain is constructed. While performing detection, the probabilities of short state sequences are calculated, smoothed with sliding windows, and finally used to classify the monitored user's activity as normal or abnormal. Our experiments with standard datasets such as Purdue data and SEA data reveal that the proposed model can achieve higher detection accuracy, require less memory and take shorter time than the other traditional methods and is amenable for real-time intrusion detection.

Bin Zhang,Xi Xiao,Weizhe Zhang,Arun Kumar Sangaiah,Ying Zhou,Xinyu Liu

DOI: https://doi.org/10.1002/ett.3858

IF: 3.6

2022-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:In-vehicle network is easy to be attacked by masquerade attackers because of the controller local area network, and there are many intrusion detection systems to solve this problem. However, the traditional methods consider the transition and frequent property, but they lose the information of the cooccurrence. In this article, a novel method based on cooccurrence matrixes is proposed, and it makes use of the cooccurrence property of the command stream, which is often ignored. There are two steps in the training process. First, a relatively large number of distinct shell commands are transformed into a smaller number of unique events by hierarchically merging shell commands. Second, considering the correlation property of audit data, the method constructs a partly normalized cooccurrence matrix to profile the valid user's normal behaviors. Although performing detection, the partly normalized cooccurrence matrixes of the current event sequences are generated. Then the distances between these matrixes and the profile matrix are calculated with sliding windows. Finally, distances are used to determine whether they are normal or not. Our method is evaluated against two standard masquerade detection datasets provided by T. Lane et al and M. Schonlau et al, respectively. The results indicate that the proposed method is promising in terms of detection accuracy, which is at least 10% higher than other four solutions, and the proposed method has fewer memory requirements, which saves at most 90% of the compared methods, and it can be conducted in parallel and is more suitable for real-time masquerade detection.

XIAO Xi,ZHAI Qi-bin,TIAN Xin-guang,CHEN Xiao-juan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.11.012

2011-01-01

Computer Science

Abstract:This paper presented a novel method for anomaly detection of user behavior based on the discrete-time Mar-kov chain model,which is applicable to intrusion detection systems using shell commands as audit data.In the training period,the uncertainty of the user's behavior and the relevance of the operation of shell commands in short time were fully considered.This method takes the sequences of shell commands as the basic processing units.It merges the sequences into sets in terms of their ordered frequencies and then constructs states of the Markov chain on the merged results.Therefore this method increases the accuracy of describing the normal behavior profile and the adaptability to the variations of the user's behavior and sharply reduces the number of states and the required storage space.In the detection stage,considering the real-time performance and the accuracy requirement of the detection system,it analyzes the anomaly degree of the user's behavior by computing the occurrence probabilities of the state sequences,and then provides two schemes,based on the probability stream filtered with single window or multi-windows,to classify the user's behavior.The results of our experiments show that this method can achieve higher detection performance and practicability than others.

Peng Jiang,Hongyi Wu,Cong Wang,Chunsheng Xin

DOI: https://doi.org/10.1109/ICC.2018.8422830

2018-01-01

Abstract:Identity-based attacks such as MAC spoofing are common in wireless networks. The recently developed virtualization technologies bring a new type of MAC spoofing attack, virtual MAC spoofing. This makes it even more challenging to detect such attacks, especially in a tight environment with spatial similarities. In this paper, we design, implement and evaluate a system to effectively detect virtual MAC spoofing attacks via deep learning. A deep convolutional neural network is constructed to extract physical features from CSI obtained from packet transmissions, to detect virtual MAC spoofing attacks. An important merit of the proposed detection system is that this system can distinguish two devices even at the same location, which was not well addressed by previous approaches. Our extensive experimental results demonstrate the effectiveness of the system with an average detection accuracy of 95%, even when devices are co-located.

Zhiyuan Lv,Youjian Zhao,Haibin Li

DOI: https://doi.org/10.1109/ISCC47284.2019.8969587

2019-01-01

Abstract:Nowadays, masquerade attack caused by identity misuse is a kind of severe insider threat and a common security problem for most organizations. Although the anomaly detection based on machine learning has been applied as a common method for this problem, most existing approaches for detecting masquerade attack usually use host-based data to profile user behavior and detect anomaly. However, host-based data are too sensitive to collect, which results in poor universality and makes it difficult for enterprises to deploy. In this paper, we propose a cheap and general masquerade detection method with high accuracy to profile user network behavior and detect anomaly, using network packet sketches (IP, port, protocol, etc.). As network packet headers with standardized format are non-sensitive, our method is suitable for most enterprises and much cheaper to deploy. To validate the method, we collected more than 10 TB normal user data and 5 GB simulated masquerader data in real enterprise environment. The experimental results show that our method achieves good performance with average AUC up to 0.988 and the approach of modeling user network behavior by network packet sketches results in good time efficiency.

W Yurcik,C Liu

DOI: https://doi.org/10.1109/CCGRID.2005.1558542

2005-01-01

Abstract:Recent attacks enabled by stolen authentication passwords and keys have allowed intruders to masquerade as legitimate users on high performance computing clusters. With the motivation of detecting masqueraders on clusters, this work seeks to discriminate different types of users based on their command behavior - in particular user command behavior on a multi-user public machine versus user command behavior on a high performance computing cluster Our intuition is that these users act differently and the unique high performance cluster environment is constrained such that command behavior discrimination is enhanced versus enterprise environments.We formalize this into a classification problem to be solved by a Support Vector Machine with TF-IDF feature construction techniques from the field of Information Retrieval. We present results showing the effectiveness of this approach exhibiting high precision depending on the length of monitoring in both time and number of commands. In particular we show that as few as 10 commands may be enough to recognize a masquerading attacker on a high performance computing cluster

ZENG Jian-ping,GUO Dong-hui

DOI: https://doi.org/10.3321/j.issn:0372-2112.2008.04.030

2008-01-01

Abstract:User activities are normally in variant forms or may be aberrant in some cases.This kind of uncertainty leads to the difficulty for current intrusion detection algorithm in deciding whether the user is masquerading or not.In the proposed algorithm,the user features are properly selected and the corresponding user trustworthiness computation methods are introduced.Different types of trustworthiness are integrated with interval type-2 fuzzy set,thus user trustworthiness is got and applied to a threshold-based decision.Theory analysis and experiments show that the proposed algorithm can handle the uncertainties that exist in user actirity or user model,so better detection performance can be achieved,compared with the detection algorithm based on ordinal fuzzy set.

WEI WANG,XIAO-HONG GUAN,XIANG-LIANG ZHANG

DOI: https://doi.org/10.1109/ICMLC.2004.1378514

2004-01-01

Abstract:Intrusion detection is an important technique in the defense-in-depth network security framework and a hot topic in computer network security in recent years. In this paper, a new efficient intrusion detection method based on hidden Markov models (HMMs) is presented. HMMs are applied to model the normal program behaviors using traces of system calls issued by processes. The output probability of a sequence of system calls is calculated by the normal model built. If the probability of a sequence in a trace is below a certain threshold, the sequence is flagged as a mismatch. If the ratio between the mismatches and all the sequences in a trace exceeds another threshold, the trace is then considered as a possible intrusion. The method is implemented and tested on the sendmail system call data from the University of New Mexico. Experimental results show that the performance of the proposed method in intrusion detection is better than other methods.

Xi XIAO,Shu-tao XIA,Xin-guang TIAN,Qi-bin ZHAI

DOI: https://doi.org/10.1016/s1005-8885(10)60128-8

2011-01-01

The Journal of China Universities of Posts and Telecommunications

Abstract:In anomaly detection, a challenge is how to model a user's dynamic behavior. Many previous works represent the user behavior based on fixed-length models. To overcome their shortcoming, we propose a novel method based on discrete-time Markov chains (DTMC) with states of variable-length sequences. The method firstly generates multiple shell command streams of different lengths and combines them into the library of general sequences. Then the states are defined according to variable-length behavioral patterns of a valid user, which improves the precision and adaptability of user profiling. Subsequently the transition probability matrix is created. In order to reduce computational complexity, the classification values are determined only by the transition probabilities, then smoothed with sliding windows, and finally used to discriminate between normal and abnormal behavior. Two empirical evaluations on datasets from Purdue University and AT&T Shannon Lab show that the proposed method can achieve higher detection accuracy and require less memory than the other traditional methods.

ZENG Jian-ping,GUO Dong-hui

2007-01-01

Abstract:A new detection method,MDAA,is proposed to solve the problems in determining the sliding window size and make it easily in selecting a precise decision value for current detection algorithms.In MDAA,HMM(Hidden Markov Model) is used to model the users' normal action.Sliding window size is determined by computing condition entropy of the model,thus the size can be adaptive to different users.Genetic algorithm is used to compute the maximal and minimal likelihood of sequence,and then the sequence can be transformed to a value that is more easily to be judged.Experiments on a real world data set show that the MDAA can get a better performance,and also it can be more adaptive to different users.

Wei Ma,Yunyun Hou,Mingyu Jin,Pengpeng Jian

DOI: https://doi.org/10.1371/journal.pone.0300821

IF: 3.7

2024-03-26

PLoS ONE

Abstract:Multi-stage attacks are one of the most critical security threats in the current cyberspace. To accurately identify multi-stage attacks, this paper proposes an anomaly-based multi-stage attack detection method. It constructs a Multi-Stage Profile (MSP) by modeling the stable system's normal state to detect attack behaviors. Initially, the method employs Doc2Vec to vectorize alert messages generated by the intrusion detection systems (IDS), extracting profound inter-message correlations. Subsequently, Hidden Markov Models (HMM) are employed to model the normal system state, constructing an MSP, with relevant HMM parameters dynamically acquired via clustering algorithms. Finally, the detection of attacks is achieved by determining the anomaly threshold through the generation probability (GP). To evaluate the performance of the proposed method, experiments were conducted using three public datasets and compared with three advanced multi-stage attack detection methods. The experimental results demonstrate that our method achieves an accuracy of over 99% and precision of 100% in multi-stage attack detection. This confirms the effectiveness of our method in adapting to different attack scenarios and ultimately completing attack detection.

multidisciplinary sciences

Wu Tao,Wang Chong-Jun,Xie Jun-Yuan

2010-01-01

Abstract:Intrusion detection,as an active measure to assure information security,has been receiving intensive attention and has recently become the focus of the computer security especially the network security research communities.In order to avoid being detected,however,intrusion events have evolved to become intelligent and distributive,making them good at concealing their purposes and so penetrating the intrusion detection system.To deal with this problem,as this paper does,techniques involving artificial intelligence and machine learning are brought in.This paper models intrusion and its detection as two multi-agent systems that have conflict interests,and holds the opinion that to intrude is just to device and execut attacking plans aiming to achieve certain objectives,the key of intrusion detection then is to analyze the observed opopnent's actions perceived as abnormal and reveal their intentions,which is then a classical intention recognition problem.Be is justifiable,we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable to be used here,because the environment for intrusion detection usually has an attack-defense nature thus is dynamic and can be extremely complex,making it expectable that failures to report intrusions and false reports of intrusions do happen,as a result acquiring a complete and true action sequence of the intruder is impossible.Under this circumstance,to design a strategy so robust that can recognize the intruder's intention using just an action sequence which not only contains only part of the intruder's complete action squence and also unknownly includs some misclassified actions is desperated needed,and this is exactly what this paper may contribute.Further than proposing the two multi-agent systems model,this paper sees the intrusion process as a Partially Observable Markov Decision Process(POMDP),and then estimates the intruder's intention as the output of the process.In this cae intention of the intruder can be recognized through an incomplete and defective action sequence it has just taken.The effectiveness of the proposed method is proved by experiments on data set contributed by DARPA.

Zilin Huang,Xiulai Li,Xinyi Cao,Ke Chen,Longjuan Wang,Logan Bo-Yee Liu

2024-11-09

Abstract:In the digital age, users store personal data in corporate databases, making data security central to enterprise management. Given the extensive attack surface, assets face challenges like weak authentication, vulnerabilities, and malware. Attackers may exploit vulnerabilities to gain unauthorized access, masquerading as legitimate users. Such attacks can lead to privacy breaches, business disruption, financial losses, and reputational damage. Complex attack vectors blur lines between insider and external threats. To address this, we introduce the IDU-Detector, integrating Intrusion Detection Systems (IDS) with User and Entity Behavior Analytics (UEBA). This integration monitors unauthorized access, bridges system gaps, ensures continuous monitoring, and enhances threat identification. Existing insider threat datasets lack depth and coverage of diverse attack vectors. This hinders detection technologies from addressing complex attack surfaces. We propose new, diverse datasets covering more attack scenarios, enhancing detection technologies. Testing our framework, the IDU-Detector achieved average accuracies of 98.96% and 99.12%. These results show effectiveness in detecting attacks, improving security and response speed, and providing higher asset safety assurance.

Cryptography and Security

Xu Zhang,Ting Wu,Qiuhua Zheng,Liang Zhai,Haizhong Hu,Weihao Yin,Yingpei Zeng,Chuanhui Cheng

DOI: https://doi.org/10.3390/s22082874

IF: 3.9

2022-04-08

Sensors

Abstract:Currently, hidden Markov-based multi-step attack detection models are mainly trained using the unsupervised Baum–Welch algorithm. The Baum–Welch algorithm is sensitive to the initial values of model parameters. However, its training uses random or average parameter initialization methods, which frequently results in the model training into a local optimum, thus, making the model unable to fit the alert logs well and thereby reducing the detection effectiveness of the model. To solve this issue, we propose a pre-training method for multi-step attack detection models based on the high semantic similarity of alerts in the same attack phase. The method first clusters the alerts based on their semantic information and pre-classifies the attack phase to which each alert belongs. Then, the distance of the alert vector to each attack stage is converted into the probability of generating alerts in each attack stage, replacing the initial value of Baum–Welch. The effectiveness of the proposed method is evaluated using the DARPA 2000 dataset, DEFCON21 CTF dataset, and ISCXIDS 2012 dataset. The experimental results show that the hidden Markov multi-step attack detection method based on pre-training of the proposed model parameters had higher detection accuracy than the Baum–Welch-based, K-means-based, and transfer learning differential evolution-based hidden Markov multi-step attack detection methods.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

XU Ming,DING Hong,CHEN Chun

DOI: https://doi.org/10.3785/j.issn.1008-973x.2005.02.008

2005-01-01

Abstract:In order to exactly and rapidly detect anomaly, a detection model that can exactly depict the profiles of normal process actions was proposed. The consistently repeated system call sequences in normal process traces were regarded as macros, then a Markov chains anomaly detection model based on system call macros was constructed. Conclusions were drawn by comparing the performance metrics of Macro MCM (Markov chains model) with the first-order MCM and second-order MCM based on system call. The comparison shows that in detection performance (hit rates and false alarm rates), Macro MCM is better than the other two models; in needed memory capability, Macro MCM is more than the first-order MCM, but less than the second-order MCM; in computing speed, the training speed of Macro MCM is the slowest among three models, but its detection speed is the highest.

Hao Zhang,Wenjun Zhang,Zhihan Lv,Arun Kumar Sangaiah,Tao Huang,Naveen Chilamkurti

DOI: https://doi.org/10.1007/s11280-019-00675-z

2019-03-22

World Wide Web

Abstract:Malicious behavior detection is a key topic that has been a focus in the field of intrusion detection. Current intrusion detection systems are primarily based on single-point monitoring and detection and cannot detect attack modes with a hidden attack frequency. The idea presented in this paper is the incorporation of API call sequence software into the analysis and the construction of behavior chains to express the behavior patterns in software. This paper introduces related definitions of behavioral points and behaviors and proposes a depth-detection method for malware based on behavior chains (MALDC). The method monitors behavior points based on API calls and then uses the calling sequence of those behavior points at runtime to construct a behavior chain. Finally, we use depth detection method based on long short-term memory(LSTM) to detect malicious behavior from the behavior chains. To verify the performance of the proposed model, we conducted a large experiment on 54,324 malware and 53,361 benign samples collected from Windows systems and used those samples to train and test the model. Comparative verification by using various classifiers showed that the behavior points extracted based on the above method and the constructed behavior chains can be used to recognize malicious behavior at a high recognition rate. The method achieved an accuracy of 98.64% with a false positive rate of less than 2% in the best case, which is a satisfactory recognition rate for detecting malicious software behavior.

William Marfo,Pablo Moriano,Deepak K. Tosh,Shirley V. Moore

2024-08-10

Abstract:Modern vehicles rely on a myriad of electronic control units (ECUs) interconnected via controller area networks (CANs) for critical operations. Despite their ubiquitous use and reliability, CANs are susceptible to sophisticated cyberattacks, particularly masquerade attacks, which inject false data that mimic legitimate messages at the expected frequency. These attacks pose severe risks such as unintended acceleration, brake deactivation, and rogue steering. Traditional intrusion detection systems (IDS) often struggle to detect these subtle intrusions due to their seamless integration into normal traffic. This paper introduces a novel framework for detecting masquerade attacks in the CAN bus using graph machine learning (ML). We hypothesize that the integration of shallow graph embeddings with time series features derived from CAN frames enhances the detection of masquerade attacks. We show that by representing CAN bus frames as message sequence graphs (MSGs) and enriching each node with contextual statistical attributes from time series, we can enhance detection capabilities across various attack patterns compared to using only graph-based features. Our method ensures a comprehensive and dynamic analysis of CAN frame interactions, improving robustness and efficiency. Extensive experiments on the ROAD dataset validate the effectiveness of our approach, demonstrating statistically significant improvements in the detection rates of masquerade attacks compared to a baseline that uses only graph-based features, as confirmed by Mann-Whitney U and Kolmogorov-Smirnov tests (p < 0.05).

Cryptography and Security,Machine Learning

Jonathan Oliver,Jue Mo,Susmit Yenkar,Raghav Batta,Sekhar Josyoula

2024-02-17

Abstract:Similarity has been applied to a wide range of security applications, typically used in machine learning models. We examine the problem posed by masquerading samples; that is samples crafted by bad actors to be similar or near identical to legitimate samples. We find that these samples potentially create significant problems for machine learning solutions. The primary problem being that bad actors can circumvent machine learning solutions by using masquerading samples.

Cryptography and Security,Machine Learning

Wenzhe Zhang,Chuyang Zeng,Yang Cao,Zuming Qin,Haiguang Chen

DOI: https://doi.org/10.1088/1742-6596/2246/1/012082

2022-04-01

Journal of Physics: Conference Series

Abstract:Abstract Aiming at the poor detection performance of user abnormal login behavior in the complex environment of industrial control system, a new method based on multi-dimensional probability analysis is proposed. First of all, login time, source, destination and other login parameters are collected. Secondly, the abnormal probability of login parameters is calculated. Thirdly, the login transfer probability among multiple destination hosts is calculated. Finally, through the comprehensive analysis of the above three probabilities, an abnormal login behavior detection model based on multi-dimensional probability analysis is constructed. Experiments show that this method can effectively identify the abnormal login behavior of users caused by various types of network attacks.