Abstract

Recently, researchers have proposed efficient detection mechanisms for masquerade attacks. Most of these techniques use machine learning methods to learn the behavioral patterns of users and to check whether an observed behavior conforms to the learnt behavior of a user. A masquerade attack is detected when the observed behavior, reportedly of a specific user, does not match the pattern learnt from this user's past data. A major shortcoming of this process is that a user may legitimately deviate temporarily from their past behavior. If the deviation is large and near-permanent, it is desirable that such deviations are captured in a detection mechanism. In this paper, we propose a method that takes this aspect of user behavior into consideration while detecting masquerade attacks. Our scheme is based on the premise that the commands used by a legitimate user or an attacker may both differ from the trained signature, but the deviation of the legitimate user is momentary, whereas that of an attacker persists longer. Introducing this novel concept into the detection mechanism improves performance. We show this empirically using several benchmark datasets.
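The premise above, momentary versus persistent deviation from a trained signature, shown as an added illustration that is not the paper's algorithm. The set-membership signature, block size, threshold, persistence length and command sequences are all assumptions constructed for this example.

```python
from collections import Counter

def train_signature(commands, min_count=2):
    """Assumed signature: commands the user issued at least min_count times."""
    counts = Counter(commands)
    return {cmd for cmd, n in counts.items() if n >= min_count}

def block_deviation(block, signature):
    """Fraction of commands in a block that fall outside the signature."""
    return sum(cmd not in signature for cmd in block) / len(block)

def deviant_blocks(commands, signature, block_size=5, threshold=0.6):
    """One flag per block: True when the block deviates beyond the threshold."""
    blocks = [commands[i:i + block_size]
              for i in range(0, len(commands), block_size)]
    return [block_deviation(b, signature) > threshold for b in blocks]

def naive_alarm(flags):
    """Conventional rule: any single deviant block raises an alarm."""
    return any(flags)

def persistent_alarm(flags, persist=3):
    """Persistence rule: alarm only after `persist` consecutive deviant blocks."""
    run = 0
    for flag in flags:
        run = run + 1 if flag else 0
        if run >= persist:
            return True
    return False

# Constructed sample data (not taken from any benchmark dataset).
NORMAL = ["ls", "cd", "vim", "make", "git"]
ODD = ["tar", "scp", "gzip", "ls", "df"]      # 4 of 5 commands unseen in training
TRAIN = NORMAL * 4
LEGIT = NORMAL * 2 + ODD + NORMAL * 3          # one momentary deviation
MASQ = NORMAL + ODD * 4 + NORMAL               # deviation persists for four blocks

if __name__ == "__main__":
    sig = train_signature(TRAIN)
    for name, session in (("legit", LEGIT), ("masquerader", MASQ)):
        flags = deviant_blocks(session, sig)
        print(name, flags, "naive:", naive_alarm(flags),
              "persistent:", persistent_alarm(flags))
```

On this constructed data the naive rule raises a false alarm on the legitimate session, while the persistence rule alarms only on the session whose deviation lasts.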

  • Publication date: 2011-4