A Study on Masquerade Detection

ACKNOWLEDGMENTS I am indebted to my advisor, Dr. Mark Stamp, for his consistent guidance, support, and encouragement throughout my master program. Dr. Mark Stamp has tirelessly guided me on how to perform meaningful research at every step. He has been and will always be an excellent role model for me. They have made my life in San Jose enjoyable and memorable. I am especially grateful to my dear wife Xiuduan Fang for her everlasting love, encouragement and support. iv ABSTRACT In modern computer systems, usernames and passwords have been by far the most common forms of authentication. A security system relying only on password protection is defenseless when the passwords of legitimate users are compromised. A masquerader can impersonate a legitimate user by using a compromised password. An intrusion detection system (IDS) can provide an additional level of protection for a security system by inspecting user behavior. In terms of detection techniques, there are two types of IDSs: signature-based detection and anomaly-based detection. An anomaly-based intrusion detection technique consists of two steps: 1) creating a normal behavior model for legitimate users during the training process, 2) analyzing user behavior against the model during the detection process. In this project, we concentrate on masquerade detection, a specific type of anomaly-based IDS. We have first explored suitable techniques to build a normal behavior model for masquerade detection. After studying two existing modeling techniques, N-gram frequency and hidden Markov models (HMMs), we have developed a novel approach based on profile hidden Markov models (PHMMs). Then we have analyzed these three approaches using the classical Schonlau data set. To find the best detection results, we have also conducted sensitivity analysis on the modeling parameters. However, we have found that our proposed PHMMs do not outperform the corresponding HMMs. We conjectured that Schonlau data set lacked the position information required by the PHMMs. To verify this conjecture, we have also generated several data sets with position information. Our experimental results show that when there is no sufficient training data, the PHMMs yield considerably better detection results than the v corresponding HMMs since the generated position information is significantly helpful for the PHMMs. Alert/Alarm: A signal suggesting that a system has been or is being attacked [1]. True Positive: A legitimate attack which triggers IDS to produce an alarm [1]. False Positive: An event signaling IDS to produce an alarm when no attack has been taken …