IEEE Access (Jan 2020)

Model for Detection of Masquerade Attacks Based on Variable-Length Sequences

  • Ghazaros Barseghyan,
  • Yuyu Yuan,
  • Manawa Anakpa

DOI
https://doi.org/10.1109/ACCESS.2020.3039166
Journal volume & issue
Vol. 8
pp. 210140 – 210157

Abstract

A masquerader is an attacker who gains illegitimate access to a user's account. Masquerade detection is one of the key problems of intrusion detection systems. Deep learning models that obtained state-of-the-art results in masquerade detection have failed to exhibit very high detection performance when data samples contain limited information. Alternatively, computationally cheaper and more memory-efficient traditional machine learning models suffer from less robust features, which hinders them in achieving high detection performance. The contributions of this article are as follows: we introduce new features of variable-length UNIX command sequences (i.e., weighted occurrence frequencies of different orders) and integrate these features into an extended Markov-chain-based variable-length model. The detection performance of our model is evaluated on three publicly available and free datasets: Schonlau (SEA), Purdue (PU), and Greenberg. The results demonstrate that our model significantly improves the true positive rate (TPR), false positive rate, receiver operator characteristic, and threshold variance compared to the baselines (other Markov-chain-based variable-length models). Furthermore, in terms of the TPR, the proposed method is superior to a state-of-the-art deep learning model that uses a convolutional neural network on the PU and Greenberg datasets and a state-of-the-art sequence-alignment-hidden Markov model on the SEA dataset. Moreover, the proposed method is much more lightweight than the state-of-the-art models in terms of computational and memory complexity, and thus more suitable for real-time masquerade detection.

Keywords