Combining Baiting and User Search Profiling Techniques for Masquerade Detection

 

Malek Ben Salem+ and Salvatore J. Stolfo

 

Columbia University

New York, NY 10027, USA

{malek,sal}@cs.columbia.edu

 

Abstract

 

Masquerade attacks are characterized by an adversary stealing a legitimate user's credentials and using them to impersonate the victim and perform malicious activities, such as stealing information. Prior work on masquerade attack detection has focused on profiling legitimate user behavior and detecting abnormal behavior indicative of a masquerade attack. Like any anomaly-detection-based technique, detecting masquerade attacks by profiling user behavior suffers from a significant number of false positives. We extend prior work and provide a novel integrated detection approach in this paper. We combine a user behavior profiling technique with a baiting technique in order to more accurately detect masquerade activity. We show that using this integrated approach reduces the false positives by 36% when compared to user behavior profiling alone, while achieving almost perfect detection results. Furthermore, we show how this combined detection approach can serve as a mechanism for hardening the masquerade attack detector against mimicry attacks.

 

Keywords: Intrusion detection, masquerade attack detection, baiting, decoys, orthogonal techniques

 

+: Corresponding author: Malek Ben Salem

Currently at Accenture Technology Labs.

Accenture, 800 N Glebe Suite 300, Arlington, VA 22203, USA, Tel: +1 703 947 3546

 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 3, No. 1/2, pp. 13-29, March 2012