Combining Baiting and User Search Profiling Techniques for Masquerade Detection
Malek Ben Salem+ and Salvatore J. Stolfo
Columbia University
New York, NY 10027, USA
{malek,sal}@cs.columbia.edu
Abstract
Masquerade attacks are characterized by an adversary
stealing a legitimate user's credentials and
using them to impersonate the victim and perform
malicious activities, such as stealing information.
Prior work on masquerade attack detection has focused on
profiling legitimate user behavior and
detecting abnormal behavior indicative of a masquerade
attack. Like any anomaly-detection-based technique,
detecting masquerade attacks by profiling user behavior
suffers from a significant number of false positives.
We extend prior work and provide a novel integrated
detection approach in this paper.
We combine a user behavior profiling technique with a
baiting technique in order to more accurately
detect masquerade activity. We show that using this
integrated approach reduces the false positives
by 36% when compared to user behavior profiling alone,
while achieving almost perfect detection results.
Furthermore, we show how this combined detection approach
can serve as a mechanism
for hardening the masquerade attack detector against
mimicry attacks.
Keywords: Intrusion detection, masquerade attack detection,
baiting, decoys, orthogonal techniques
+: Corresponding author: Malek Ben Salem
Currently at Accenture Technology Labs.
Accenture, 800 N Glebe Suite 300, Arlington, VA 22203,
USA, Tel: +1 703 947 3546
Journal of Wireless Mobile Networks,
Ubiquitous Computing, and Dependable Applications (JoWUA),
Vol. 3, No. 1/2, pp. 13-29, March 2012