Towards a Masquerade Detection System Based on User’s Tasks

Author: Scarlett French

1 Towards a Masquerade Detection System Based on User's Tasks
J. Benito Camiña, Jorge Rodríguez, and Raúl Monroy
Presentation by Calvin Raines

2 What is a masquerade attack?
A masquerade attacker achieves "member" status by posing as a legitimate user.
Methods: password cracked or stolen; terminal left open while the user is away.

3 How can masquerades be detected?
Audit data: commands, I/O devices, search patterns, file system navigation.
Anomaly-based detection: a normal user profile is built, and an alarm is raised if usage differs significantly from the profile.
This paper: user "tasks".

4 What were some previous approaches?
Intrusion Detection Expert System (IDES): the earliest form of masquerade detection system (MDS); used audit data; looked at sequences of actions.
Schonlau et al. (Unix commands): the first general MDS test set; logs of user commands broken into chunks.
Figure: example command chunks per user, labelled normal or attack. Jack: ls cd ls…; get open…; open close…; get get…; g++ vi vi…; get close…. Jill: cd vi…; vi g++…; ./pgm vi…; ls vi close…; get open…; cd ls vi….
References: IDES: Denning, D.E.: An intrusion-detection model. IEEE Transactions on Software Engineering 13(2), 222–232 (1987). Schonlau, M.: Masquerading user data (Matthias Schonlau's home page) (1998).

5 What were some previous approaches?
Mouse: angle/speed of movement; click/drag.
Keyboard: static or free text.
RUU (Are You You?): search patterns; 22 features (file access, process creation, browsing, etc.).
References: Mouse: Pusara, M., Brodley, C.: User re-authentication via mouse movements. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, VizSEC/DMSEC 2004, pp. 1–8. ACM (October 2004). Garg, A., Rahalkar, R., Upadhyaya, S., Kwiat, K.: Profiling users in GUI based systems for masquerade detection. In: 2006 IEEE Information Assurance Workshop, pp. 48–54. IEEE Computer Society Press (June 2006). Keyboard: Killourhy, K., Maxion, R.: Why did my detector do that?! Predicting keystroke-dynamics error rates. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 256–276. Springer, Heidelberg (2010). RUU: Salem, M.B., Stolfo, S.J.: Modeling user search behavior for masquerade detection. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 181–200. Springer, Heidelberg (2011).

6 What weaknesses do the old ways have?
Intrusive recording: static keyboard recording discourages new passwords.
Specificity of results: Unix commands are specific to the OS.
One versus the others (OVTO): no true attacks in the test set; RUU simulated attacks, but these were not faithful.
Data sets are static.
Most previous approaches are not intrusive; most previous approaches are specific, but conceptually adaptable.

7 What new dataset is used?
Critical concept: objects, not actions. Which file system objects are accessed, and how they are used.
Navigation system: directory graph and access graph.
Access graph: recently accessed files/tasks, with frequency and path info.
Directory: subtree containing "hot" files/tasks.
Figure: example access graph (CV 10, PDF 8, Cat 3) over a directory tree rooted at C: with Desktop, Documents, Work, School, Temp, Music and Misc, and files such as Desktop\PDF.pdf and Documents\Funny Cat.gif.

8 What is WUIL?
Windows Users and Intruder simulations Logs dataset: 20 Windows users' normal activity, recorded with the MS Windows audit tool.
3 levels of attack carried out on each user's computer: data theft attacks, limited to a 5 minute window, carried out by the same person.
Issues: current results are specific to Windows; no other types of masquerade attack are considered; one (the same person) versus the others (the non-attackers).

9 What attacks were simulated?
Basic (opportunity): searches My Documents for interesting-looking names, opens the file, sends to self via , and closes the file.
Intermediate (prepared): brings a USB drive to copy files to, uses MS Windows' search tool to find files with specific strings (e.g. *password*.*), removes the USB drive and removes tracks.
Advanced (plotted): uses a .bat file to automatically copy the files the intermediate attack found.

10 What is task abstraction?
Assumption: files in the same folder are related to each other, and thus using any file in a certain folder can be viewed as working on a task.
Figure: a supertask corresponds to a directory; its subdirectories A and B hold Task 1 (Objects 1–4), Task 2 and Task 3 (Objects 5–7).
The assumption may not be true: one participant used multiple physical drives; another was disorganized.

11 What is task abstraction?
Depth Cut Point (DCP): the deepest level for which >70% of the task rate is underneath it.
< 100 tasks; 3 < DCP < 10 (101 tasks is excessive).
DCP 4 is where Desktop, Documents, etc. are located; DCP 10 is deep (further depth assumed unrealistic).

12 What are the benefits of task abstraction?
Less required storage.
Resilient to change: files are added and deleted frequently.

13 What experiments were performed?
Testing for: objects vs. tasks; how much information is needed to detect attacks; different percentages of construction/validation data.
Approach: window-based (unmixed, size 20); Naïve Bayes and Markov chains; five-fold cross-validation on the best construction/validation ratio.
Caveat: unmixed windows ignore the possibility of a masquerader attacking in the middle of user activity (e.g. if the user steps away and leaves the terminal open).

14 What is Naïve Bayes?
Frequency probability. Example table:
Subset   +      -
squares  5/8    3/8
blue     3/6
all      7/12   5/12

15 How was Naïve Bayes implemented?
Symbols (calculated):
f_uc: number of times user u accessed resource c
α: 0 < α << 1, to prevent zero probabilities
K: total number of resources
n_u: length of u's training set
c_i: a specific resource
Dividing by n_u + αK accounts both for the number of files and for the length of the training set.
Combined window size n = 20.
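The smoothed frequency model of slides 10, 11 and 15 in working form, as an added example that is not the authors' code: file paths are abstracted to tasks at an assumed depth cut point, a per-user profile is built with P(c | u) = (f_uc + α) / (n_u + αK), and a window of 20 events is scored by its mean negative log-likelihood. The paths, traces, DCP and alarm threshold are constructed for the example.

```python
from collections import Counter
from math import log

ALPHA = 0.01   # 0 < alpha << 1: keeps a never-seen task from getting probability 0
WINDOW = 20    # unmixed window size used on the slides

def path_to_task(path, dcp):
    """Task abstraction: drop the file name and keep the first `dcp` directory
    levels (the depth cut point), so every object below that directory is one task."""
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    return "/".join(parts[:-1][:dcp])

class NaiveBayesProfile:
    """Per-user frequency profile with the smoothing from the slide:
    P(c | u) = (f_uc + alpha) / (n_u + alpha * K)."""
    def __init__(self, tasks, alpha=ALPHA):
        self.counts = Counter(tasks)    # f_uc: how often u accessed task c
        self.n = len(tasks)             # n_u: length of u's training set
        self.k = len(self.counts)       # K: number of distinct resources (tasks)
        self.alpha = alpha

    def prob(self, task):
        return (self.counts[task] + self.alpha) / (self.n + self.alpha * self.k)

    def score(self, window):
        """Anomaly score: mean negative log-likelihood per event (higher = less like u)."""
        return -sum(log(self.prob(t)) for t in window) / len(window)

    def classify(self, window, threshold):
        return "attack" if self.score(window) > threshold else "normal"

# Constructed sample traces (not WUIL data): Jill's training trace, one of her own
# windows, and one window of a data-theft attack rummaging through folders she never uses.
HOME = "C:/Users/jill/"
TRAIN = ([HOME + "Documents/Work/report.docx"] * 20 + [HOME + "Music/mix.m3u"] * 10
         + [HOME + "Desktop/todo.txt"] * 6 + [HOME + "Downloads/setup.exe"] * 4)
NORMAL_WINDOW = TRAIN[:10] + TRAIN[20:25] + TRAIN[30:33] + TRAIN[36:38]
ATTACK_WINDOW = ([HOME + "Documents/Finance/passwords.txt"] * 7
                 + [HOME + "Documents/Private/scan.pdf"] * 7
                 + [HOME + "Documents/Work/report.docx"] * 6)
DCP = 5   # cut at C:/Users/jill/<folder>/<subfolder>; assumed value for this example

def demo(threshold=3.0):   # threshold is assumed; in practice tune it on validation windows
    profile = NaiveBayesProfile([path_to_task(p, DCP) for p in TRAIN])
    normal = [path_to_task(p, DCP) for p in NORMAL_WINDOW]
    attack = [path_to_task(p, DCP) for p in ATTACK_WINDOW]
    return profile.classify(normal, threshold), profile.classify(attack, threshold)
```

Each unseen task in the attack window contributes -log(α / (n_u + αK)), which is what separates it from Jill's own window even though six of its events are in her usual Work folder.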

16 What are Markov Chains?
Sequence probability. Example:
Sequence    Probabilities                   Total
SSSCRRRCS   .5 x .5 x .4 x .5 x .6 x .6 x .3 x .4
SRSRCCCSR   .1 x .1 x .1 x .3 x .1 x .1 x .4 x .1

17 How were Markov Chains implemented?
Consider each day as an independent trace; attack and normal traces are separated.
Determine the n-gram size using divergence (the largest difference between normal and attack).
Treat each n-gram within a trace as a state.
Sum up 1 − Pr of each state transition and divide by the number of events.
Penalty: if the state transition is nonexistent, add 5.
If the result is higher than the threshold, classify as an attack.

18 How were Markov Chains implemented?
Figure: worked example with two days of Fun/School traces and n-gram size 3. States F, FS, FSF, SFF, FFS, S, SF and SFS, with transition probabilities 1, 1, 0.66, 0.5, 1, 0.33, -, 1, 0.5, 1, 1 as shown on the slide.

19 How were Markov Chains implemented?
Figure: scoring a normal (School/Fun) trace gives ( )/6 = 0.19; scoring the attack trace gives ( )/6 = 4.25.
Score = Sum (1 − Pr) / #events. Penalty: if Pr = 0, use 5 in place of (1 − Pr).
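The scoring rule of slides 17 to 19 as an added example, not the authors' code: n-gram states and their transition probabilities are learned from normal day traces only, a trace is scored by Sum (1 − Pr) / #events with the penalty of 5 for an unseen transition, and the divergence rule picks the n-gram size. The Fun/School/Documents traces, the n-gram size 2 and the threshold are constructed for the example.

```python
from collections import defaultdict

PENALTY = 5.0   # slide: an unseen transition (Pr = 0) contributes 5 instead of 1 - Pr

def ngrams(trace, n):
    """Every n-gram inside a trace is one state of the chain."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

class MarkovProfile:
    """Transition probabilities between n-gram states, learned from normal traces only
    (each day is an independent trace, so no transition crosses a day boundary)."""
    def __init__(self, normal_traces, n):
        self.n = n
        counts = defaultdict(lambda: defaultdict(int))
        for trace in normal_traces:
            states = ngrams(trace, n)
            for a, b in zip(states, states[1:]):
                counts[a][b] += 1
        self.trans = {}
        for a, nxt in counts.items():
            total = sum(nxt.values())
            self.trans[a] = {b: c / total for b, c in nxt.items()}

    def score(self, trace):
        """Sum (1 - Pr) over the trace's transitions, with the penalty for unseen
        ones, divided by the number of events in the trace."""
        states = ngrams(trace, self.n)
        total = 0.0
        for a, b in zip(states, states[1:]):
            pr = self.trans.get(a, {}).get(b, 0.0)
            total += PENALTY if pr == 0.0 else 1.0 - pr
        return total / len(trace)

def choose_ngram_size(normal_traces, normal_test, attack_test, candidates=(1, 2, 3)):
    """Divergence rule from the slide: keep the n whose normal and attack scores are furthest apart."""
    def divergence(n):
        m = MarkovProfile(normal_traces, n)
        return m.score(attack_test) - m.score(normal_test)
    return max(candidates, key=divergence)

# Constructed traces (not WUIL data), one task label per event: F = Fun, S = School,
# D = a Documents folder the user never works in. Three normal days train the model.
NORMAL_DAYS = [list("FSFSFSSFSF"), list("SFSFSSFSFS"), list("FSSFSFSFSS")]
NORMAL_TEST = list("FSFSSFSFSF")
ATTACK_TEST = list("FDDDDDDDSD")   # masquerader rummaging through Documents

def demo(n=2, threshold=1.5):   # n and threshold are assumed values for this example
    model = MarkovProfile(NORMAL_DAYS, n)
    label = lambda t: "attack" if model.score(t) > threshold else "normal"
    return label(NORMAL_TEST), label(ATTACK_TEST)
```

With n = 2 the normal test trace scores about 0.17 and the attack trace 4.0, the same order of separation as the 0.19 versus 4.25 on the slide; every transition of the attack trace is unseen, so it collects the penalty eight times over ten events.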

20 How were results presented?
AUC.
Zero-FP: how many masquerades are classified as normal.
Zero-FN: how many normal windows are misclassified as attacks.

21 What were the Naïve Bayes results?
80-20 is the best split.
Task is better than object (except on MMP FN).

22 What were the Markov Chains results?
Same trends as Naïve Bayes.
Better than Naïve Bayes.

23 What is Mean-Windows-to-First-Alarm?
The average number of windows needed to classify a trace as an attack.
Bayes is faster at detecting stronger attacks (partly due to the unorganized participants).

24 What can be concluded?
The Markov chain model is more accurate, although slower at detecting strong attacks.
Task-based detection is comparable to (slightly better than) object-based detection.