Authors: Haohui Peng, Wei Wang
Published in: 2018 Eighth International Conference on Instrumentation & Measurement, Computer, Communication and Control (IMCCC)
Publication date: 2018-07-01
DOI: 10.1109/IMCCC.2018.00101 (https://doi.org/10.1109/IMCCC.2018.00101)
Detecting Masqueraders by Profiling User Behaviors
Insider attacks are a serious threat to enterprises, organizations and countries, and have become a widely studied topic in the field of information security. This paper aims to detect masqueraders effectively by profiling user behaviors with keystroke and network traffic data. The fly-time of digraphs is employed to model users' keystroke behavior. User network behavior is modeled with statistical and text features extracted from network traffic. The K-Means classifier is used to classify network traffic, and the different classification results are mapped to different user operations accordingly. Extensive experimental results show that, with users' keystroke models, the detection rate ranges from 77% to 87.5% and the false alarm rate is 0.44%. With network models, the detection rate is 100% with a false alarm rate of 0.05%. In conclusion, network traffic can describe user network behaviors precisely, while the detection rate of user keystroke behaviors suffers from insufficient user input from the keyboard. It is clear that a masquerader detection mechanism based on specific user behaviors cannot reach satisfactory results, since the corresponding data is insufficient in different scenarios. It is necessary to use both types of behavior for different scenarios to achieve a better detection result.