Masquerade detection using truncated command lines
Authors: R. Maxion, T. Townsend
Published in: Proceedings. International Conference on Dependable Systems and Networks, volume 16 1, pages 219-228
Publication date: 2002-06-23
Publication type: Journal Article
DOI: 10.1109/DSN.2002.1028903 (https://doi.org/10.1109/DSN.2002.1028903)
Source: Semanticscholar
Citations: 255
Abstract
A masquerade attack, in which one user impersonates another, can be the most serious form of computer abuse. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior, as represented by a user profile formed from system audit data. While the success of this approach has been limited, the reasons for its unsatisfying performance are not obvious, possibly because most reports do not elucidate the origins of errors made by the detection mechanisms. This paper takes as its point of departure a recent series of experiments framed by Schonlau et al. (2001). In extending that work with a new classification algorithm, a 56% improvement in masquerade detection was achieved at a corresponding false-alarm rate of 1.3%. A detailed error analysis, based on an alternative data configuration, reveals why some users are good masqueraders and others are not.