Abstract
The article concerns the problem of detecting masqueraders in computer systems. A masquerader in a computer system is an intruder who pretends to be a legitimate user in order to gain access to protected resources. The article presents an intrusion detection method based on a fuzzy approach. Two types of user’s activity profiles are proposed along with the corresponding data structures. The solution analyzes the activity of the computer user in a relatively short period of time, building a user’s profile. The profile is based on the most recent activity of the user, therefore, it is named the local profile. Further analysis involves creating a more general structure based on a defined number of local profiles of one user, called the fuzzy profile. It represents a generalized behavior of the computer system user. The fuzzy profiles are used directly to detect abnormalities in users’ behavior, and thus possible intrusions. The proposed solution is prepared to be able to create user’s profiles based on any countable features derived from user’s actions in computer system (i.e., used commands, mouse and keyboard data, requested network resources). The presented method was tested using one of the commonly available standard intrusion data sets containing command names executed by users of a Unix system. Therefore, the obtained results can be compared with other approaches. The results of the experiments have shown that the method presented in this article is comparable with the best intrusion detection methods, tested with the same data set, in the matter of the obtained results. The proposed solution is characterized by a very low computational complexity, which has been confirmed by experimental results.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Anderson JP (1980) Computer security threat monitoring and surveillance. In: James P (ed) Technical report. Anderson Co., Fort Washington
Banerjee SP, Woodard DL (2012) Biometric authentication and identification using keystroke dynamics: a survey. J Pattern Recognit Res 7:116–139
Bartkowiak AM (2011) Block and command profiles for legitimate users of a computer network. Commun Comput Inf Sci 245:295–304 (Springer)
Bhukya WN, Suresh KG, Negi A (2006) A study of effectiveness in masquerade detection. In: Proceedings of TENCON 2006, 2006 IEEE Region 10 Conference, pp 1–4
Borah S, Chetry SPK, Singh PK (2011) Hashed-k-means: a proposed intrusion detection algorithm. In: Das VV, Thankachan N (eds) Computational Intelligence and Information Technology, vol 250. Communications in Computer and Information Science. Springer, Berlin Heidelberg, pp 855–860
Chinchani R, Muthukrishnan A, Chandrasekaran M, Upadhyaya S (2004) Racoon: rapidly generating user command data for anomaly detection from customizable templates. In: 20th Annual Computer Security Applications Conference, pp 189–202
Corchado E, Herrero A, Baruque A, Saiz JM (2005) Intrusion detection system based on a cooperative topology preserving method intrusion detection system based on a cooperative topology preserving method. In: Proceedings of the International Conference on Adaptive and Natural Computing Algorithms in Coimbra, vol IV, Portugal. Springer, Wien, pp 454–457
Coull S, Szymanski B (2008) Sequence alignment for masquerade detection. Comput Stat Data Anal 52(8):4116–4131
Coull S, Branch J, Szymanski B, Breimer E (2003) Intrusion detection: a bioinformatics approach. In: Proceedings of 19th Annual Computer Security Applications Conference (ACSAC 2003), pp 24–33
Czogała E, Łęski J (2000) Fuzzy and neuro-fuzzy intelligent systems. Physica-Verlag, Springer-Verlag Comp
Dash SK, Reddy KS, Pujari AK (2005) Episode based masquerade detection. LNCS 3803:251–262
Denning DE (1997) Internet besieged, chapter cyberspace attacks and countermeasures. ACM Press, New York, pp 29–55
Estrada VC, Nakao A, Segura EC (2009) Classifying computer session data using self-organizing maps. In: International Conference on Computational Intelligence and Security, 2009 IEEE, pp 48–53
Fiore U, Palmieri F, Castiglione A, De Santis A (2013) Network anomaly detection with the restricted boltzmann machine. Neurocomputing 122:13–23
Greenberg S (1998) Using unix: collected traces of 168 users. Research report 1988–333-45, Department of Computer Science, University of Calgary, Canada
Guan X, Wang W, Zhang X (2009) Fast intrusion detection based on non-negative matrix factorization model. J Netw Comput Appl 32:31–44
Gunes I, Bilge A, Polat H (2013) Shilling attacks against memory-based privacy-preserving recommendation algorithms. KSII Trans Internet Inf Syst 7:1272–1290
Herrero A, Corchado E, Gastaldo P, Zunino R (2007) A comparison of neural projection techniques applied to intrusion detection systems. LNCS 4507:1138–1146 (Springer-Verlag, Berlin Heidelberg)
Jain AK, Flynn P, Ross AA (2007) Handbook of biometrics. Springer, New York
Ju W, Vardi Y (1999) A hybrid high-order markov chain model for computer intrusion detection. Technical Report 92, National Institute for Statistical Sciences, Research Triangle Park, North Carolina, pp 27709–4006
Kdd cup (1999) http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
Kim HS, Cha SD (2005) Empirical evaluation of svm-based masquerade detection using unix commands. Comput Security 24:160–168
Klir GJ, Folger TA (1988) Fuzzy sets, uncertanity, and information. Prentice-Hall, Englewood Cliffs
Klir GJ, Yuan B (1995) Fuzzy sets and fuzzy logic. Theory and applications. Prentice-Hall, Upper Saddle River
Kudłacik P (2008) Operations on fuzzy sets with piecewise-linear membership function (polish). Studia Informatica, 29(3A(78)):91–111
Kudłacik P (2010) Advantages of an approximate reasoning based on a fuzzy truth value. J Med Inf Technol 15:57–61
Kudłacik P (2010) Structure of a knowledge base in the fuzzlib library (polish). Studia Informatica 31(2A(89)):469–478
Kudłacik P (2012) Improving a signature recognition method using the fuzzy approach. J Med Inf Technol 21:85–93
Kudłacik P, Porwik P (2012) A new approach to signature recognition using the fuzzy method. Pattern Anal Appl. doi:10.1007/s10044-012-0283-9
Lane T (1999) Purdue unix user data. http://www.cs.unm.edu/~terran/research/anomaly_detection_for_computer_security
Lane T (2002) Machine learning techniques for the computer security domain of anomaly detection. PhD thesis, Purdue University, USA
Lane T (2006) A decision-theoretic, semi-supervised model for intrusion detection. Mach Learn Data Mining Computer Security 157–177
Lunt TF, Jagannathan R (1988) A prototype real-time intrusion-detection expert system. In Proceedings of IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Washington DC, pp 59–66
Mamdani EH, Assilan S (1975) An experiment in linguistic synthesis with a fuzzy logic controller. Int J Man Mach Stud 20:1–13
Maxion RA (2003) Masquerade detection using enriched command lines. In: Dependable Systems and Networks. Int. Conf., pp 5–14
Maxion RA, Townsend TN (2002) Masquerade detection using truncated command lines. In: Proceedings of the International Conference on Dependable Systems and Networks (DSN’02). IEEE Computer Society Press, pp 219–228
Olszewski D (2012) A probabilistic approach to fraud detection in telecommunications. Knowl Based Syst 26:246–258
Palmieri F, Fiore U (2010) Network anomaly detection through nonlinear analysis. Comput Security 29(7):737–755
Palmieri F, Fiore U, Castiglione A (2014) A distributed approach to network anomaly detection based on independent component analysis. Concurr Comput Pract Exper 26:1113–1129
Pao Hsing-Kuo, Fadlil Junaidillah, Lin Hong-Yi, Chen Kuan-Ta (2012) Trajectory analysis for user verification and recognition. Knowl Based Syst 34:81–90
Porwik P, Sosnowski M, Wesołowski T, Wróbel K (2011) Computational assessment of a blood vessels compliance: a procedure based on computed tomography coronary angiography. LNAI 6678(1):428–435 (Springer)
Raiyn J (2014) A survey of cyber attack detection strategies. Int J Security Appl 8(1):247–256
Salem MB, Hershkop S, Stolfo SJ (2008) A survey of insider attack detection research. In: Salvatore SJ, Bellovin SM, Keromytis AD, Hershkop S, Smith SW, Sinclair S (eds) Insider Attack and Cyber Security, volume 39 of Advances in Information Security, pp 69–90. Springer US
Salem MB, Stolfo SJ (2012) A comparison of one-class bag-of-words user behavior modeling techniques for masquerade detection. Security Commun Netw 5:863–872
Schonlau M (2000) Masquerading user data. http://www.schonlau.net
Schonlau M, Theus M (2000) Detecting masquerades in intrusion detection based on unpopular commands. Inf Process Lett 76:33–38
Schonlau M, Mouchel WD, Ju WH, Karr AF, Theus M, Vardi Y (2001) Computer intrusion: detecting masquerades. Stat Sci 16(1):58–74
Smaha SE (1988) Haystack: an intrusion detection system. In: Fourth Aerospace Computer Security Applications Conference, pp 37–44
Sodiya AS, Folorunso O, Onashoga SA, Ogunderu OP (2011) An improved semiglobal alignment algorithm for masquerade detection. Int J Netw Security 13:31–40
Szymanski BK, Zhang Y (2004) Recursive data mining for masquerade detection and author identification. In: Proceedings 5th Annual IEEE System, Man, and Cybernetics Information Assurance Workshop, pp 424–431
Takagi T, Sugeno M (1985) Fuzzy identification of systems and its applications to modelling and control. IEEE Trans Syst Man Cybern 15(1):116–132
Tavallaee M, Bagheri E, Lu W, Ghorbani Ali A (2009) A detailed analysis of the kdd cup 99 data set. In: Proceedings of the 2009 IEEE Symposium on Computational Intelligence in Security and Defense Applications (CISDA 2009)
Viejo A, Sanchez D, Castella-Roca J (2012) Preventing automatic user profiling in web 2.0 applications. Knowl Based Syst 36:191–205
Wan MD, Wu HC, Kuo YW, Marshall J, Huang SHS (2008) Detecting masqueraders using high frequency commands as signatures. In: 22nd International Conference on Advanced Information Networking and Applications—Workshops
Wang LX (1998) A course in fuzzy systems and control. Prentice-Hall, New York
Wang W, Guan X, Zhang X (2004) A novel intrusion detection method based on principal component analysis in computer security. LNCS Adv Neural Netw 3174:657–662
Wang W, Guan X, Zhang X (2008) Proc. massive audit data streams for real-time anomaly intrusion detection. Comput Commun 31:58–72
Wesołowski T, Kudłacik P (2013) Data clustering for the block profile method of intruder detection. J MIT 22:209–216
Wesołowski T, Kudłacik P (2014) User profiling based on multiple aspects of activity in a computer system. J MIT 23:121–129
Wespi A, Dacier M, Debar H (1999) An intrusion-detection system based on the teiresias pattern-discovery algorithm. In: EICAR 1999 Best Paper Proceedings
Zadeh LA (1965) Fuzzy sets. Inf Control 8:338–353
Zimmermann HJ (1985) Fuzzy set theory and it’s applications. Kluwer-Nijhoff, Boston
Acknowledgments
This work was supported by the Polish National Science Centre under the grant no. DEC-2013/09/B/ST6/02264.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by V. Loia.
Rights and permissions
About this article
Cite this article
Kudłacik, P., Porwik, P. & Wesołowski, T. Fuzzy approach for intrusion detection based on user’s commands. Soft Comput 20, 2705–2719 (2016). https://doi.org/10.1007/s00500-015-1669-6
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00500-015-1669-6