Abstract
Data breach incidents are becoming a global threat, costing companies millions with each attack. Most host-based intrusion detection approaches analyze system logs, such as the system call log, to monitor host network traffic. However, the system call log does not capture some critical behavior of the user. This research explores host-based intrusion detection based on the user file-accessing log, which provides an additional dimension of user behavior relevant to detecting data breaches. This paper hypothesizes that an intruder behaves inside a host computer differently from “normal” users. We propose a graph model that captures file-accessing behavior at a high level of abstraction. We then derive a set of behavioral features from the graph model for machine learning algorithms to identify intruders. We validated our hypothesis on an existing user activity dataset by adopting an anomaly detection approach. With a one-class Support Vector Machine trained only on normal users’ data, our approach achieves an Area Under the Curve (AUC) of 0.98 for the receiver operating characteristic curve.
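To make the pipeline in the abstract concrete (file-access log, graph model, behavioral features, anomaly detection trained only on normal users), here is an added, self-contained example that is not the paper's code. The graph definition (directories as nodes, consecutive accesses as directed edges), the five features, the constructed sample sessions and the z-score outlier check standing in for the paper's one-class SVM are all assumptions of this example.

```python
"""Directory-transition graph features for file-access logs (added example): graph definition,
feature set, sample logs and the z-score check are assumptions, not the paper's own method."""
from collections import defaultdict
from statistics import mean, pstdev
import posixpath

# Constructed sample sessions: ordered lists of file paths accessed by normal users.
NORMAL_SESSIONS = {
    "alice": ["/home/alice/docs/a.txt", "/home/alice/docs/b.txt", "/home/alice/pics/x.jpg",
              "/home/alice/docs/a.txt", "/home/alice/docs/c.txt", "/home/alice/pics/y.jpg"],
    "bob": ["/home/bob/src/main.c", "/home/bob/src/util.c", "/home/bob/build/out.o",
            "/home/bob/src/main.c", "/home/bob/src/util.h", "/home/bob/docs/notes.md"],
    "carol": ["/home/carol/finance/q1.xlsx", "/home/carol/finance/q2.xlsx", "/home/carol/reports/s.docx",
              "/home/carol/finance/q1.xlsx", "/home/carol/finance/q3.xlsx", "/home/carol/reports/s.docx"],
    "dave": ["/home/dave/mail/inbox", "/home/dave/mail/sent", "/home/dave/todo/list.txt",
             "/home/dave/mail/inbox", "/home/dave/mail/drafts", "/home/dave/mail/sent"],
}
# Constructed masquerader session: one access each in many unrelated directories.
INTRUDER_SESSION = ["/home/alice/docs/a.txt", "/home/bob/src/main.c", "/home/carol/finance/q1.xlsx",
                    "/home/dave/mail/inbox", "/srv/share/hr/salaries.csv", "/var/backups/db.sql"]

def graph_features(paths):
    """Nodes are directories, consecutive accesses are directed edges (self-loops kept);
    the features summarise breadth, connectivity, revisiting and depth of the walk."""
    dirs = [posixpath.dirname(p) for p in paths]
    edges = defaultdict(int)
    for src, dst in zip(dirs, dirs[1:]):
        edges[(src, dst)] += 1
    nodes = set(dirs)
    return {
        "n_dirs": len(nodes),
        "n_transitions": len(edges),
        "revisit_ratio": 1.0 - len(nodes) / len(paths),
        "mean_out_degree": len(edges) / len(nodes),
        "max_depth": max(len(d.strip("/").split("/")) for d in nodes),
    }

def anomaly_score(session, normal_sessions):
    """Largest per-feature |z| of a session against the normal users' feature distribution."""
    baseline = [graph_features(s) for s in normal_sessions]
    score = 0.0
    for name, value in graph_features(session).items():
        column = [f[name] for f in baseline]
        mu, sd = mean(column), pstdev(column)
        dev = abs(value - mu)
        # A feature the normal users never vary on counts only when the session deviates from it.
        z = dev / sd if sd > 0 else (0.0 if dev == 0 else float("inf"))
        score = max(score, z)
    return score

def is_intruder(session, normal_sessions, threshold=3.0):
    return anomaly_score(session, normal_sessions) > threshold
```

On the constructed data the normal sessions score at most about 1.7 while the sweeping session scores about 8.7, which is the separation the abstract's hypothesis predicts.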
This work was partly supported by the National Science Foundation grants (1950297, 1433817); the U.S. Department of Education grant (P200A210119); and the National Security Agency grant (H98230-22-1-0323).
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cao, Z., Stephen Huang, SH. (2023). Host-Based Intrusion Detection: A Behavioral Approach Using Graph Model. In: Abraham, A., Hong, TP., Kotecha, K., Ma, K., Manghirmalani Mishra, P., Gandhi, N. (eds) Hybrid Intelligent Systems. HIS 2022. Lecture Notes in Networks and Systems, vol 647. Springer, Cham. https://doi.org/10.1007/978-3-031-27409-1_122
DOI: https://doi.org/10.1007/978-3-031-27409-1_122
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-27408-4
Online ISBN: 978-3-031-27409-1
eBook Packages: Intelligent Technologies and Robotics (R0)