
Host-Based Intrusion Detection: A Behavioral Approach Using Graph Model

  • Conference paper
  • Hybrid Intelligent Systems (HIS 2022)
  • Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 647)

Abstract

Data breach incidents are becoming a global threat, costing companies millions with each attack. Most host-based intrusion approaches analyze system logs, such as the system call log, to monitor host network traffic. However, the system call log does not capture some critical behavior of the user. This research explores host-intrusion detection based on the user file-accessing log, which provides an additional dimension of user behavior for data breaching. This paper hypothesizes that an intruder behaves inside a host computer differently from “normal” users. We propose to use a graph model to model file-accessing behavior at a high level of abstraction. We then derive a set of behavioral features from the graph model for machine learning algorithms to identify the intruders. We validated our hypothesis with an existing user activity dataset by adopting an anomaly detection approach. The results based on our approach report an Area Under the Curve (AUC) of the receiver operating characteristic curve value of 0.98, with the one-class Support Vector Machine model trained on only normal users’ data.
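The pipeline the abstract sketches, as an added illustration that is not the paper's code and does not use the paper's dataset: a constructed per-session file-access log is turned into a directory-tree graph, a small assumed set of behavioral features is derived from the graph, and a centroid-distance score (an assumed stand-in, used here so the block has no dependencies) takes the place of the one-class SVM trained on normal sessions only.

```python
from collections import defaultdict
# Constructed sample log, not the paper's dataset: (session_id, accessed path).
# s1 and s2: the legitimate user inside her home; s3 roams across the host.
LOG = [
    ("s1", "C:/Users/alice/Documents/report.docx"),
    ("s1", "C:/Users/alice/Documents/notes.txt"),
    ("s1", "C:/Users/alice/Pictures/cat.png"),
    ("s2", "C:/Users/alice/Documents/budget.xlsx"),
    ("s2", "C:/Users/alice/Downloads/setup.exe"),
    ("s3", "C:/Users/alice/Documents/report.docx"),
    ("s3", "C:/Windows/System32/config/SAM"),
    ("s3", "C:/ProgramData/app/keys.db"),
    ("s3", "C:/Users/alice/AppData/Roaming/browser/Login Data"),
]

def build_graph(paths):
    """Directory-tree graph: every path prefix is a node, parent -> child edges."""
    children, depth = defaultdict(set), {}
    for p in paths:
        parts = p.split("/")
        for i in range(1, len(parts)):
            parent, child = "/".join(parts[:i]), "/".join(parts[:i + 1])
            children[parent].add(child)
            depth[child] = i
    return children, depth

def features(paths, home="C:/Users/alice"):
    """Assumed feature set (the paper's own features are not on this page)."""
    children, depth = build_graph(paths)
    outside = sum(1 for p in paths if not p.startswith(home + "/"))
    return {
        "nodes": len(depth),                                   # graph size
        "max_fanout": max(len(c) for c in children.values()),  # spread
        "max_depth": max(depth.values()),                      # how deep
        "outside_home_ratio": round(outside / len(paths), 2),  # roaming
    }

def session_features(log):
    by_session = defaultdict(list)
    for sid, path in log:
        by_session[sid].append(path)
    return {sid: features(p) for sid, p in by_session.items()}

def anomaly_score(vec, normal_vecs):
    """Stand-in for the one-class SVM: scaled distance from the normal centroid."""
    score = 0.0
    for k, x in vec.items():
        vals = [v[k] for v in normal_vecs]
        score += abs(x - sum(vals) / len(vals)) / (max(vals) - min(vals) + 1)
    return round(score, 2)
```

Fitting the scorer on s1 and s2 only mirrors the abstract's one-class setup: s3 scores far above both normal sessions without any intruder data being seen at training time.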

This work was partly supported by the National Science Foundation grants (1950297, 1433817); the U.S. Department of Education grant (P200A210119); and the National Security Agency grant (H98230-22-1-0323).



Author information

Correspondence to Zechun Cao.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Cao, Z., Stephen Huang, SH. (2023). Host-Based Intrusion Detection: A Behavioral Approach Using Graph Model. In: Abraham, A., Hong, TP., Kotecha, K., Ma, K., Manghirmalani Mishra, P., Gandhi, N. (eds) Hybrid Intelligent Systems. HIS 2022. Lecture Notes in Networks and Systems, vol 647. Springer, Cham. https://doi.org/10.1007/978-3-031-27409-1_122
