Sequence Alignment for Masquerade Detection Scott E. Coull Joel W. Branch Boleslaw K. Szymanski Eric A. Breimer The masquerade attack, where an attacker takes on the identity of a legitimate user to maliciously utilize that user’s privileges, poses a serious threat to the security of information systems. Such attacks completely undermine traditional security mechanisms, including strong authentication and intrusion detection, because the trust imparted in user accounts once they have been authenticated. Many attempts have been made at detecting these attacks, yet none of them have provided a level of accuracy necessary for practical deployment. In this paper, we discuss the use of a specially tuned sequence alignment algorithm, typically used in the field of bioinformatics, to detect instances of masquerading in sequences of computer audit data. By aligning monitored audit data with sequences known to have been produced by the user, known as the user’s signature, the alignment algorithm can discover areas of similarity and ultimately derive a metric which indicates the presence or absence of masquerade attacks. Specifically, we use a specially tuned Smith-Waterman sequence alignment algorithm and investigate the use of various scoring systems on the algorithm’s ability to detect masquerade attacks. Additionally, we provide methods to dynamically update the user’s signature to accommodate for variations in behavior that occur over time, and describe heuristics for decreasing the computational requirements of the algorithm. Our technique is evaluated against the standard masquerade detection dataset provided by Schonlau et al. [9]. The results show that the use of our sequence alignment technique provides the best results of all known to us masquerade detection techniques. Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY cs-06-14
Sequence Alignment for Masquerade Detection
Scott E. Coull
Joel W. Branch
Boleslaw K. Szymanski
Eric A. Breimer
The masquerade attack, where an attacker takes on the identity of a legitimate user to maliciously utilize that user’s privileges, poses a serious threat to the security of information systems. Such attacks completely undermine traditional security mechanisms, including strong authentication and intrusion detection, because the trust imparted in user accounts once they have been authenticated. Many attempts have been made at detecting these attacks, yet none of them have provided a level of accuracy necessary for practical deployment. In this paper, we discuss the use of a specially tuned sequence alignment algorithm, typically used in the field of bioinformatics, to detect instances of masquerading in sequences of computer audit data. By aligning monitored audit data with sequences known to have been produced by the user, known as the user’s signature, the alignment algorithm can discover areas of similarity and ultimately derive a metric which indicates the presence or absence of masquerade attacks. Specifically, we use a specially tuned Smith-Waterman sequence alignment algorithm and investigate the use of various scoring systems on the algorithm’s ability to detect masquerade attacks. Additionally, we provide methods to dynamically update the user’s signature to accommodate for variations in behavior that occur over time, and describe heuristics for decreasing the computational requirements of the algorithm. Our technique is evaluated against the standard masquerade detection dataset provided by Schonlau et al. [9]. The results show that the use of our sequence alignment technique provides the best results of all known to us masquerade detection techniques.
Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY
cs-06-14