Master's thesis
Analysis of masquerade detectors performance under synthesized sessions - Single Edition
Date
2006-12-01
Author
Posadas López, Román
Institution
Abstract
Information security has become an important research topic, given the impact of computers on mankind.
As computers become more important, so do the interests, risks and attacks associated with them. In
this work we focus on a type of attack called a masquerade attack, in which someone impersonates another
person by using that person's computer account privileges to carry out malicious activities. We try to
understand this problem and analyze the way masquerade detectors are built. The way they are built reveals
a great deal about their limitations. These limitations could be used to build synthesized masquerade
sessions that bypass such detection methods. These synthesized masquerade sessions are created by an
intelligent type of masquerader who has enough knowledge of the normal behavior profile of the user being
impersonated.
In this thesis we analyze the performance of different masquerade detection methods under artificially
created masquerade sessions. These sessions are created using different properties and affect each method
differently. The dataset provided by Schonlau, called SEA, has been modified to include synthetic sessions
created by masqueraders who we assume have information about the behavior profile of the users they intend
to impersonate. As a consequence, this work provides an approach to synthesizing sessions when these are
based on commands. Session synthesis turns out to be more effective as more features are taken into account
when creating the masquerade sessions. We also propose a masquerade detection method that is more tolerant
of synthesized datasets when these are built from command frequencies and script frequencies. We compare
the effects on six different methods that use frequency properties or sequential properties. These effects
are shown using ROC (Receiver Operating Characteristic) curves. After analyzing the results, we found that
our proposed method outperforms the others, detecting masquerade sessions that the other methods could not
detect.