
Mathematical Model of Intrusion Detection Based on Sequential Execution of Commands Applying Pagerank

  • Conference paper
Advances in Human Factors in Cybersecurity (AHFE 2019)

Abstract

Cybersecurity in networks and computer systems is a very important research area for companies and institutions around the world. Safeguarding information is therefore a fundamental objective, because data is the most valuable asset of a person or company. Users interacting with multiple systems generate a behavioral pattern that is unique to each person (called a digital fingerprint). This behavior is compiled from the interactions between the user and applications, websites, and communication equipment (PCs, mobile phones, tablets, etc.). This paper details the analysis of eight users of computers running a UNIX operating system who performed their tasks over a period of 2 years. The data is the history of use in Shell sessions, sorted by date and token. With this information, a mathematical model of intrusion detection based on time series behaviors is generated. Generating this model requires data pre-processing, which produces user sessions \( S_{m}^{u} \), where u identifies the user and m the number of sessions the user u has made. Each session \( S_{m}^{u} \) contains a sequence of executed commands \( C_{n} \), that is \( S_{m}^{u} = \{ C_{1} ,C_{2} ,C_{3} , \ldots ,C_{n} \} \), where n is the position in which the command C was executed. Only 17 commands have been selected, which are the most used by each user u. To create the mathematical model we apply the PageRank algorithm [1], which, within a command execution session \( S_{m}^{u} \), determines which command \( C_{n} \) calls another command \( C_{n + 1} \), and determines which command is the most executed. For this study we build a model with subsequences sb of two commands, \( sb = \{ C_{n} ,C_{n + 1} \} \), to which the algorithm is applied, obtaining a probability of execution per command defined by \( P(C_{n} ) \).
Finally, a profile is generated for each user as a time series signal, from which the maximum and minimum of normal behavior are obtained. If any behavior is outside those ranges, it is determined to be intrusive behavior, with a detection probability value. Otherwise, the behavior is determined to be normal and the user can continue executing commands in a normal way. The results obtained with this model have shown that the proposal is quite effective in the testing phase, with an accuracy rate greater than 90% and a false positive rate of less than 4%. This shows that our model is effective and adaptable to the dynamic behavior of the user. On the other hand, the variability in the execution of user commands has been found to be quite high over short periods of time, but the proposed algorithm tends to adapt quite optimally.
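
The pipeline described in the abstract, as an added Python example that is not the authors' code: it builds the command graph from the pairs sb, runs PageRank to obtain \( P(C_{n}) \), and flags a session whose score falls outside the user's minimum/maximum band. The session score (mean of \( P(C_{n}) \)), the 0.85 damping factor, the zero weight for unseen commands and the sample sessions are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample shell sessions for one user (not from the paper's data set).
TRAIN = [
    ["cd", "ls", "vi", "make", "ls"],
    ["cd", "ls", "vi", "make", "make"],
    ["ls", "cd", "ls", "vi", "make"],
    ["cd", "ls", "cat", "vi", "make"],
]

def pagerank(sessions, damping=0.85, iters=100):
    """P(C) from the graph whose edges are the pairs sb = {C_n, C_{n+1}}."""
    cmds = sorted({c for s in sessions for c in s})
    out = {c: defaultdict(int) for c in cmds}
    for s in sessions:
        for a, b in zip(s, s[1:]):
            out[a][b] += 1                      # C_n "calls" C_{n+1}
    n = len(cmds)
    rank = {c: 1.0 / n for c in cmds}
    for _ in range(iters):                      # power iteration
        nxt = {c: (1 - damping) / n for c in cmds}
        for a in cmds:
            total = sum(out[a].values())
            if total == 0:                      # dangling command: spread evenly
                for c in cmds:
                    nxt[c] += damping * rank[a] / n
            else:
                for b, w in out[a].items():
                    nxt[b] += damping * rank[a] * w / total
        rank = nxt
    return rank

def session_score(session, rank):
    """Assumed signal: mean P(C_n) over the session; unseen commands count as 0."""
    return sum(rank.get(c, 0.0) for c in session) / len(session)

def build_profile(sessions):
    rank = pagerank(sessions)                   # per-command probabilities
    scores = [session_score(s, rank) for s in sessions]
    return rank, min(scores), max(scores)       # normal band for this user

def is_intrusive(session, profile):
    rank, lo, hi = profile
    return not (lo <= session_score(session, rank) <= hi)

if __name__ == "__main__":
    profile = build_profile(TRAIN)
    print(is_intrusive(["cd", "ls", "vi", "make", "ls"], profile))
    print(is_intrusive(["ftp", "tar", "ssh", "cat", "ls"], profile))
```
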


References

  1. Gleich, D.F.: PageRank beyond the web. SIAM Rev. 57(3), 321–363 (2015)


  2. Ashfaq, R.A.R., Wang, X.-Z., Huang, J.Z., Abbas, H., He, Y.-L.: Fuzziness based semi-supervised learning approach for intrusion detection system. Inf. Sci. (Ny) 378, 484–497 (2017)


  3. Kim, G., Lee, S., Kim, S.: A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst. Appl. 41(4), 1690–1700 (2014)


  4. Elhag, S., Fernández, A., Bawakid, A., Alshomrani, S., Herrera, F.: On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on intrusion detection systems. Expert Syst. Appl. 42(1), 193–202 (2015)


  5. Lin, W.-C., Ke, S.-W., Tsai, C.-F.: CANN: an intrusion detection system based on combining cluster centers and nearest neighbors. Knowl.-Based Syst. 78, 13–21 (2015)


  6. Aljawarneh, S., Aldwairi, M., Yassein, M.B.: Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J. Comput. Sci. 25, 152–160 (2018)


  7. Guevara, C., Santos, M., López, V.: Data leakage detection algorithm based on task sequences and probabilities. Knowl.-Based Syst. 120, 236–246 (2017)


  8. Page, L., Brin, S., Motwani, R., Winograd, T.: The PageRank citation ranking: bringing order to the web, November 1999


  9. Aeberhard, S., Coomans, D., Vel, D.: UCI Machine Learning Repository: UNIX User Data Data Set. https://archive.ics.uci.edu/ml/datasets/UNIX+User+Data. Accessed 17 Dec 2018

  10. Zarkami, R., Moradi, M., Pasvisheh, R.S., Bani, A., Abbasi, K.: Input variable selection with greedy stepwise search algorithm for analysing the probability of fish occurrence: a case study for Alburnoides mossulensis in the Gamasiab River, Iran. Ecol. Eng. 118, 104–110 (2018)


  11. Xinchuan, Z., Martinez, T.: A noise filtering method using neural networks. In: IEEE International Workshop on Soft Computing Techniques in Instrumentation, Measurement and Related Applications, SCIMA 2003, pp. 26–31 (2003)



Corresponding author

Correspondence to Cesar Guevara.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Guevara, C. et al. (2020). Mathematical Model of Intrusion Detection Based on Sequential Execution of Commands Applying Pagerank. In: Ahram, T., Karwowski, W. (eds) Advances in Human Factors in Cybersecurity. AHFE 2019. Advances in Intelligent Systems and Computing, vol 960. Springer, Cham. https://doi.org/10.1007/978-3-030-20488-4_12


  • DOI: https://doi.org/10.1007/978-3-030-20488-4_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-20487-7

  • Online ISBN: 978-3-030-20488-4

  • eBook Packages: Engineering, Engineering (R0)
