Abstract
Masquerade attacks pose a grave security problem that is a consequence of identity theft. Detecting masqueraders is very hard. Prior work has focused on profiling legitimate user behavior and detecting deviations from that normal behavior that could potentially signal an ongoing masquerade attack. Such approaches suffer from high false positive rates. Other work investigated the use of trap-based mechanisms as a means for detecting insider attacks in general. In this paper, we investigate the use of such trap-based mechanisms for the detection of masquerade attacks. We evaluate the desirable properties of decoys deployed within a user’s file space for detection. We investigate the trade-offs between these properties through two user studies, and propose recommendations for effective masquerade detection using decoy documents based on findings from our user studies.
© 2011 Springer-Verlag Berlin Heidelberg
Ben Salem, M., Stolfo, S.J. (2011). Decoy Document Deployment for Effective Masquerade Attack Detection. In: Holz, T., Bos, H. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2011. Lecture Notes in Computer Science, vol 6739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22424-9_3
DOI: https://doi.org/10.1007/978-3-642-22424-9_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22423-2
Online ISBN: 978-3-642-22424-9