Investigative Behavior Profiling with One Class SVM for Computer Forensics

  • Wilson Naik Bhukya
  • Sateesh Kumar Banothu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7080)


Behavior profiling of a user or a system is of great importance and is a non-trivial task of system forensic experts. User profiling information is very much useful for forensic investigators by monitoring and collecting significant changes in user’s behavior based on his/her computer usage patterns. Traditional investigation mechanisms are based on command line system events collected using log files. In a GUI based investigative profiling system, most of the user activities are performed using either mouse movements and clicks or a combination of mouse movements and keystrokes. The command line data cannot capture the complete GUI event behavior of the users hence it is insufficient to perform any forensic analysis in GUI based systems. Presently, there is no frame work available to capture the GUI based user behavior for forensic investigation. We have proposed a novel approach to capture the GUI based user behavior using a logging tool. Our experimentation results shows that, the GUI based investigative profiling forensic can give more accurate and leads to identify the culprits. We have shown how one class SVM is less overhead in terms of training and testing instances for computer forensic compared to two class SVM.


GUI based Profiling Mouse events forensic investigation User behavior SVM 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Adomavicius, G., Tuzhilin, A.: Expertdriven validation of rule-based user models in personalization applications. Data Mining and Knowledge Discovery 5(1/2), 33–58 (2001)CrossRefzbMATHGoogle Scholar
  2. 2.
    Garg, A., Rahalkar, R., Upadhyaya, S., Kwait, K.: Profiling Users in GUI Based Systems for Masquerade Detection. In: Proceedings of 7th Annual IEEE Information Assurance Workshop (IAW 2006), June 21-23. United States Military Academy, West Point (2006)Google Scholar
  3. 3.
    Heller, K.A., Svore, K.M., Keromytis, A.D., Stolfo, S.J.: One Class Vector Machines for Detecting Anomalous Windows Registry Accesses. In: Proceedings of 2003 International Conference on Data Mining (ICDM 2003), November 19 (2003)Google Scholar
  4. 4.
    Li, L., Manikopoulos, C.N.: Windows NT One-class Masquerade Detection. In: Proceedings of 2004 IEEE Information Assurance Workshop (IAW 2004). United States Military Academy, West Point (2004)Google Scholar
  5. 5.
    Imsand, E.S., Hamilton Jr, J.A.: GUI Usage Analysis for Masquerade Detection. In: Proceedings of 2007 IEEE, Information Assurance Workshop (IAW 2007), June 21-23. United States Military Academy, West Point (2007)Google Scholar
  6. 6.
    Coull, S.E., Branch, J.W., Szymanski, B.K., Breimer, E.A.: Sequence Alignment for Masquerade Detection (2006)Google Scholar
  7. 7.
    Coull, S., Branch, J., Szymanski, B., Breimer, E.: Intrusion detection: A bioinformatics approach. In: 19th Annual Computer Security Applications Conferences, Las Vegas, Nevada, December 8-12 (2003)Google Scholar
  8. 8.
    Pusara, M., Brodley, C.: User Re-authentication via mouse movements. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, Washington D.C., USA, October 29 (2004)Google Scholar
  9. 9.
    Hirsh, M., Basu, C., Davidson, B.: Learning to personalize. Communications of the ACM 43(8), 102–106 (2000)CrossRefGoogle Scholar
  10. 10.
    Schonlau, M., DuMouchel, W., Ju, W.-H., Karr, A.F., Theus, M., Vardi, Y.: Computer Intrusion: Detecting Masquerades. Statistical Science 16, 58–74 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Wang, K., Stolfo, S.J.: One Class Training for Masquerade Detection. In: ICDM Workshop on Data Mining for Computer Security, DMSEC 2003 (2003)Google Scholar
  12. 12.
    Monrose, F., Rubin, A.: Authentication via Keystroke Dynamics. In: ACM Conference on Computer and Communications Security, pp. 48–56 (1997)Google Scholar
  13. 13.
    Pusara, M., Brodley, C.E.: User re-authentication via mouse movements. In: VizSEC/DMSEC 2004: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, Washington DC, USA, pp. 1–8 (2004)Google Scholar
  14. 14.
    Wespi, A., Dacier, M., Debar, H.: Intrusion Detection Using Variable-Length Audit Trail Patterns. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 110–129. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  15. 15.
    Feng, H., Kolesnikov, O., Fogla, P., Lee, W., Gong, W.: Anomaly Detection using Call Stack Information. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, California (May 2003)Google Scholar
  16. 16.
    Joachims, T.: Text Categorization with Support Vector Machines: Learning with Many Relevant Features. In: Nédellec, C., Rouveirol, C. (eds.) ECML 1998. LNCS, vol. 1398, pp. 137–142. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  17. 17.
    Joachims, T.: SVM light:Support Vector Machine (2004),
  18. 18.
    Ghosh, A., Schwartzbard, A., Schatz, M.: Learning Program Behavior Profiles for Intrusion Detection. In: First USENIX Workshop on Intrusion Detection and Network Monitoring, pp. 51–62 (1999)Google Scholar
  19. 19.
    Levitt, K., Ko, C., Fink, G.: Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring. In: Computer Security Application Conference (1994)Google Scholar
  20. 20.
    Schonlau, M.: Masquerading User Data (1998),
  21. 21.
  22. 22.
    Dash, S.K., Reddy, K.S., Pujari, A.K.: Episode Based Masquerade Detection. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2005. LNCS, vol. 3803, pp. 251–262. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  23. 23.
    Kim, H.-S., Cha, S.-D.: Empherical evaluation of SVM-based masquerade detection using UNIX commands. Computers and Security 24, 160–168 (2005)CrossRefGoogle Scholar
  24. 24.
  25. 25.
    Ester, M., Kriegel, H.-P., Sander, J., Xu, X.: A density-based algorithm for discovering clusters in large spatial databases with noise. In: Proceedings of the Second Int. Conference on Knowledge Discovery and Data Mining (1996)Google Scholar
  26. 26.
    Fawcett, T., Provost, F.: Adaptive fraud detection. Data Mining and Knowledge Discovery 1(3), 291–316 (1997)CrossRefGoogle Scholar
  27. 27.
    Chan, P.K.: A Non-Invasive Learning Approach to Building Web User Profiles. In: Masand, B., Spiliopoulou, M. (eds.) WebKDD 1999. LNCS (LNAI), vol. 1836, pp. 39–55. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  28. 28.
    Mannila, H., Toivonen, H., Verkamo, A.: Discovery of Frequent Episodes in Event Sequences. Data Mining and Knowledge Discovery 1(3), 259–289 (1997)CrossRefGoogle Scholar
  29. 29.
  30. 30.
  31. 31.
    Van Halteren, H.: Radboud University Nijmegen, The Netherlands Author verification by linguistic profiling: An exploration of the parameter space. ACM Transactions on Speech and Language Processing (TSLP) Archive 4(1) (January 2007); table of contents Article No. 1 Year of Publication: 2007 ISSN:1550-4875Google Scholar
  32. 32.
    Abraham, T.: Event sequence mining to develop profiles for computer forensic investigation purposes. In: Proceedings of the 2006 Australasian Workshops on Grid Computing and e-research. ACM International Conference Proceeding Series, vol. 167(54) (2006)Google Scholar
  33. 33.
    Bhukya, W.N., Kommuru, S.K., Negi, A.: Masquerade Detection Based Upon GUI User Profiling in Linux Systems. In: Cervesato, I. (ed.) ASIAN 2007. LNCS, vol. 4846, pp. 228–239. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  34. 34.
    Tan, P.-N., Kumar, V.: Mining Indirect Associations in Web Data. In: Kohavi, R., Masand, B., Spiliopoulou, M., Srivastava, J. (eds.) WebKDD 2001. LNCS (LNAI), vol. 2356, pp. 145–166. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  35. 35.
    Srikant, R., Agrawal, R.: Mining generalized association rules. In: Proceedings of 21st VLDB Conference (1995)Google Scholar
  36. 36.
    Mobasher, B., Dai, H., Luo, T., Sun, Y., Wiltshire, J.: Discovery of aggregate usage profiles for web personalization. In: Proceedings of the Workshop on Web Mining for E-Commerce, WEBKDD 2000 (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Wilson Naik Bhukya
    • 1
  • Sateesh Kumar Banothu
    • 2
  1. 1.Department of Computer and Information SciencesUniversity of HyderabadHyderabadIndia
  2. 2.Department of Information TechnologyJNTUH College of EngineeringJagityalIndia

Personalised recommendations