Layered Security Architecture for Masquerade Attack Detection

  • Hamed Saljooghinejad
  • Wilson Naik Bhukya
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7371)


A masquerade attack is one in which an attacker uses a fake identity to gain unauthorized access to personal computer information through legitimate access identification. Masqueraders are often discovered automatically by detecting significant departures from normal user behaviour: if a user's activity deviates from their established profile, it may signal an ongoing masquerade attack. In this paper we propose a new framework that captures data comprehensively by collecting it at different layers across multiple applications. Our approach generates feature vectors containing the output of analysis across multiple layers: Window Data, Mouse Data, Keyboard Data, Command Line Data, File Access Data and Authentication Data. We evaluated the approach in several experiments with a significant number of participants. Our experimental results show better detection rates with acceptable false positive rates; none of the earlier approaches has achieved this level of accuracy so far.


Keywords: Masquerade Detection · Intrusion Detection System · Anomaly Detection · User Profiling
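To make the layered idea concrete, the following added example (not code from the paper) builds a feature vector from the six layers the abstract names, learns a normal profile from constructed benign sessions, and flags a session whose deviation is large. The per-layer features, the deviation score (mean absolute z-score), the standard-deviation floor and the threshold are all assumptions; the paper does not specify its features or classifier.

```python
import statistics
from collections import Counter

# The six data layers named in the abstract; the feature choices below are assumptions.
LAYERS = ("window", "mouse", "keyboard", "command", "file", "auth")
STD_FLOOR = 0.05   # assumed: keeps near-constant features from dominating the score

def session(window=0, mouse=0, keyboard=0, commands=(), files=(), auths=()):
    """Constructed event list of (layer, value) pairs standing in for real collectors."""
    ev = [("window", "focus")] * window + [("mouse", "click")] * mouse
    ev += [("keyboard", "key")] * keyboard + [("command", c) for c in commands]
    return ev + [("file", f) for f in files] + [("auth", a) for a in auths]

def layer_features(events):
    """Session -> feature vector: activity share per layer, plus two sharper signals."""
    total = max(len(events), 1)
    counts = Counter(layer for layer, _ in events)
    vec = [counts[layer] / total for layer in LAYERS]
    vec.append(sum(v.startswith("sudo") for l, v in events if l == "command") / total)
    vec.append(sum(v == "fail" for l, v in events if l == "auth") / total)
    return vec

def build_profile(sessions):
    """Normal-behaviour profile: per-feature mean and (floored) stdev over training sessions."""
    columns = zip(*(layer_features(s) for s in sessions))
    return [(statistics.mean(c), max(statistics.pstdev(c), STD_FLOOR)) for c in columns]

def deviation(profile, events):
    """Mean absolute z-score of one session against the profile."""
    vec = layer_features(events)
    return sum(abs(v - m) / s for v, (m, s) in zip(vec, profile)) / len(vec)

def is_masquerade(profile, events, threshold=3.0):
    """Flag a session whose departure from the profile exceeds the (assumed) threshold."""
    return deviation(profile, events) > threshold

# Constructed training sessions for one user: GUI-heavy, few commands, clean logins
BENIGN = [
    session(8, 10, 20, ["ls", "cd"], ["doc.txt"] * 3, ["ok"]),
    session(6, 12, 22, ["ls"], ["doc.txt"] * 2, ["ok"]),
    session(7, 9, 21, ["ls", "cd", "cat"], ["doc.txt"] * 3, ["ok"]),
]
PROFILE = build_profile(BENIGN)

if __name__ == "__main__":
    # Constructed probe: command-heavy, privileged, with failed logins and almost no GUI use
    probe = session(1, 0, 5, ["sudo x"] * 10 + ["find"] * 10, ["/opt/data"] * 10, ["fail"] * 3 + ["ok"])
    print(round(deviation(PROFILE, probe), 2), is_masquerade(PROFILE, probe))
```

A real deployment would replace the constructed sessions with per-layer collector output and tune the threshold on held-out benign data to control the false positive rate.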



Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Hamed Saljooghinejad (1)
  • Wilson Naik Bhukya (1)
  1. Department of Computer and Information Science, University of Hyderabad, Hyderabad, India