Temporal and Spatial Locality: An Abstraction for Masquerade Detection

© 2005-2012 IEEE.Most studies in masquerade detection focus mainly on the user action, ignoring the object upon which that action is performed. This may yield limited models, since, for example, command execution (an action) usually ends up in the transformation of a file (the object). The overall goal of this paper is to prove that the object is paramount to distinguishing a user from a masquerade. With this in mind, we have developed a new approach to masquerade detection, called file system navigation, and tested our ideas using the Windows-Users and Windows-Intruder simulations Logs Data set, (WUIL) which unlike other datasets of its kind includes close-to-real simulated attacks. We have shown that our approach makes it possible to capture computer behavior in an abstract way difficult to realize in a purely action-based approach. In this paper, we introduce an abstraction called locality, the tendency of programs to cluster references to memory. While temporal locality is applicable to both actions and objects, spatial locality is more suitable to objects, as it depends on a notion of position. We have successfully validated our working hypothesis: locality-based features better capture user behavior for masquerade detection. Particularly, results based on our approach report an Area Under the Curve (AUC) of the receiver operating characteristic curve value of 0.97 in average with 30% of users having an AUC equal to or above 0.99.

Temporal and Spatial Locality: An Abstraction for Masquerade Detection Academic Article in Scopus