Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix

Oka, M.; Oyama, Yoshihiro; Abe, Hirotake; Kato, K.

doi:10.1007/978-3-540-30143-1_12

Cited by 53 publications

(31 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors enhanced it and presented a sequence alignment method using a binary scoring and a signature updating scheme to cope with concept drift [5]. Oka et al [12] noticed that the dynamic behavior of a user appearing in a sequence can be captured by correlating not only connected events, but also events that are not adjacent to each other while appearing within a certain distance (nonconnected events). To that extent, they have developed the layered networks approach based on the Eigen Co-occurrence Matrix (ECM).…”

Section: Related Workmentioning

confidence: 99%

Modeling User Search Behavior for Masquerade Detection

Salem

Stolfo

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Masquerade attacks are a common security problem that is a consequence of identity theft. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We identify actions linked to search and information access activities, and use them to build user models. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 1.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features. *

show abstract

Section: Related Workmentioning

confidence: 99%

Modeling User Search Behavior for Masquerade Detection

Salem

Stolfo

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The results are the average results of all users at block size 100 for compatibility with the application of naive Bayes. Semi−global alignment,2008 [27] n−gram STF−IDF, 2011 [25] One−class SVM, 2010 [17] ECM, 2004 [24] HMM, 2011 [29] Two−class NB , 2004 [7] One−class Bayesian, 2011 [19] PHMM, 2011 [29] Sequence alignment,2008 [27] Two−class NB w updating, 2004 [7] One−class OCLEP, 2006 [18] Hybrid Markov, 2001 [11] As seen in the figure, the performance of the methods MC and MOCS,2 (exact matching of 2-length command sequences) are quite close. The users' behavior of typing the same command pairs could distinguish them from masqueraders as the command-based approaches.…”

Section: Analysis Of the Proposed Sequence-based Approachesmentioning

confidence: 99%

Sequence‐based masquerade detection for different user groups

Şen

2014

Security Comm Networks

View full text Add to dashboard Cite

Insider threats are one of the biggest threats that organizations are confronted with today. A masquerader who impersonates another user for his malicious activities has been studied extensively in the literature. The approaches proposed on masquerade detection mainly assume that masquerader behavior will deviate from the typical behavior of the victim. This research presents a rigorous evaluation of sequence-based approaches based on this assumption. The main idea underlying sequence-based approaches is that users type similar commands, in a similar order, every time to do a specific job and, these similarities could distinguish users from others. Sequence-based approaches in the literature only consider commands typed in a specific order, at all times. In this research, we also take into account typing similar commands in a command sequence, but in an unordered way, in the newly proposed method, Matching of Unordered Command Sequences. We compare this new technique with another sequence-based approach called Matching of Ordered Command Sequences, and a command-based approach called Matching of Commands. These techniques are evaluated with varying parameters in order to explore how the order of commands, the variations in a command sequence, and the variety of commands affect masquerade detection. Furthermore, the performance of these methods on different types of users and masqueraders is analyzed. We explore what kind of users are easily distinguishable from others, and what kind of masqueraders are difficult to detect.

show abstract

“…Work on masquerade detection (and, more generally, on profiling user behavior for security purposes) has proliferated over the last decade, especially concerning the study of different detection strategies. Some of the proposals include the use of Bayes classifiers and Support Vector Machines [12][13][14][15][16]; information-theoretic approaches [17,18]; hidden Markov models [19]; or sequence-and text-mining [20][21][22][23] schemes, among others. Despite the diversity of principles behind these methods, the reported results show that they all perform similarly in terms of accuracy.…”

Section: Evaluation Frameworkmentioning

confidence: 99%

Online Randomization Strategies to Obfuscate User Behavioral Patterns

2012

View full text Add to dashboard Cite

When operating from the cloud, traces of user activities and behavioral patterns are accessible to anyone with enough privileges within the system. This could be, for example, the case of dishonest technical staff who may well be interested in selling user logs to competitors. In this paper, we investigate some of the security and privacy leakages derived from the analysis of user activities. We show that the working behavioral patterns exhibited by users can be easily captured into computationally useful representations that would allow an adversary to predict future activities, detect the occurrence of events of interest, or infer the organization's internal structure. We then introduce the idea of obfuscating user behaviour through Online Action Randomization Algorithms. In doing so, we introduce an indistinguishability-based definition for perfectly obfuscated actions and a concrete scheme to randomize user traces in an incremental way. We report experimental results confirming the obfuscation quality and other properties of the proposed schemes.

show abstract

Anomaly Detection Using Layered Networks Based on Eigen Co-occurrence Matrix

Cited by 53 publications

References 11 publications

Modeling User Search Behavior for Masquerade Detection

Modeling User Search Behavior for Masquerade Detection

Sequence‐based masquerade detection for different user groups

Online Randomization Strategies to Obfuscate User Behavioral Patterns

Contact Info

Product

Resources

About