Metadata only

Detection of masqueraders based on graph partitioning of file system access events

dc.creator: Toffalini F.
dc.creator: Homoliak I.
dc.creator: Harilal A.
dc.creator: Binder A.
dc.creator: Ochoa M.
dc.description.abstract: Masqueraders are users who take control of a machine and perform malicious activities such as data exfiltration or system misuse on behalf of legitimate users. In the literature, there are various approaches for detecting masqueraders by modeling legitimate users' behavior during their daily tasks and automatically determining whether they are doing something suspicious. Usually, these techniques model user behavior using features extracted from various sources, such as the file system, network activities, system calls, etc. In this work, we propose a one-class anomaly detection approach that measures similarities between a user's history and the events recorded in a time window of the user's session that is to be classified. The idea behind our solution is the application of a graph partitioning technique on weighted oriented graphs generated from such event sequences, while considering that strongly connected nodes have to belong to the same cluster. First, a history of vertex clusters is built for each user, and then this history is compared to a new input by using a similarity function, which leads either to the acceptance or to the rejection of the new input. This makes our approach substantially different from existing general graph-based approaches that consider graphs as a single entity. The approach can be applied to different kinds of homogeneous event sequences; however, successful application of the approach will be demonstrated on file system access events only. The linear time complexity of the approach was demonstrated in the experiments, and the performance evaluation was done using two state-of-the-art datasets, WUIL and TWOS, both of which contain file system access logs of legitimate users and masquerade attackers. For the WUIL dataset we achieved an average per-user AUC of 0.94, a TPR over 95%, and a FPR less than 10%, while for the TWOS dataset we achieved an average per-user AUC of 0.851, a TPR over 91% and a FPR around 11%. © 2018 IEEE.
dc.publisher: Institute of Electrical and Electronics Engineers Inc.
dc.relation.citationTitle: Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018
dc.relation.ispartof: Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018, (2018); pp. 217-227
dc.rights.acceso: Open (Full Text)
dc.source.instname: instname:Universidad del Rosario
dc.source.reponame: reponame:Repositorio Institucional EdocUR
dc.subject.keyword: Behavioral research
dc.subject.keyword: File organization
dc.subject.keyword: Graphic methods
dc.subject.keyword: Network security
dc.subject.keyword: Real time systems
dc.subject.keyword: Anomaly detection
dc.subject.keyword: File systems
dc.subject.keyword: Graph partitioning
dc.subject.keyword: Insider threat
dc.subject.keyword: Markov cluster
dc.subject.keyword: Graph theory
dc.subject.keyword: File system
dc.title: Detection of masqueraders based on graph partitioning of file system access events
dc.type.spa: Conference paper