Contextual Profiling of Homogeneous User Groups for Masquerade Detection
The complexity of modern computer networks creates a number of information security challenges for organizations. As the use of computer systems increases, they become more frequently targeted by criminals. In order to limit damage, the ability to detect probable criminal activity as soon as it occurs is of paramount concern. The Intrusion Detection System (IDS) is a technology that has existed for a number of decades. It aims to identify patterns indicative of an attack or, alternatively, behaviour that is suspicious compared to some notion of normality. To keep these systems effective, research is required to adapt them to the ever-changing threat landscape. Currently, internal threats pose a large risk to organizations and bring with them additional challenges, since not all threats can be detected using known patterns. Behaviour-based methods, known as anomaly detection, have the benefit of detecting previously unseen attacks. Profiling is a common technique used to establish a baseline for normal behaviour. However, normality can be difficult to define when considering individual profiles alone. Group profiling can offer additional context that forms the basis for a better comparison when detecting abnormal behaviour. It also reduces the scope of the IDS and in so doing removes some of the background noise. This thesis evaluates the application of group profiling methods as a contextual means to detect internal threats, specifically masquerade attacks. It delves into the related theoretical knowledge and derives a framework for masquerade detection research. The study frames the masquerade detection challenge as a classification problem, focusing primarily on the profiling task. A relevant feature representation method is chosen. Features are extracted from a simulated data set using a script developed in Bro and classified using a Support Vector Machine (SVM) as the machine learning method. Individual and group profiling results are presented.
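The contrast between individual and group profiling described in the abstract, as an added illustration that is not part of the thesis and does not reproduce its Bro feature extractor or SVM classifier. The example assumes hypothetical per-session feature vectors (distinct hosts contacted, megabytes sent out, failed logins, off-hours commands), a constructed homogeneous group of four users, and a simple profile-distance score (root-mean-square z-score against the baseline) in place of the SVM. It shows the point the thesis makes about normality being hard to define per individual: a new user with a sparse, low-variance history is falsely flagged by his own profile while the group profile accepts his benign session, and a masquerade session on another account is caught by both.

```python
"""Individual vs group profiling for masquerade detection (illustrative).

Added example, not the thesis's own code. Feature names, the sample
sessions and the z-score distance are constructed assumptions; the thesis
extracts features with a Bro script and classifies with an SVM.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Hypothetical per-session features (assumption, not from the thesis).
FEATURES = ("distinct_hosts", "mb_out", "failed_logins", "offhours_cmds")
THRESHOLD = 3.0   # RMS z-score above which a session is flagged
MIN_STD = 1e-9    # floor for zero-variance features: any deviation becomes maximal

# Constructed sample data: one homogeneous group (same role). "dave" is a
# new hire with only two identical sessions, so his individual baseline
# has zero variance on every feature.
GROUP_SESSIONS: Dict[str, List[List[float]]] = {
    "alice": [[3, 12, 0, 0], [4, 15, 1, 0], [2, 9, 0, 1], [5, 14, 0, 0]],
    "bob":   [[3, 10, 0, 0], [6, 18, 1, 0], [4, 13, 0, 0], [2, 11, 0, 0]],
    "carol": [[5, 16, 0, 0], [3, 12, 0, 1], [4, 14, 1, 0], [6, 17, 0, 0]],
    "dave":  [[4, 13, 0, 0], [4, 13, 0, 0]],
}


@dataclass
class Profile:
    """Per-feature mean and (population) standard deviation of a baseline."""
    mean: List[float]
    std: List[float]


def build_profile(sessions: Sequence[Sequence[float]]) -> Profile:
    """Summarise a set of normal sessions as a statistical profile."""
    n = len(sessions)
    k = len(FEATURES)
    mean = [sum(s[i] for s in sessions) / n for i in range(k)]
    std = [math.sqrt(sum((s[i] - mean[i]) ** 2 for s in sessions) / n)
           for i in range(k)]
    return Profile(mean, std)


def individual_profile(user: str) -> Profile:
    """Baseline built from the user's own history only."""
    return build_profile(GROUP_SESSIONS[user])


def group_profile() -> Profile:
    """Baseline built from every member of the homogeneous group."""
    return build_profile([s for ss in GROUP_SESSIONS.values() for s in ss])


def anomaly_score(profile: Profile, session: Sequence[float]) -> float:
    """Root-mean-square z-score of a session against a profile.

    A zero-variance feature in the baseline is floored to MIN_STD, so any
    deviation on it dominates the score; this is the failure mode of
    sparse individual profiles that group profiling is meant to avoid.
    """
    z2 = [((x - m) / max(sd, MIN_STD)) ** 2
          for x, m, sd in zip(session, profile.mean, profile.std)]
    return math.sqrt(sum(z2) / len(z2))


def is_masquerade(profile: Profile, session: Sequence[float]) -> bool:
    return anomaly_score(profile, session) > THRESHOLD


def classify(user: str, session: Sequence[float]) -> Dict[str, bool]:
    """Verdict of both profiling strategies for a session on `user`'s account."""
    return {
        "individual": is_masquerade(individual_profile(user), session),
        "group": is_masquerade(group_profile(), session),
    }


if __name__ == "__main__":
    # Benign session for the sparse user: individual profile false-alarms,
    # group profile accepts it.
    print("dave benign   ", classify("dave", [5, 15, 0, 0]))
    # Masquerader on alice's account: both profiles flag it.
    print("alice masquer.", classify("alice", [40, 350, 6, 9]))
```

Replacing the z-score distance with a one-class SVM trained on the same baselines leaves the comparison unchanged: the group baseline supplies the variance that a short individual history lacks, which is the contextual benefit the thesis attributes to group profiling.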