Abstract
Traditionally, researchers have focused on network-level and program-level intrusion detection to improve computer security, but neither approach is foolproof. A successful attack typically ends with the attacker becoming a user on the host, with either normal or elevated privileges, because research and technology development have concentrated on external threats rather than internal ones. User-level intrusion detection aims to deter and curtail an attacker even after the system has been compromised. This paper proposes a novel method for anomaly detection of user behavior. Because user behavior is complex and fluctuates, the method builds a finite automaton that profiles a user's normal behavior using the closeness of commands within patterns together with the timing sequence and frequency information between patterns. This gives the discrete training data a holistic structure that expresses the user's normal behavior more accurately. In the detection stage, the method builds a threat evaluation system using fuzzy logic. Experimental results on the Purdue University and SEA data sets and on self-collected data show that accurate, effective and efficient detection can be achieved with the proposed approach.
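The abstract describes two stages: a behavioral profile built as an automaton over command patterns with frequency and timing information, and a fuzzy-logic threat evaluator. The following is an added illustration of that two-stage shape and is not the paper's code or its exact model: the automaton is simplified to a first-order transition model whose edges carry transition frequency and mean inter-command delay, the three anomaly indicators (novelty, rarity, timing deviation), the membership functions, the rule base and the output levels are all assumptions chosen for the example, and the training and test sessions are constructed rather than taken from the Purdue, SEA or self-collected data.

```python
"""Illustrative user-level anomaly detector (added example, not the paper's method):
a frequency/timing-weighted command automaton plus a small fuzzy threat evaluator."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample sessions (NOT from the paper's data sets).
# Each entry is (command, seconds elapsed since the previous command).
TRAIN_SESSIONS = [
    [("ls", 0.0), ("cd", 2.0), ("vi", 3.0), ("make", 40.0), ("ls", 5.0), ("make", 30.0)],
    [("ls", 0.0), ("vi", 4.0), ("make", 35.0), ("gcc", 2.0), ("ls", 6.0), ("cd", 1.0)],
    [("cd", 0.0), ("ls", 1.0), ("vi", 3.0), ("make", 45.0), ("ls", 4.0), ("vi", 2.0)],
]
NORMAL_TEST = [("ls", 0.0), ("cd", 2.0), ("vi", 3.0), ("make", 38.0), ("ls", 4.0)]
# A constructed masquerader session: unfamiliar commands fired in quick succession.
MASQUERADE_TEST = [("ls", 0.0), ("cat", 0.2), ("find", 0.1), ("tar", 0.1), ("scp", 0.1), ("rm", 0.1)]


class CommandAutomaton:
    """States are commands; each edge records how often the transition occurred in
    training and the mean delay observed on it (a first-order simplification)."""

    def __init__(self, sessions):
        self.edge_count = Counter()
        self.out_count = Counter()
        delays = defaultdict(list)
        for session in sessions:
            for (prev, _), (cur, dt) in zip(session, session[1:]):
                self.edge_count[(prev, cur)] += 1
                self.out_count[prev] += 1
                delays[(prev, cur)].append(dt)
        self.mean_delay = {edge: mean(d) for edge, d in delays.items()}

    def transition_prob(self, prev, cur):
        # Unknown source state gives probability 0 (Counter returns 0 for missing keys).
        return self.edge_count[(prev, cur)] / self.out_count[prev] if self.out_count[prev] else 0.0

    def indicators(self, session):
        """Three indicators in [0, 1]: share of never-seen transitions, mean rarity (1 - p)
        of the transitions taken, and mean relative deviation from the expected delay."""
        edges = list(zip(session, session[1:]))
        if not edges:
            return 0.0, 0.0, 0.0
        unseen, rarity, timing = 0, [], []
        for (prev, _), (cur, dt) in edges:
            p = self.transition_prob(prev, cur)
            if p == 0.0:  # transition absent from the profile: maximally rare, timing unknown
                unseen += 1
                rarity.append(1.0)
                timing.append(1.0)
            else:
                rarity.append(1.0 - p)
                expected = self.mean_delay[(prev, cur)]
                timing.append(min(1.0, abs(dt - expected) / max(expected, 1e-9)))
        n = len(edges)
        return unseen / n, sum(rarity) / n, sum(timing) / n


def tri(x, a, b, c):
    """Triangular membership function that peaks at b and is zero outside (a, c)."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify(x):
    """Memberships of one indicator in the linguistic terms LOW / MEDIUM / HIGH."""
    return {"low": tri(x, -0.5, 0.0, 0.5), "medium": tri(x, 0.0, 0.5, 1.0), "high": tri(x, 0.5, 1.0, 1.5)}


THREAT_LEVEL = {"low": 0.1, "medium": 0.5, "high": 0.9}  # output singletons (assumed)


def threat_score(novelty, rarity, timing):
    """Mamdani-style evaluation: AND = min, rules with the same consequent are
    combined with max, and the result is the membership-weighted mean of the
    output levels. The rule base is an assumption for this example."""
    n, r, t = fuzzify(novelty), fuzzify(rarity), fuzzify(timing)
    fired = {
        "high": max(n["high"], min(r["high"], t["high"])),
        "medium": max(n["medium"], min(r["medium"], t["medium"]), min(n["low"], t["high"])),
        "low": max(min(n["low"], t["low"]), min(n["low"], r["low"])),
    }
    total = sum(fired.values())
    if total < 1e-12:
        return 0.0
    return sum(THREAT_LEVEL[k] * v for k, v in fired.items()) / total


def classify(score):
    """Thresholds are assumptions; an operator would tune them per user."""
    return "alert" if score >= 0.6 else "suspicious" if score >= 0.35 else "normal"


def evaluate(profile, session):
    score = threat_score(*profile.indicators(session))
    return score, classify(score)


if __name__ == "__main__":
    profile = CommandAutomaton(TRAIN_SESSIONS)
    for name, session in (("normal", NORMAL_TEST), ("masquerade", MASQUERADE_TEST)):
        score, verdict = evaluate(profile, session)
        print(f"{name:10s} indicators={profile.indicators(session)} score={score:.3f} -> {verdict}")
```

The point of the fuzzy stage is that no single indicator has to cross a hard threshold: a session whose commands are all known but whose timing is badly off, or one with a moderate share of unseen transitions, still lands in the "suspicious" band instead of being silently accepted, and the operator tunes membership functions and output levels rather than a single cutoff.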
Acknowledgements
The authors are thankful to all the referees for their comments and suggestions, which helped bring the paper to its present form.
Cite this article
Liu, W., Mao, Y., Ci, L. et al. A Fuzzy Approach to User-level Intrusion Detection. Int. J. Fuzzy Syst. 23, 862–877 (2021). https://doi.org/10.1007/s40815-020-00947-1