Abstract:
A hybrid model based mostly on a high-order Markov chain and occasionally on an independence model is proposed for profiling the command sequence of a computer user in order to identify a "signature behavior" for that user. Based on the model, an estimation procedure for such a signature behavior driven by Maximum Likelihood (ML) considerations is devised. The formal ML estimates are numerically intractable, but the ML-optimization problem can be substituted by a linear inverse problem with positivity constraints (LININPOS), for which the EM algorithm can be used as an equation solver to produce an approximate ML estimate. A user's command sequence is then compared to his and others' estimated signature behavior in real time, by means of statistical hypothesis testing. A form of the likelihood-ratio test is used to test whether a given sequence of commands is from the proclaimed user, with the alternative hypothesis being a masquerader. Data from a real-life experiment, conducted at a research lab, is used to assess the method.
Keywords:
Anomaly Detection; Unix; Mixture Transition Distribution (MTD); LININPOS; EM.
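
The likelihood-ratio test from the abstract, as an added example that is not code from the paper: each user's profile scores a session with a mixture-transition-distribution form, and the proclaimed user's log-likelihood is compared with the best competing profile. Assumptions made here: the lag weights are fixed by hand, the transition matrix comes from smoothed lag-1 counts rather than the LININPOS/EM estimate, the decision threshold is 0, and the command sequences are constructed sample data.

```python
import math
from collections import Counter, defaultdict

# Constructed sample command histories (not data from the paper's experiment).
TRAIN = {
    "alice": "ls cd ls vi make ls cd vi make gdb make ls vi make".split(),
    "bob": "mail ls mail rm ls mail lpr mail rm ls mail lpr".split(),
}
VOCAB = sorted({c for seq in TRAIN.values() for c in seq} | {"<other>"})
LAG_WEIGHTS = (0.6, 0.3, 0.1)  # assumed weights for lags 1..3, summing to 1

def fit_transitions(seq, alpha=0.5):
    """Additively smoothed lag-1 transition matrix R[prev][next] over VOCAB."""
    counts = defaultdict(Counter)
    for prev, nxt in zip(seq, seq[1:]):
        counts[prev][nxt] += 1
    R = {}
    for prev in VOCAB:
        total = sum(counts[prev].values()) + alpha * len(VOCAB)
        R[prev] = {n: (counts[prev][n] + alpha) / total for n in VOCAB}
    return R

def log_likelihood(R, seq):
    """MTD form: P(c_t | past) = sum_j w_j * R[c_{t-j}][c_t]."""
    seq = [c if c in R else "<other>" for c in seq]  # unseen commands share one bin
    ll = 0.0
    for t in range(len(LAG_WEIGHTS), len(seq)):
        p = sum(w * R[seq[t - j]][seq[t]] for j, w in enumerate(LAG_WEIGHTS, 1))
        ll += math.log(p)
    return ll

def likelihood_ratio(profiles, claimed, seq):
    """log L(claimed user) minus the largest log L among all other users."""
    own = log_likelihood(profiles[claimed], seq)
    other = max(log_likelihood(R, seq) for u, R in profiles.items() if u != claimed)
    return own - other

def is_masquerade(profiles, claimed, seq, threshold=0.0):
    return likelihood_ratio(profiles, claimed, seq) < threshold

PROFILES = {user: fit_transitions(seq) for user, seq in TRAIN.items()}
```

A negative ratio means some other user's profile explains the session better than the proclaimed user's; in practice the threshold would be tuned against a target false-alarm rate.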
