Int. J. of Security and Networks   »   2015 Vol.10, No.1



Title: Masquerade detection on GUI-based Windows systems


Authors: Arshi Agrawal; Mark Stamp


Department of Computer Science, San Jose State University San Jose, CA 95192, USA
Department of Computer Science, San Jose State University San Jose, CA 95192, USA


Abstract: A masquerader is an attacker who attempts to mimic the behaviour of a legitimate user so as to evade detection. Much previous research on masquerade detection has focused on analysis of command-line input in UNIX systems. However, these techniques may fail to detect attacks on modern graphical user interface (GUI)-based systems, where typical user activities include mouse movements, in addition to keystrokes. We have developed an event logging tool for Windows systems which has been used to collect a large, publicly available dataset suitable for testing masquerade detection strategies. Using this dataset, we employ hidden Markov model (HMM) analysis to compare the effectiveness of various detection strategies. Our results show that a linear combination of keyboard activity and mouse movements, yields stronger results than when relying on keyboard activity alone, or mouse movements alone. These preliminary results can serve as a baseline for future masquerade detection research.


Keywords: masquerade detection; Windows; GUI; graphical user interface; HMM; hidden Markov models; mouse movements; keystrokes; event logging; keyboard activity; masqueraders; masquerade attacks; security.


DOI: 10.1504/IJSN.2015.068409


Int. J. of Security and Networks, 2015 Vol.10, No.1, pp.32 - 41


Submission date: 23 May 2014
Date of acceptance: 25 Aug 2014
Available online: 28 Mar 2015



Editors Full text accessPurchase this articleComment on this article