Authors: Arshi Agrawal; Mark Stamp
Addresses: Department of Computer Science, San Jose State University San Jose, CA 95192, USA ' Department of Computer Science, San Jose State University San Jose, CA 95192, USA
Abstract: A masquerader is an attacker who attempts to mimic the behaviour of a legitimate user so as to evade detection. Much previous research on masquerade detection has focused on analysis of command-line input in UNIX systems. However, these techniques may fail to detect attacks on modern graphical user interface (GUI)-based systems, where typical user activities include mouse movements, in addition to keystrokes. We have developed an event logging tool for Windows systems which has been used to collect a large, publicly available dataset suitable for testing masquerade detection strategies. Using this dataset, we employ hidden Markov model (HMM) analysis to compare the effectiveness of various detection strategies. Our results show that a linear combination of keyboard activity and mouse movements, yields stronger results than when relying on keyboard activity alone, or mouse movements alone. These preliminary results can serve as a baseline for future masquerade detection research.
Keywords: masquerade detection; Windows; GUI; graphical user interface; HMM; hidden Markov models; mouse movements; keystrokes; event logging; keyboard activity; masqueraders; masquerade attacks; security.
International Journal of Security and Networks, 2015 Vol.10 No.1, pp.32 - 41
Available online: 28 Mar 2015Full-text access for editors Access for subscribers Purchase this article Comment on this article