164 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE … · E-mail: [email protected]. F. Baiardi is with the Department of Computer Science, Pisa University, Pisa 56017, Tuscany, Italy

DDSGA: A Data-Driven Semi-Global AlignmentApproach for Detecting Masquerade Attacks

Hisham A. Kholidy, Fabrizio Baiardi, and Salim Hariri,Member, IEEE Computer Society

Abstract—A masquerade attacker impersonates a legal user to utilize the user services and privileges. The semi-global alignment

algorithm (SGA) is one of the most effective and efficient techniques to detect these attacks but it has not reached yet the accuracy and

performance required by large scale, multiuser systems. To improve both the effectiveness and the performances of this algorithm, we

propose the Data-Driven Semi-Global Alignment, DDSGA approach. From the security effectiveness view point, DDSGA improves the

scoring systems by adopting distinct alignment parameters for each user. Furthermore, it tolerates small mutations in user command

sequences by allowing small changes in the low-level representation of the commands functionality. It also adapts to changes in the

user behaviour by updating the signature of a user according to its current behaviour. To optimize the runtime overhead, DDSGA

minimizes the alignment overhead and parallelizes the detection and the update. After describing the DDSGA phases, we present the

experimental results that show that DDSGA achieves a high hit ratio of 88.4 percent with a low false positive rate of 1.7 percent. It

improves the hit ratio of the enhanced SGA by about 21.9 percent and reduces Maxion-Townsend cost by 22.5 percent. Hence,

DDSGA results in improving both the hit ratio and false positive rates with an acceptable computational overhead.

Index Terms—Masquerade detection, sequence alignment, security, intrusion detection, attacks

Ç

1 INTRODUCTION

A masquerader is an attacker who authenticates as alegal user by stealing its credentials or by violating the

authentication service. An insider masquerader is a legalsystem user that misuses his/her privileges to access dis-tinct accounts and perform unauthorized actions. An out-sider aims to utilize all the privileges of a legal user.Alternative implementations of this attack [1] do exist, suchas duplication or ex-filtration of user password, installationof software with backdoors or malicious code, eavesdrop-ping and packet sniffing, spoofing and social engineeringattacks. These attacks may leave some trail in log files that,after the fact, can be linked to some user. In this case, a loganalysis by a host-based IDS remains the state-of-the art todetect these attacks. Attacks that do not leave an audit trailin the target system may be discovered by analyzing theuser behaviors through masquerade detection. At first, mas-querade detection builds a profile for each user by gatheringinformation such as login time, location, session duration,CPU time, commands issued, user ID and user IP address.Then, it compares these profiles against logs and signals as

an attack any behaviour that does not match the profile. Thecurrent detection approaches have not achieved the level ofaccuracy and performance for practical deployment in spiteof the large amount of information they used to build a pro-file such as command line commands, system calls, mousemovements, opened files names, opened windows title, andnetwork actions. Semi-global alignment (SGA) [2] is one ofthe most efficient detection algorithms and its accuracy wasimproved by Coull et al. [3]. We refer to this new improve-ment as “Enhanced-SGA”. This paper introduces the Data-Driven Semi-Global Alignment (DDSGA) approach, whichimproves both the detection accuracy and the computa-tional performance of the Enhanced-SGA and of HSGAA[4] that is also based upon SGA. The main idea underlyingDDSGA is to consider the best alignment of the active ses-sion sequence to the recorded sequences of the same user.After discovering the misalignment areas, we label them asanomalous and several anomalous areas are a strong indica-tor of a masquerade attack. DDSGA improves the securityefficiency by using not only lexical matching such as stringmatching or longest common substring searches, but alsoby tolerating small mutations in the sequences with smallchanges in the low-level representation of the user com-mands. To this purpose, a command can be aligned withone that implements the same functionalities. To increasethe hit ratio and reduce both false positive and false nega-tive rates, DDSGA pairs each user with distinct gap inser-tion penalties according to the user behavior. Furthermore,it improves both the alignment scoring system and theupdate phase of Enhanced-SGA to tolerate changes inbehaviours without significantly reducing the alignmentscore. To reduce both the runtime overhead and the mas-querader live time inside the system, DDSGA implementsthe detection and update operations in parallel threads andsimplifies the alignment. After highlighting the SEA dataset[5] that we use to compare DDSGA against other

� H.A. Kholidy is with the Faculty of Computers and Information,Fayoum University, Fayoum, Egypt, the Department of Computer Sci-ence and Engineering, Qatar University, Doha, Qatar, the NSF Cloudand Autonomic Computing Center, College of Electrical and ComputerEngineering, University of Arizona, Tucson, Arizona, and the Dipar-timento di Informatica, Universit�a di Pisa, Pisa, Italy.E-mail: [email protected].

� F. Baiardi is with the Department of Computer Science, Pisa University,Pisa 56017, Tuscany, Italy. E-mail: [email protected].

� S. Hariri is with the NSF Cloud and Autonomic Computing Center,College of Electrical and Computer Engineering, University of Arizona,Tucson, Arizona. E-mail: [email protected].

Manuscript received 3 June 2012; revised 27 Jan. 2014; accepted 2 May 2014.Date of publication 2 June 2014; date of current version 13 Mar. 2015.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TDSC.2014.2327966

164 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 12, NO. 2, MARCH/APRIL 2015

1545-5971 � 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

techniques, Section 2 briefly reviews masquerade detection.Section 3 discusses the SGA algorithm. Section 4 introducesDDSGA and describes its three main phases namely, config-uration, detection, and update. It also describes the modulesand experimental results for each phase and compares themagainst other approaches. Lastly, Section 5 draws some con-clusion and outlines future work.

1.1 SEA Dataset

Currently, five data sets may be used to evaluatemasqueradedetection techniques: SEA, Greenberg, Purdue, RUU, andour CIDD dataset [5], [7], [8], [9], and [10]. The SEA datasethas become the de-facto standard because it has been used bymany researchers working onmasquerade detection. In prin-ciple, this simplifies the comparison of distinct approaches.SEA consists of commands and user names collected fromUNIX acct audit data. The data describe 50 different userseach issuing 15,000 commands. The first 5,000 commands ofeach user are assumed to be genuine. The remaining com-mands of a user are splitted into 100 blocks of 100 commandseach. Each block maybe seeded with masquerade users, i.e.with commands of other users. There is a 1 percent probabil-ity that a block is a masquerader and, in this case, there is aprobability of 80 percent that the next one is a masqueraderas well. As a result, approximately 5 percent of the test dataare masquerades. One of the most critical defects of SEA isthat it neglects command arguments and parameters. Due tothe way acct collects audit data, it is difficult to distinguishcommands typed by human users from those generated byshell scripts. Due to the repetitive execution of shell scripts,for some users this may result in a very regular pattern with afew commands. To address some methodological shortcom-ings, two alternative configurations of SEA, namely 1v49 [11]and SEA-I [12], have been defined but they have not beenwidely used and do not truthfully represent real world mas-querader activities.

2 RELATED WORK IN MASQUERADE DETECTION

We briefly outline some masquerade detection approaches.The uniqueness approach [6] assumes that commands thathave not been seen in the training data indicate a masquer-ader. Moreover, the probability that a masquerader hasissued a command is inversely related to the number ofusers that use such a command. While uniqueness has arelatively poor performance, it is one of the fewapproaches that target false alarm rate of 1 percent. Na€ıveBayes One-step Markov [13] is based upon one-step transi-tions from a command to the next. It builds two transitionmatrices for each user from, respectively, the training data-base and the testing one and it triggers an alarm whenthese matrices noticeably differ. The false alarm rate of thismethod is not satisfactory. The Hybrid Multi-Step Markovmethod [14] is based on Markov chains. When a Markovmodel cannot be adopted because too many commands inthe testing data have not been observed in the training, asimple independence model with probabilities estimatedfrom a contingency table of users versus commands maybe more appropriate. Schonlau et al. [6] toggled between aMarkov model and the simple independence one. Thisapproach achieves the best performance among the

considered methods. The main idea underlying the com-pression approach [6] is that new and old data from thesame user should compress at about the same ratio.Instead, data from a masquerading user will compress at adifferent ratio. Among the proposed methods, this resultsin the worst performance. Incremental Probabilistic ActionModeling (IPAM) [15] is based upon one-step commandtransition. It estimates the probability of each transitionfrom the training data set and uses it to predict thesequence of user commands. Too many false predictionssignal a masquerader. This method is in the lowest-per-forming group. Sequence-matching [16] computes a simi-larity match between the user profiles and thecorresponding sequence of commands. Any score lowerthan a threshold signals a masquerader. Its performanceon the SEA data set is not very high. Support VectorMachine (SVM) [17] denotes a set of machine learningalgorithms for binary data classification. It exploits a set ofsupport vectors in the training data that outlines a hyper-plane in feature space [17]. SVM can potentially learn alarge set of patterns but it results in high false alarm ratesand a low detection rate. Furthermore, the user profile hasto be updated to reduce false alarms. Szymanski andZhang [18] propose a recursive data mining approach thatdiscovers frequent patterns in the sequence of user com-mands, encodes them with unique symbols, and rewritesthe sequence with the new coding. Then, a one-class SVMclassifier detects masqueraders. This approach demandsmixing user data and may not be ideal or easily imple-mented in real-world. It also suffers of some of the SVMshortcomings. Maxion and Townsend [11] applied a Na€ıveBayes classifier widely used in text classification tasks andthat classifies sequences of user-command data into eitherlegitimate or masquerader. The method has not yetachieved the level of accuracy for practical deployment.Dash et al. [19] introduced an episode based Na€ıve Bayestechnique that extracts meaningful episodes from a longsequence of commands. The Na€ıve Bayes algorithm identi-fies these episodes either as masquerade or normal accord-ing to the number of commands in masquerade blocks.The proposed technique significantly improves the hit ratiobut it still has high false positive rates and it does notupdate the user profile. Alok et al. [20] integrates a Na€ıveBayes approach with one based on a weighted radial basisfunction, WRBF, similarity. The Na€ıve Bayes algorithmincludes information on the probabilities of commands byone user over the other users. Instead, the WRBF similaritytakes into account the similarity measure based on the fre-quency of commands, f, and the weight associated with thefrequency vectors. Here, f is a similarity score between aninput frequency vector and a frequency vector from thetraining data set. The experiments confirm that WRBF-NBsignificantly improves the hit ratio but, as the previousapproach, it suffers from the high false positive rates. Fur-thermore, it increases the overall overhead by computingboth the Na€ıve Bayes and the WRBF and integrating theirresults. Lastly, it does not update the user profile andneglects the low level representation of user commands.Dash et al. [21] introduced an adaptive Na€ıve Bayesapproach based on the premise that both the commands ofa legitimate user and those of an attacker may differ from

KHOLIDY ET AL.: DDSGA: A DATA-DRIVEN SEMI-GLOBAL ALIGNMENT APPROACH FOR DETECTING MASQUERADE ATTACKS 165

the trained signature but the deviation of the legitimateuser is momentary, whereas the attacker one persists lon-ger.The improvement in the performance of detection hasbeen empirically verified using several data sets. However,the false positive rate is still high. Malek and Salvatore [22]have modeled user OS commands as bag-of-words withouttiming information. They used a one-class support vectormachine to achieve a better performance than threshold-based comparison with a distance metric. The ability ofsequence alignment algorithms to find areas of similaritycan be exploited to differentiate legitimate usage from mas-querade attacks. To do so, a signature of the normal userbehavior should be created by collecting sequences of auditdata. Then, this signature is aligned with audit data frommonitored sessions to find areas of similarity. Areas thatdo not align properly are assumed to be anomalous, andseveral anomalous areas are a strong indicator of masquer-ade attacks [2]. Among sequence alignment algorithmssuch as global, local and semi-global alignments, the mostefficient one is semi-global alignment. Adesina et al. [23]modified the scoring function of the semi-global alignmentalgorithm to improve the detection efficiency. They used asystematically generated ASCII coded sequence audit datafrom Windows and UNIX systems as simulations for theintrusion data set. However, a real time evaluation usingone of the current data sets is missing.

Coull et al. [2] modified the Smith-Waterman align-ment algorithm [24] to a semi-global alignment algorithmthat is described with some evolutions and enhancements[3] in the next section. Fig. 1 compares different techni-ques in terms of the Receiver Operator Characteristic(ROC) curves [3], [25] and the Maxion-Townsend costfunction [11] and it shows that SGA achieves the bestperformances. The Maxion-Townsend cost function ratesa masquerade detection algorithm and defines the detec-tion cost as in Eq. (1).

Cost ¼ 6 � False Positive Rateþ ð100�HitRatioÞ: (1)

3 SGA AND THE ENHANCED-SGA

This section describes in some details SGA and some pro-posals to enhance it.

SGA is more accurate and efficient than currentapproaches. It has low false positive and missing alarmrates and high hit ratio. It can be adopted in heterogeneousenvironment with distinct operating system because it canbe applied to distinct audit data such as command lineentries, mouse movements, system calls, registry events, fileand folder names, sequence of opened windows titles andnetwork access audit data. SGA aligns large sequence areasas in global alignments, while preserving the nature of localalignments. It can ignore both prefixes and suffixes and itonly aligns the conserved area with the maximal similarity.Fig. 2 shows an application of SGA and the influentialparameters of an alignment namely: match score, mismatchscore, test_gap penalty, signature_gap penalty, and detec-tion threshold.

To discover the optimal alignment, SGA exploitsdynamic programming. To this purpose, it initializes anmþ 1 by nþ 1 score matrix, M, and then determines thevalue of each position of M by one of three transitions, seeFig. 3:

1) Diagonal transition. It aligns the i� 1 symbol in thesignature sequence with the j� 1 symbol in the testsequence. The alignment score depends upon thelexical match of the symbols being aligned and it isadded toMði� 1; j� 1Þ.

2) Vertical transition. A gap is inserted into the signa-ture sequence and it is aligned with the j�1 sym-bol in the test sequence. The gap penalty is addedto Mði; j� 1Þ.

3) Horizontal transition. A gap is inserted into the testsequence and aligned with the i�1 symbol in the

Fig. 1. ROC curves for detection techniques that use SEA Dataset.

Fig. 2. An alignment example using SGA algorithm.

Fig. 3. The three transitions to fill each cell in the transition-matrix.


signature sequence. The gap penalty is added toMði� 1; jÞ.

The SGA scoring system determines the gap penalties intransitions 2 and 3. The actual alignment depends upon themaximum value of the three transitions and its value isassigned to M(i, j). M(i, j) is the score of the optimal align-ment of all symbols up to location i�1 in the signaturesequence and j�1 in the test one. Hence, M(m, n) as thescore of the optimal alignment of the two sequences. Wecan rebuild this alignment by tracing back the transitionsthat have produced the score.M(m, n) measures the similar-ity of the two sequences according to the scoring systemused and it is an indicator of masquerade attacks.

3.1 The Enhanced-SGA

Coull and Syzmanski [3] modified the SGA algorithm tohandle the problems of the traditional Smith-Watermanalignment algorithm from two perspectives. The first oneconsiders that the usage patterns of legal users maychange due to changes in their role or to new software. Astatic user signature is therefore prone to label as attackssome variations of legal users. To avoid these falsepositives, the signature is updated as new behaviour isencountered by exploiting the ability of SGA of discover-ing areas of similarity.

Furthermore, as discussed in Section 4.2.3, they definedtwo scoring systems, the command grouping and binaryscoring systems, to set the alignment scores and the gapinsertion penalties. The signature update scheme is appliedwith the binary scoring, their most efficient system. Thisscheme augments both the current signature sequence withinformation on the new behaviours and the user lexiconwith the new commands the user invokes. The scheme alsointroduces a threshold for each user profile to ensure thatboth the signature sequence and user lexicon remain free oftainted commands from masquerade attacks. The thresholdis used in both detection and update processes, and it isbuilt through a snapshot of the user signatures. The otherperspective considers that the Smith-Waterman algorithmis computationally expensive and impractical to detect mas-querade attacks on multi-user systems. By selectively align-ing only the portions of the user signature with the highestsuccess probability, Heuristic Aligning [3] can significantlyreduce the computational overhead with almost no loss ofaccuracy in detection. These modifications have been testedon the SEA data set to simplify the comparison with otherapproaches.

4 THE DATA-DRIVEN SEMI-GLOBAL ALIGNMENT

APPROACH

DDSGA is a masquerade detection approach based uponEnhanced-SGA [3]. It aligns the user active sessionsequence to the previous ones of the same user and itlabels the misalignment areas as anomalous. A masquer-ade attack is signaled if the percentage of anomalous areasis larger than a dynamic, user dependent threshold.DDSGA can tolerate small mutations in the user sequenceswith small changes in the low level representation of usercommands and it is decomposed into a configurationphase, a detection phase and an update one. The

configuration phase, computes, for each user, the align-ment parameters to be used by both the detection andupdate phases. The detection phase aligns the user currentsession to the signature sequence. The computational per-formance of this phase is improved by two approachesnamely the Top-Matching Based Overlapping (TMBO) andthe parallelized approach. In the update phase, DDSGAextends both the user signatures and user lexicon list withthe new patterns to reconfigure the system parameters.Fig. 4 shows these phases and the modules that implementthem that we discuss in the following.

4.1 DDSGA Main Features and Improvements

DDSGA improves both the computational and the securityefficiency of the Enhanced-SGA.

From a computational perspective, DDSGA improves theperformance of both the detection and the update through aparallel multithreading scheme and a new Top-MatchingBased Overlapping approach that improves the HeuristicAligning and saves computational resources. While theHeuristic Aligning splits the signature sequence into a fixedoverlapped subsequences of size 2n, where n is the size ofthe test sequence, TMBO simplifies the alignment throughshorter overlapped subsequences. Besides saving computa-tional resources, this speeds up the detection and updatephases and consequently reduces the masquerader livetime inside the system.

With respect to the accuracy of masquerade detection,DDSA introduces distinct scoring parameters for each user,namely the gap penalties and the overlapping length. Theadoption of distinct scoring parameters for each userimproves the detection accuracy, the false positive and falsenegative rates and increase the detection hit ratio withrespect to the traditional and enhanced SGA that use thesame parameters for any user. This neglects differencesamong the behaviours of distinct users and reduces theaccuracy of detection, because the alignment cannot tolerateeven slight changes in the user behaviour over time. Start-ing from the data of each user, the configuration phase ofDDSGA computes the scoring parameters that result in themaximum alignment score for the considered user. Toimprove the accuracy of the alignment, DDSGA integratesbinary and command group, two scoring systems suggestedby Coull et al.’s, into two other scoring systems, restrictedand free permutation. The resulting systems tolerate permu-tations of previously observed patterns with a low

Fig. 4. DDSGA Phases and modules.


reduction of the score. To tolerate changes in the low-levelrepresentation of commands with the same functionality,they classify user commands into several groups and aligntwo commands in the same group without reducing thealignment score. The DDSGA configuration phase also cre-ates a dynamic threshold for each user to be used by boththe detection phase and the update one. While Enhanced-SGA builds this threshold through a snapshot of a userprofile, DDSGA builds a more sensitive and dynamicthreshold by considering any data in the profile. Further-more, DDSGA runs two update modules: the inline andlong term modules. The inline module updates the user sig-nature patterns, the user lexicon list, and their correspond-ing command categories in a reconfiguration phase. Thelong-term module updates the system with the latestchanges in the alignment parameters. It also updates thedynamic threshold values, scoring parameters, and theoverlapping length i.e., the length of the overlapped signa-ture subsequence according to maximum number ofinserted test gaps. The dynamic threshold, the scoring sys-tems, and the two update modules enable DDSGA to toler-ate slight changes in the user behaviour overtime. Table 1briefly compares DDSGA and Enhanced-SGA.

In the following sections we detail the current implemen-tation of DDSGA.

4.2 The Configuration Phase

We briefly define the parameters that this phase computesfor each user and that are used by the following phases. Thedetailed calculation of each parameter is described in theremainder of this section.

� Optimal gap penalties. The optimal test gap penaltyand the optimal signature gap penalty are paidwhen inserting a gap into the test sequence and thesignature one respectively. While in Enhanced-SGAall the users share the same fixed penalties, DDSGAcomputes two distinct penalties for each user accord-ing to distinct user behaviours. In this way, DDSGAdetermines the smallest penalties corresponding tothe maximum alignment score.

� Mismatch score. DDSGA evaluates the mismatchscore through the restricted permutation scoring

system and the free permutation one. These systemsintegrate the command grouping and binary scoringsystems defined in [3].

� Average optimal threshold. DDSGA computes a dis-tinct threshold value for each user according to thechanges in the user behavior. The threshold is usedin both the detection and update phases and its sen-sitivity affects the accuracy of both phases, as dis-cussed in the average threshold module.

� Maximum factor of test gaps (mftg). This parameterrelates the largest number of gaps inserted into theuser test sequences to the length of these sequences.DDSGA computes a distinct parameter for each userand updates it in the update phase. The detectionphase uses the parameter to evaluate the maximumlength of the overlapped signature subsequences inthe TMBO.

The configuration phase is implemented using the fol-lowing five modules.

4.2.1 DDSGA Initialization Module

To provide an independent set of test and signature sequen-ces for the configuration phase of each user, we split theuser signatures into nt non-overlapped-blocks each oflength n and use them as test sequences to the user. Thesesequences represent all given combinations of users signa-ture sequences and all the modules in the configurationphase use them to compute the user alignment parameters.These sequences differ from those used in the detectionphase. To define the signature sequences, we divide theuser signature sequence into a set of overlapped groups oflength m ¼ 2n. In this way, the last n symbols of a blockalso appear as the first n of the next one. ns, the number ofsignature subsequences is equal to nt-1 groups to considerall possible adjacent pairs of the signature sequences of sizen. We have chosen a length 2n to overlap the signaturesequence because any particular alignment uses subsequen-ces with a length that is, at most, 2n. Any longer subse-quence necessary scores poorly, because of the number ofgaps to be inserted. In fact, since the scoring alignmentdepends upon the match between the test and the signaturesubsequences, the former should be shorter than the latter.As a consequence, the signature sequence for this phaseconsists of 2n command produced by overlapping the sig-nature sequence. Hence, there are nt-1 groups that are cre-ated as in Fig. 5.

In the case of SEA, ns ¼ 49 subsequences and a testedblock consists of 100 commands because SEA markseach 100 command block as an intrusion or a non-intru-sion. Since SEA does not supply any information onwhich commands in a block correspond to the intrusion,the correctness of larger or smaller blocks cannot bechecked. The dynamic average threshold for both thedetection and update phases is the average score of allthe alignments between each test sequence of length 100-command and the 49 overlapped 2n signature subse-quences. A test sequence is not aligned with the signa-ture subsequence that contains the test sequence itselfbecause this returns a 100 percent alignment score. Wewill detail this step in the average threshold module.

TABLE 1A Comparison between DDSGA and Enhanced-SGA

Enhanced-SGA DDSGA

Accuracy 1- Command group-ing and binary scor-

ing systems2- Fixed and equalgab insertion penal-ties for all the users.3- Compute the

threshold for eachuser using snapshots

of user data.4- Signature update.

1- Free and restricted per-mutation scoring systems2- Define gab insertionpenalties for each user

independently, based onuser previous data.

3- Compute an optimalthreshold for each userwith all user signature

sequences.4- Signature update (inline

and long term).ComputationalPerformance

Heuristic Aligning. 1-TMBO Approach.2-Parallel computation.


4.2.2 User’s Lexicon Categorization Module

This module builds a lexicon for each user, i.e. list of lexicalpatterns classified according to their functionality and thatis used to tolerate changes in the low level representation ofa pattern. In SEA data set, these patterns are UNIX com-mands. This module combines the user lexicon list and com-mand grouping approach introduced in [3].

Table 2 shows an example of a classification of user com-mands into several categories according to their functionali-ties e.g., since a user can use either cat or vi to write a file,the two commands can be aligned because both belong tothe same group, “Text processing”. In the same way, grepcan be aligned with find because they both belong to“searching”.

4.2.3 Scoring Parameters Module

Starting from the test and signature subsequences of eachuser, this module returns three parameters: optimal test gappenalty, optimal signature gap penalty, and mismatch score.At first, the module inserts into the list top_match_list allthe test sequences with the top match score. This list enablesDDSGA to align the top match test sequences only ratherthan all the nt sequences. To build the top_match_list, weselect the highest match scores for all the nt sequences. Thematch score MS of a test sequence is computed as in Eq. (2).

Then, the top_match_list sequences are aligned to the nsoverlapped signature subsequences using any possible gappenalty, i.e. the test gap penalty ranges from 1 to n, whilethe signature gap penalty ranges from 1 to n. The mismatchscore is 0 and the match score is þ2.

MS ¼Xni¼1

Xntk¼1

MinðNoccur Itself pið Þ;Noccur seqkðpiÞÞ; (2)

where:

- n is the length of the test sequence, nt is number oftest sequences,

- Noccur_Itself (pi) is number of occurrence of patterni in the current evaluated sequence,

- Noccur_Seq k(pi) is number of occurrence of patterni in test sequence k.

By computing each alignment separately, we produce sev-eral alignment scores for each combination of the scoringparameters and select as the optimal parameters thoseresulting in the maximum score. If several alignments resultin this score, we select the one with the smallest penalties ofinserting a gap into the signature subsequence and test one,respectively. To justify this solution, consider that the high-est alignment score denotes a high level of alignmentbetween the test and the signature subsequences and SGAnormally subtracts these penalties from the score. Wehave applied the previous steps to each user in SEA dataset to define the corresponding optimal penalties. Fig. 6and Table 3 show the penalties for user 1.

This algorithm computes the mismatch_score parame-ter using the restricted and the free permutation scoringsystems as shown in Figs. 7a and 7b. Both systems inte-grate command grouping and binary scoring [3] and are

Fig. 5. The non-overlapped test sequences and the overlapped signa-ture subsequences.

TABLE 2User 1 Lexicon List

User’s Lexicon List Functional Group

cat File system, Text processingvi Text processingsh Shell programmingenv User environmentkill Process Managementreaper Networkingmail Internet Applicationshostname System Informationnawk Development, Shell

Programminggetopt Development, Shell

Programminggrep Searching, Text processingfind Searching

Fig. 6. The best alignment score that corresponds to the optimal combi-nations of gap penalties for user 1 in SEA Dataset.

TABLE 3Example of the Top Match Scores of User 1

Max align-ment score

Testsequenceindex (i)

Signaturegap penalty

Test gappenalty

Optimalcombina-

tion

154 2 99 95 -154 5 100 95 -154 8 97 100 -154 13 97 99 ok


based on distinct assumption about mutations in the auditdata. Command grouping assumes that sequences of auditdata mutate by replacing some original symbols with func-tionally similar ones. Command grouping assigns a staticreward of +2 to exact matches and scores a mismatchthrough the functional groups of the two commands. If acommand in the signature aligns with a mismatched com-mand in the test sequence but that belongs to the samegroup, the mismatch score is set to +1 rather than to �1. Theassumption on mutation of the binary scoring system fol-lows the results in [26] where mutation does not replacebase symbols in the user lexicon. In fact, these symbols are astrong indicator of a legal use, but the original base symbolscan be permuted in some fashion [3]. The binary scoringsystem rewards exact matches by adding +2 to the align-ment score. A mismatch is scored to +1 if the mismatchedcommand has previously occurred in the user lexicon andto �1 otherwise. Both scoring systems penalize the insertionof a gap into the signature sequence and into the test oneby, respectively, �3 and �2.

Restricted permutation scoring system. It rewards a mis-matched command in the test sequence if the two commandsbelong to the same group. These groups are manually cre-ated from a set of commonUNIX commands in the signature

sequences. Furthermore, the mismatched command of thetest sequence should have previously occurred in the userlexicon. This tolerates various permutations of previouslyobserved patternswithout reducing the score significantly.

Free permutation scoring system. This system is more toler-ant than the previous one because it does not require thatthe mismatched commands belong to the same group and iteven rewards a mismatched command provided that itbelongs to the user lexicon. This tolerates a larger numberof permutations of the signature patterns without reducingthe score significantly.

4.2.4 Average Threshold Module

This module computes a dynamic average threshold foreach user to be used in the detection phase and that may beupdated in the update phase. In the detection phase, if thezalignment score is lower than the threshold, then thebehavior is classified as a masquerade attack. Whilethe Enhanced-SGA only considers snapshots of the userdata, this module considers all the user data. This improvesthe sensitivity of the threshold that, in turns, determines theone of the detection. The module uses the same test and sig-nature subsequences of the initialization module and it canwork with a test sequence of any length because, in practicaldeployment user test session can be of any length. At first,the module builds a trace-matrix, to record all alignmentdetails of the current user. We align each test sequence to allns overlapped signature subsequences and run the moduletwice, one for each scoring systems to select the one to beused. The detection phase uses the output of this module tocompare the two scoring systems. These alignments use theoptimal scoring parameters for the current user. The mod-ule applies Eq. (3) to compute the average alignment of testsequence i, avg_align_i, and the sub_average score for allprevious alignment scores, score_align_i, of test sequence i.In the equation, max_score_align_i is the largest alignmentscore resulting from the alignment of sequence i to all ns sig-nature subsequences. Then, the module applies Eq. (4) tocompute the detection_update_threshold, the overall aver-age of the nt sub average scores.

avg align i ¼Pns

j¼1 score align ij

� �=ns

max score align i� 100 (3)

detection update threshold ¼Pnt

k¼1 avg align iknt

(4)

To compute the optimal alignment path and number oftest gaps (ntg) to be inserted into test sequence i, we applythe trace backward algorithm (TBA) to trace back the transi-tions to derive each optimal score. An example is shown inTable 4.

The Trace backward algorithm. Any dynamic programmingalgorithm can select the optimal alignment path by tracingback through the optimal scores computed by SGA. TheTBA implements one of the known dynamic programmingalgorithms to build the backward-transition-matrix, seeFig. 8, in a way that helps in filling the trace-matrix in

Fig. 7. (a) The restricted permutation scoring system, (b) The free per-mutation scoring system.


Table 4 as previously discussed. The alignment process alsoapplies the TBA to extract the final alignment path. TheTBA traces back the transition-matrix according to thelabels that the alignment has inserted into this matrix. Oneof four labels may be inserted: “M” if a match has occurred,“!M” if a mismatch has occurred, “GS” or “GT” if a gap hasbeen inserted into a signature subsequence or into the testone. Fig. 8 outlines the TBA and shows the transition-matrixand the corresponding backward-transition-matrix to alignthe test sequence “AWGHE” to the signature sequence“PAWHE”.

4.2.5 Maximum Test Gap Module

We recall that the Enhanced-SGA Heuristic Aligningdecomposes the signature subsequence into 2n overlappedsubsequences because if subsequences of length n arealigned, the maximum number of gaps that can be insertedinto the test sequence is n for all users. By tracing the SGAalgorithm, we have noticed that the maximum number ofgaps is much lower than n, the length of the test sequence,and it differs for each user according to the level of similar-ity among the subsequences in the user signature and to thelength of the test sequence. Even if the test sequence is longenough, the number of gaps is at most half of the sequencelength. This means that by partitioning the signaturesequence into 2n overlapped subsequences, the MaximumTest Gap module can divide it as in Eq. (5) to computemftg,the largest number of test gaps inserted into the user testsequences by the average threshold module. The Computa-tional Enhancement (CE) for the session alignment of a usercan be computed according to Eq. (6). We refer to the detec-tion phase for an example that explains this section.

L ¼ nþ Maxnt

k ¼ 1

ntgkltsk

� �� n

� ; (5)

where:

- ntg is number of test gaps inserted to each test sequence,- lts is the length of the test sequence,- nt is number of the test sequences of the user, fifty in case

of SEA,

CE ¼ ðn� mftgd eÞ � ð100=ð2 � nÞÞ% (6)

Where, Maximum Factor of Test Gaps inserted into all usertest sequences (mftg) is computed as in Eq. (7).

mftg ¼ Maxnt

k ¼ 1

ntgkltsk

� �� : (7)

4.3 The Detection Phase

We have run a complete alignment experiment based uponthe test and signature blocks of the SEA data set to evaluatethe alignment parameters and the two scoring systems. Thetest blocks are the actual SEA testing data and they differfrom those described in the initialization module. To simplifya comparison with other approaches, we use the ROC curveand theMaxion-Townsend cost function defined in Eq. (1).

Our experimentation focuses on the effects of the align-ment parameters on the false positive and false negativerates and on the hit ratio. This experiment did not apply themaximum test gap module. False positives, false negativesand hits are computed for each user, transformed into thecorresponding rates that are then summed and averagedover all 50 users. Equations (8), (9), and (10) show theDDSGAmetrics.

TotalFalsePositive ¼Xnuk¼1

fpknk

!nu

!� 100 (8)

Where:

- fp ¼ No. of false positive alarms,- n ¼ No. of non-intrusion command sequence blocks,- nu ¼ No. of users (50 in our case)

TotalFalseNegative ¼Xnuik¼1

fnk

nik

!nui

!� 100 (9)

Where:

- fn ¼ No. of false negatives,- ni ¼ No. of intrusion command sequence blocks,- nui ¼ No. of users who have at least one intrusion block

Fig. 8. The transition and Backward_Transition matrices respectively.The thick and the thin arrows show, respectively, the optimal path thatleads to the maximum alignment score and those that do not lead to themaximum alignment score.

TABLE 4An Example for the Trace Matrix

Test

sequence

ID

Length of

test

sequence

(lts)

Signature sub-

sequence ID

Optimal

alignment

Number of

Test gaps (ntg)

Avg-align

of test

sequence i (%)

1 100 1 27 65

..

. ... ..

. ... ..

.

1 100 49 77 22 70.31

..

. ... ..

. ... ..

. ...

50 100 1 122 9

..

. ... ..

. ... ..

.

50 100 49 102 11 73.75


TotalHitRatio ¼ 100� TotalFalseNegative: (10)

To plot the ROC curve, the experiment with the tradi-tional SGA algorithm have used distinct values of the align-ment parameters to obtain different false positive rates inthe x-axis and the corresponding hit ratios in y-axis. Wealso repeat the experiment with distinct values of somealignment parameters such as reward for matches andrewards or penalties for mismatches computed by the twoscoring systems. Fig. 9 shows the ROC curve for the twoscoring systems, the Enhanced-SGA scoring systems, andother detection approaches that also use SEA data set, basedupon the previous metrics.

According to this figure, the restricted permutation sys-tem results in higher hit ratio with corresponding low falsepositive rates. As the false positives rate increases, the freepermutation system achieves a higher hit ratio than therestricted one because it can tolerate a large number ofmutations and deviations in user behaviours. According tothis experiment, we have adopted the restricted permuta-tion system as a suitable scoring system for all the phasesof DDSGA. Table 5 compares DDSGA using the restrictedand the free permutation scoring systems against the cur-rent masquerade detection approaches sorted by Maxion-Townsend cost. The results for the various detectionapproaches, including all ROC curve values, are publishedin the references shown in Table 5 and are sorted by“Maxion Townsend cost” that is used to siplify the compar-ison by considering both the false positive and hit ratio. Were-implemented all Coul et al. works in [2], [3] to compareit against DDSGA.

The computational enhancement modules. The computa-tional complexity of SGA is rather large. As an example,it requires about 500,000 operations to test one user ses-sion for masquerade attacks in the SEA data set, becausethe length of the signature sequence is 5,000 while thatof the test sequence is 100. The resulting overhead isunacceptable in multiuser environments like cloud

systems or in computationally limited devices like wire-less systems. To reduce this overhead, we introduce twocomputational enhancements that concern, respectively,the Top-Matching Based Overlapping module and theparallelized detection module that are executed in eachalignment session. In the following, we outline in detailsthese two modules.

4.3.1 The Top-Matching Based Overlapping Module

To align the session patterns to a set of overlapped subse-quences of the user signatures, this module uses therestricted permutation scoring system, Maximum Factorof Test Gaps (mftg) in Eq. (7), and the scoring parametersof each user. As explained in Section 4.1, the TMBOimproves the Heuritic Aligning of the Enhanced-SGA.After splitting the signature sequence into a set of over-lapped blocks of length L, see Eq. (5), it chooses the sub-sequence with the highest match to be used in thealignment process. In the worst case, all overlapped

Fig. 9. ROC curve for our two scoring systems, SGA ones and otherdetection approaches.

TABLE 5A Comparison between Our Two Scoring Systems

and the Current Detection Approaches

Approach Name Hit Ratiopercent

False Positivepercent

Maxion-Town-send Cost

DDSGA(RestrictedPermutation)

83.3 3.4 37.1

DDSGA (FreePermutation)

80.5 3.8 42.3

SGA (SignatureUpdating) [3]

68.6 1.9 42.8

SGA (SignatureUpdating þHeuristicAligning) [3]

66.5 1.8 44.3

Na€ıve Bayes(WithUpdating) [11]

61.5 1.3 46.3

SGA (BinaryScoring) [3]

60.3 2.9 57.1

Adaptive Na€ıveBayes [21]

87.8 7.7 58.4

Recursive DataMining [18]

62.3 3.7 59.9

Na€ıve Bayes (NoUpdating) [11]

66.2 4.6 61.4

WRBF-NB [20] 83.1 7.7 63.1Episode basedNa€ıveBayes [19]

77.6 7.7 68.6

Uniqueness [8] 39.4 1.4 69.0HybridMarkov [14]

49.3 3.2 69.9

SGA (PreviousScoring) [2]

75.8 7.7 70.4

Bayes 1-StepMarkov [13]

69.3 6.7 70.9

IPAM [15] 41.1 2.7 75.1SGA (CommandGrouping) [3]

42.2 3.5 78.8

SequenceMatching [16]

36.8 3.7 85.4

Compression [6] 34.2 5.0 95.8


subsequences should be aligned as they have the samehighest match value. We have verified that on average,the number of alignments is rather smaller because of thevariation between the overlapped signature subsequen-ces. The evaluation of the proposed TMBO approachmainly depends upon two parameters: (a) Number ofaverage alignments for the detection process, (b) Theeffect of the TMBO on false alarm rates and hit ratio.

To evaluate our approach with respect to (a) we showthrough an example how it reduces the alignment com-putations. As far as concerns (b), we use the ROC curveand Maxion-Townsend. To evaluate TMBO, Fig. 10shows the user session patterns to be aligned to the sig-nature patterns. The configuration phase returns thesevalues: signature_gap_penalty ¼ 9, test_gap_penalty ¼ 5,optimal_score_sys ¼ “Restricted Permutation”, detectio-n_update_threshold ¼ 82.2%, and mftg (maximum factorof test_gaps) ¼ 33%.

The first step of TMBO computes the following length ofthe overlapped subsequences according to Eq. (5):

L ¼ nþ mftg �nd eð Þ ¼ 10þ 33=100 � 10d eð Þ¼ 10þ 3:3d e ¼ 10þ 4 ¼ 14:

With respect to the one in the initialization module, thecurrent overlapping runs with length L rather than 2n.Fig. 10 shows the resulting overlapped signature subse-quences of size L ¼ 14. The last subsequence, i.e. subse-quence 15, may be shorter than L, but it is still longer thanthe test sequence.

The second step computes the match corresponding toeach subsequence as shown in the front of each subse-quence in Fig. 10. We only consider the matching of subse-quence 1 because those for other subsequences are similar.If we denote by Match(X, s), the minimum between theoccurrences of X in, respectively, a user session and in asubsequence, then

MMMatchðsssubseq:1Þ¼X

ðX in A;B;C;D;E;FðMatchðX; subseq:1ÞÞ¼X

ðMinð3; 1Þ;Minð2; 2Þ;Minð1; 2Þ;Minð1; 2Þ;Minð2; 2Þ;Minð1; 2ÞÞ

¼X

ð1; 2; 1; 1; 2; 1Þ ¼ 8:

The third step chooses the top match subsequences, e.g.subsequences 2 and 15 in the example, as the best signaturesubsequences to be aligned against the test session patternsof the user. To evaluate the reduction of the workload dueto TMBO, consider the Number of Asymptotic Computa-tions (NAC) computed by Eq. (11). In the previous example,TMBO reduces the number of alignments from 3000 to 280with a saving of 90.66 percent.

NAC ¼ Avg n align � Sig len � Test len (11)

Where:

- Avg_n_align is the average number of alignmentsrequired for one detection session over all existing users.

- Sig_len is the length of the overlapped signaturesubsequence.

- Test_len is the length of the test sequence).To determine if the session patterns of the current user

contain a masquerader, the final step compares the highestscores of the previous two alignments against a detectio-n_update_threshold. As explained in the update phase, if atleast one of the previous eight alignments has a score largerthan or equal to the detection_update_threshold, then aninline update process should be executed for the signaturesubsequence and the user lexicon.

The evaluation using the SEA data set shows that TMBOreduces the maximum number of alignments from 49 to anaverage of 5.13 alignments per detection, a substantialimprovement in detection scenarios. Table 6 shows theasymptotic computations for three detection approaches.The first is our TMBO without the inline update module.The second one is the Heuristic Aligning with signatureupdate [3]. Finally, the third one is the traditional SGA algo-rithm without the Heuristic Aligning or update feature. TheNAC per one detection session can be computed as inEq. (11). If we considered that each of the fifty users in SEAdata set has one active session in a multi users system, thenTotal_NAC ¼ NAC � 50.

To evaluate false alarm rates and hit ratios, we havetested TMBO using the ROC curve and Maxion-Townsendscore. Table 7 and Fig. 11 show that TMBO has a lowerimpact on the overall accuracy than other approaches.

4.3.2 The Parallelized Detection Module

Since TMBO partitions the user signature into a set ofoverlapped subsequences, we can parallelize the detectionalgorithm because it can align the commands in the usertest session to each top match signature subsequence sepa-rately. In the example of Section 4.2.1, we can run in parallelthe threads to align subsequences 2 and 15. If a thread

Fig. 10. Overlapped Signature Subsequences of Size 14.


returns a computed alignment score at least equal to detec-tion_update_threshold, then it sends a “No Masquerader”message and then runs an inline update of both its signaturesubsequence and the lexicon of the current user. Instead, ifthe alignment score is lower than the detection_update_th-reshold, the thread raises a “Masquerader Detected” alert.Fig. 12 shows the parallelized detection module processes.

We have run several experiments using the SEA data setto evaluate how the parallel version of the module influen-ces the overall performance of detection. The experimentshave used an Intel Core 2 Duo Processor E4500 (2M Cache,2.20 GHz) with 4 GB of memory and running Windows 7SP1, Machine “A”. Machine “B” is Intel Core i3-2330M (3MCache, 2.30 GHz) with 6 GB of memory and running Win-dows 7 SP1.

The results show that there are two operational modes ofthemodule: Full ParallelizationMode (FPM) and Semi Paral-lelization (SPM) one. The module selects the most appropri-ate one according to the capabilities of the underlyingmachine and to n_aligns, the number of alignments perdetection. It selects the FPMmode if the machine capabilitiesmatch n_aligns so that the module achieves the best perfor-mance. This is themost commonmode in our experiments.

An example is the detection sessions of user 7 wheren_aligns ¼ 5, Fig. 13 shows that if five thread are used theneach thread runs a distinct alignment and this minimizesthe detection time.

The SPM mode is selected if the machine capabilitiesdo not match the required n_aligns. This results in asmall performance degradation due to inactive threads.The SPM mode is rarely selected in our experiments

TABLE 6TMBO Approach in Three Detection Approaches

Approach Name Avg-n-align NAC (1 user) NAC (50 users)

DDSGA with

L ¼ 145.73

5. 13 5. 13 � 145.73 �100 ¼ 74759.49

74759.49 �50 ¼ 3737974.5

SGA with Sig.

length ¼ 200

4.5 4.5 � 200 �100 ¼ 90,000

90,000 �50 ¼ 4,500,000

Traditional SGA

with Sig. length ¼ 200

49 49 � 200 �100 ¼ 980,000

980,000 �50 ¼ 49,000,000

TABLE 7The Masquerade Detection Approaches against DDSGA

with Its Two Scoring Systems

Approach Name Hit Ratio percent False Positive

percent

Maxion-Townsend

Cost

DDSGA (Restricted

Permutation, With-

out Updating)

83.3 3.4 37.1

DDSGA (Restricted

Permutation, With-

out Updating) þTMBO

81.5 3.3 38.3

DDSGA (Free Per-

mutation)

80.5 3.8 42.3

SGA (Signature

updating)

68.6 1.9 42.8

SGA (Signature

updating) þHeu-

ristic

66.5 1.8 44.3

Na€ıve Bayes (With

Updating)

61.5 1.3 46.3

SGA (Binary Scor-

ing, No Updating)

60.3 2.9 57.1

Fig. 12. The processes of the parallelized detection module.

Fig. 11. The impact of our TMBO approach on the system accuracy.


because the fifty users of the SEA data set results in avalue of Avg_n_align, equals to 5.13. Hence, on average,the parallelized detection module uses 6 threads to run adetection session. A SPM mode example is the detectionsessions of user 23 where n_aligns ¼ 9. Fig. 14 showsthat the shortest detection time is reached when running6 threads in machine “A” and 8 threads in machine “B”.In this case, 3 threads are idle in machine “A” and 1 inmachine “B”.

4.4 The Update Phase

The update of the user signature patterns is critical becauseany IDS should be automatically updated to the new legalbehaviours of a user. This update is implemented by twomodules: the inline update module and the long termupdate one.

4.4.1 The Inline Update Module

This module has two main tasks:

1) Finding areas in user signature subsequences to beupdated and augmented with the new user behaviorpatterns.

2) Update the user lexicon by inserting new commands.In the detection phase, after each alignment, each parallel

thread may update both the user signature subsequencesand the user lexicon. Three cases are possible in the TBA,see Fig. 15:

1) The test sequence pattern matches the correspondingsignature subsequence pattern,

2) A gap is inserted into either or both sequences3) There is at least a mismatch between the patterns in

the two sequences.In case (a), no update is required because the alignment

has properly used the symbol in the proper subsequence tofind the optimal alignment.

Also case (b) does not require an update because symbolsthat are aligned with gaps are not similar and should beneglected.

In case (c), we consider all the mismatches within the cur-rent test sequence. Then, both the signature subsequenceand the user lexicon are updated under two conditions. The

first one states that we can insert into the user signaturesonly those patterns that are free of masquerading records.This happens anytime the overall_alignment_score for thecurrent test sequence is larger than or equal to the detectio-n_update_threshold. The second condition states that thecurrent test pattern should have previously appeared inthe user lexicon or belongs to the same functional group ofthe corresponding signature pattern. The two conditionsimply that the inline module updates the user lexicon withthe new pattern if it does not belong to the lexicon. It alsoextends the pattern with the current signature subsequenceand adds the resulting subsequence to the user signatureswithout changing the original one. In other words, if a pat-tern in the user lexicon or in the same functional group of itscorresponding signature pattern has participated in a con-served alignment, then a new permutation of the behaviorof the user has been created. For instance, if the alignmentscore of the test sequence in Fig. 16 is larger than or equal tothe detection_update_threshold, then the pattern ‘E’ at theend of this test sequence has a mismatch with ‘A’ at the endof the signature subsequence. If ‘E’ exists in the user lexicon

Fig. 13. FPM and SPMmodes for user 7 in Machines “A” and “B”. Fig. 14. FPM and SPMmodes for user 23 in Machines “A” and “B”.

Fig. 15. The inline update steps.


or belongs to the same functional group of ‘A’, the signaturesubsequence is augmented so that the position with ‘A’matches with both ‘A’ or ‘E’. If ‘E’ does not belong to the lex-icon, it is also inserted into it. This simply embeds observedvariations in the signature sequence without destroying anyinformation it encodes. In this case, a new augmented sub-sequence (HEE) is inserted into the user signature subse-quences. If only the first condition is satisfied, only the userlexicon is updated so that the following checks use the newpattern. In fact, it is highly likely that a pattern that hasappeared within a conserved, high scoring alignment hasbeen created by the legitimate user.

Besides improving the computational performance ofsystem update, the module also improves the signatureupdate scheme of the Enhanced-SGA [3] as following:

1) It uses the parameters, the threshold, and the scoringsystem returned by the configuration phase.

2) It runs in parallel with the detection phase and startsas soon as the alignment score is computed. Instead,the signature update scheme runs independentlyafter each detection process and it repeats the back-ward tracing step.

3) It improves flexibility in the signature update byconsidering any occurrence of commands permuta-tions or functionality matching.

To evaluate how the inline update module reduces thefalse alarm rates and improves the hit ratio, we have usedthe ROC curve and the Maxion-Townsend score after apply-ing the inline update module. Fig. 16 and Table 8 show thatthe inline update module reduces the false alarm rates andincreases the hit ratio. Therefore, it significantly improvesthe accuracy with respect to other approaches.

4.4.2 The Long Term Update Module

This module reconfigures the system parameters throughthe outputs of the inline update module. There are threestrategies to run the module: periodic, idle time, and thresh-old. The proper one is selected according to the characteris-tic and requirements of the monitored system.

The periodic strategy runs the reconfiguration step with afixed frequency, i.e. 3 days or 1 week. To reduce the over-head, the idle time strategy runs the reconfiguration stepanytime the system is idle. This solution is appropriate inhighly overloaded systems that require an efficient use of thenetwork and computational resources. The threshold strat-egy runs the reconfiguration step as soon as the number oftest patterns inserted into the signature sequences reaches athreshold that is distinct for each user and frequentlyupdated. This approach is highly efficient because it runs themodule only if the signature sequence is changed.

5 CONCLUSION AND FUTURE WORK

Masquerading is by far one of the most critical attacksbecause an attacker that can successfully logs to a systemcan also maliciously control it. The semi-global alignments(SGA) is based upon sequence alignment and it is one ofthe most effective detection techniques that can be appliedto distinct sequences of audit data. While SGA may resultin low false positive and missing alarms rates, even itsenhanced version has not yet achieved the level of accu-racy and performance for practical deployment. This isthe reason underlying the design of the Data-DrivenSemi-Global Alignment Approach, DDSGA. From thesecurity efficiency perspective, DDSGA models more accu-rately the consistency of the behaviour of distinct users byintroducing distinct parameters. Furthemore, it offers twoscoring systems that tolerate changes in the low-levelrepresentation of the commands functionality by

Fig. 16. The impact of the inline update on the system accuracy.

TABLE 8Masquerade Detection Approaches against DDSGA with Its Inline Update Module

Approach Name HitRatio percent

FalsePositive percent

Maxion-Townsend Cost

DDSGA (Inline Update þ TMBO þ Restricted Permutation) 88.4 1.7 21.8DDSGA (Restricted Permutation, Without Updating) 83.3 3.4 37.1DDSGA (Restricted Permutation, Without Updating) þ TMBO 81.5 3.3 38.3DDSGA (Free Permutation) 80.5 3.8 42.3SGA (Signature updating) 68.6 1.9 42.8SGA (Signature updating) þHeuristic 66.5 1.8 44.3Na€ıve Bayes (With Updating) 61.5 1.3 46.3SGA (Binary Scoring, No Updating) 60.3 2.9 57.1


categorizing user commands and aligning commands inthe same class without reducing the alignment score. Thescoring systems also tolerates both permutation of itscommands and changes in the user behaviour over time.All these features strongly reduce false positive and miss-ing alarm rates and improve the detection hit ratio. In theexperiments using the SEA data set, the performance ofDDSGA is always better than the one of SGA. From thecomputational perspective, the Top-Matching Based Over-lapping approach reduces the computational load ofalignment by decomposing the signature sequence into asmaller set of overlapped subsequences. Furthermore, thedetection and the update processes can be parallelizedwith no loss of accuracy.

For future work, we plan to apply our approach to detectmasquerade attacks in cloud environment by improing ourCIDS framework [4]. As a first step, we have developed anew data set, CIDD [10] that includes distinct audit datafrom distinct host operating systems and physical networkenvironment. This will supports an evaluation of DDSGAthat can use different kinds of audit sequences.

ACKNOWLEDGMENTS

This work was supported by QNRF (a member of QatarFoundation), Fayoum University, Pisa University, AFOSRDDDAS award # FA9550-12-1-0241, and the US NationalScience Foundation (NSF) awards IIP-0758579, DUE-1303362, and SES-1314631.

REFERENCES

[1] A. H. Phyo and S. M. Furnell. “A detection-oriented classificationof insider it misuses,” in Proc. 3rd Security Conf. 2004.

[2] S. E. Coull, J. W. Branch, B. K. Szymanski, and E. A. Breimer,“Intrusion detection: A bioinformatics approach,” in Proc. 19thAnnu. Comput. Security Appl. Conf., Las Vegas, NV, USA, Dec.2003, pp. 24–33.

[3] S. E. Coulla and B. K. Szymanski, “Sequence alignment formasquerade detection,” J. Comput. Statist. Data Anal., vol. 52,no. 8, pp. 4116–4131, Apr. 2008.

[4] Hisham A. Kholidy and Fabrizio Baiardi, “CIDS: A frameworkfor intrusion detection in cloud systems,” in Proc. 9th Int.Conf. Inf. Technol.: New Generations, Las Vegas, Nevada, USA,Apr. 2012, pp. 16–18.

[5] (2001) [Online]. Available: http://www.schonlau.net/intrusion.html

[6] M. Schonlau, W. DuMouchel, W. Ju, A. F. Karr, M. Theus, and Y.Vardi, “Computer intrusion: Detecting masquerades,” Statist. Sci.vol. 16, no. 1, pp. 58–74, 2001.

[7] “Greenberg: Using unix: Collected traces of 168 users,” Dept.Comput. Sci., Univ. Calgary, Calgary, Canada, Res. Rep. 88/333/45, 1988.

[8] T. Lane and C. E. Brodley, “An application of machine learning toanomaly detection,” in Proc. 20th Nat. Inf. Syst. Security Conf.,1997, pp. 366–380.

[9] RUU data set: (2008) [Online] Available: http://sneakers.cs.columbia.edu/ids/RUU/data/.

[10] Hisham. A. Kholidy and Fabrizio Baiardi, “CIDD: A cloud intru-sion detection data set for cloud computing and masqueradeattacks,” in Proc. 9th Int. Conf. Inf. Technol.: New Generations, LasVegas, NV, USA, Apr. 2012, pp. 16–18.

[11] R. A. Maxion and T. N. Townsend, “Masquerade detection usingtruncated command lines,” in Proc. Int. Conf. Dependable Syst.Netw., Washington, DC, USA, Jun. 2002, pp. 219–228.

[12] R. Posadas, J. C. Mex-Perera, R. Monroy, and J. A. Nolazco-Flores,“Hybrid method for detecting masqueraders using session fold-ing and hidden markov models,” in Proc. 5th Mexican Int. Conf.Artif. Intell., 2006, pp. 622–631.

[13] W. Dumouchel. (1999). “Computer intrusion detection based onBayes Factors for comparing command transition probabilities”.Technical report 91, National Institute of Statistical Sciences,[Online]. Available: www.niss.org/downloadabletechreports.html

[14] W. Ju and Y. Vardi. (1999). “A hybrid high-order Markov chainmodel for computer intrusion detection”. Nat. Inst. Statist. Sci.Research Triangle Park, NC, USA, Tech. Rep. 92. [Online]. Avail-able: www.niss.org/downloadabletechreports.html

[15] Brian D. Davison and Haym Hirsh, “Predicting sequences of useractions,” in Proc. Joint Workshop Predicting Future: AI ApproachesTime Ser. Anal., 1998, pp. 5–12.

[16] T. Lane and C. E. Brodley, “Approaches to online learning andconcept drift for user identification in computer security,” in Proc4th Int. Conf. Knowl. Discovery Data Mining, New York, NY, USA,Aug. 1998, pp. 259–263.

[17] B. Christopher, “A tutorial on support vector machines for patternrecognition,” Data Mining Knowl. Discovery, vol. 2, no. 2, pp. 121–167, 1998.

[18] B. Szymanski and Y. Zhang, “Recursive data mining for masquer-ade detection and author identification,” in Proc. IEEE 5th Syst.,Man .Cybern. Inf. Assurance Workshop, West Point, NY, USA, Jun.2004, pp. 424–431.

[19] S. K. Dash, K. S. Reddy, and A. K. Pujari, “Episode based mas-querade detection,” in Proc. 1st Int. Conf. Inf. Syst. Security, 2005,pp. 251–262.

[20] A. Sharma and K. K. Paliwal, “Detecting masquerades using acombination of Na€ıve Bayes and weighted RBF approach,” J. Com-put. Virology, vol. 3, no. 3, pp, 237–245, 2007.

[21] Subrat Kumar Dash, K. S. Reddy, and K. A. Pujari, “AdaptiveNaive Bayes method for masquerade detection”, Security Com-mun. Netw., vol. 4, no. 4, pp. 410–417, 2011.

[22] S. Malek and S. Salvatore, “Detecting masqueraders: A compari-son of one-class bag-of-words user behavior modelingtechniques,” in Proc. 2nd Int. Workshop Managing Insider SecurityThreats, Morioka, Iwate, Japan. Jun. 2010, pp. 3–13.

[23] A. S. Sodiya, O. Folorunso, S. A. Onashoga, and P. O. Ogundeyi,“An improved semi-global alignment algorithm for masqueradedetection,” Int. J. Netw. Security, vo1. 12, no. 3, pp. 211–220, May2011.

[24] T. F. Smith andM. S. Waterman, “Identification of commonmolec-ular subsequences,” J. Molecular Biol., vol. 147, pp. 195–197, 1981.

[25] D. B. Christopher and T. D. Herbert, “Receiver operating charac-teristic curves and related decision measures: A tutorial,” Chemo-metrics Intell. Lab. Syst., vol. 80, pp. 24–38, 2006.

[26] K. Wang and S. J. Stolfo, “One class training for masqueradedetection,” in Proc. IEEE 3rd Conf. Workshop Data Mining Comput.Secur., Florida, Nov. 2003.

Hesham AbdElazim Ismail Mohamed Kholidyreceived the PhD degree in computer scienceand engineering in a joint PhD program betweenthe University of Pisa in Italy and the University ofArizona. He was an associate researcher in theUS National Science Foundation (NSF) Cloudand Autonomic Computing Center, Electrical andComputer Engineering Department, University ofArizona, and a research fellow at Galileo GalileiDoctorate School at the University of Pisa. Herecently published a new patent in Data Encryp-

tion in the United State Patent and Trademark Office (USPTO). He pub-lished more than 25 papers in top journals and conferences, and hesupervises a group of master’s and PhD students. His research interestsinclude information security, distributed and high-performance systemsincluding Grid and Cloud computing systems, critical and SCADA sys-tems, and bioinformatics.


Fabrizio Baiardi received the degree from Uni-versit�a di Pisa, where he is currently a full profes-sor of computer science. He has chaired themaster’s degree on computer security, andteaches some courses on the security of cloudsystems. His main research interests include for-mal tools for the risk assessment and manage-ment of cloud systems and critical infrastructures.He is currently involved in several projects onintrusion detection of cloud and SCADA systems.

Salim Hariri received the MSc degree from OhioState University in 1982 and the PhD degree incomputer engineering from the University ofSouthern California in 1986. He is a professorin the Electrical Communication EngineeringDepartment at the University of Arizona and thedirector of the US National Science Foundation(NSF) Center: Cloud and Autonomic ComputingCenter. His current research focuses on high-per-formance distributed computing, design and anal-ysis of high-speed networks, and developing

software design tools for high-performance systems. He has coauthoredmore than 200 journal and conference research papers, and is a coau-thor/editor of three books on parallel and distributed computing. He is amember of IEEE Computer Society.

" For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Documents

164 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE … · E-mail: [email protected]. F. Baiardi is with the Department of Computer Science, Pisa University, Pisa 56017, Tuscany, Italy