Intrusions on computer infrastructures present growing problems for the computer and information system industry. One of the most damaging attacks or intrusions is masquerading, where an attacker assumes the identity of a legitimate user of a computer system. Masquerade attacks occur when an intruder obtains a legitimate user's login credentials by misappropriation, theft or other unscrupulous methods. This type of security breach is difficult to detect, because the attacker appears to be a legitimate or normal user with valid authority and privileges. A masquerade attacker may be an insider, an authorized user of the system who misuses their privileges to access other accounts and perform unauthorized actions. A masquerade attacker may be an outsider, one who does not have authorized access to a system but aims to use all of the privileges of an authorized user of the system. A masquerade attack may also be implemented with any conventional hacking method, including, but not limited to, duplication or exfiltration of an authorized user's password, installation of software with backdoors or malicious code, eavesdropping and packet sniffing, spoofing and social engineering attacks. A masquerade attack may also be implemented through phishing emails or email attachments.
Some of the attacks above may leave an audit trail in the target system's log files. Conventional masquerade detection systems can analyze these logs to detect the attacks. Attacks that do not leave an audit trail in the target system may be discovered by analyzing user behavior through masquerade detection. Conventional masquerade detection systems first build a profile for each user of the system by gathering information such as login time, location, session duration, CPU time, commands issued, user ID and user IP address. These profiles may also take into account user interactions with a system, including, but not limited to, command line commands, system calls, mouse movements, names of opened files, titles of opened windows, and network actions. These conventional masquerade detection systems then compare these profiles against logs and identify any behavior that does not match the profile as an attack. These conventional masquerade detection systems have a level of accuracy and performance that is practical for small-scale deployments; on large-scale computer systems, however, they have difficulty distinguishing attackers from normal users with high accuracy.
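The profile-then-compare approach described above, as an added worked example that is not part of the original text: one behavioural profile per user is built from historical sessions (login hour, source IP, session duration, commands issued), and later sessions are scored by how many profile attributes they violate. All session data is constructed for illustration, and the deviation rules (two standard deviations for hour and duration, any unseen IP, more than a third novel commands) and the alert threshold are this example's own assumptions.

```python
"""Profile-based masquerade detection over constructed audit-log sessions.

Added example: builds one behavioural profile per user from historical
sessions and flags later sessions that deviate from that profile. All
session data below is constructed; the scoring rules and thresholds are
assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Session:
    user: str
    login_hour: int          # 0-23, local time
    src_ip: str
    duration_min: int
    commands: tuple          # commands issued during the session


@dataclass
class Profile:
    hours: list = field(default_factory=list)
    ips: Counter = field(default_factory=Counter)
    commands: Counter = field(default_factory=Counter)
    durations: list = field(default_factory=list)


def build_profiles(history):
    """Aggregate historical sessions into one Profile per user."""
    profiles = {}
    for s in history:
        p = profiles.setdefault(s.user, Profile())
        p.hours.append(s.login_hour)
        p.ips[s.src_ip] += 1
        p.commands.update(s.commands)
        p.durations.append(s.duration_min)
    return profiles


def score_session(profile, s):
    """Return (score, reasons): one point per profile attribute the session violates."""
    reasons = []
    # Login time: more than two standard deviations (at least 1h) from past logins
    h_mean, h_sd = mean(profile.hours), max(pstdev(profile.hours), 1.0)
    if abs(s.login_hour - h_mean) > 2 * h_sd:
        reasons.append(f"unusual login hour {s.login_hour}")
    # Source IP never seen for this user
    if s.src_ip not in profile.ips:
        reasons.append(f"new source ip {s.src_ip}")
    # Session duration far longer than usual (at least 5 min of slack)
    d_mean, d_sd = mean(profile.durations), max(pstdev(profile.durations), 5.0)
    if s.duration_min > d_mean + 2 * d_sd:
        reasons.append(f"long session {s.duration_min}m")
    # Commands: more than a third of this session's commands never used by this user
    novel = [c for c in s.commands if c not in profile.commands]
    if s.commands and len(novel) / len(s.commands) > 1 / 3:
        reasons.append(f"novel commands {novel}")
    return len(reasons), reasons


def detect(profiles, sessions, threshold=2):
    """Flag sessions whose score reaches the threshold, or whose user has no profile."""
    alerts = []
    for s in sessions:
        p = profiles.get(s.user)
        if p is None:
            alerts.append((s, ["no profile for user"]))
            continue
        score, reasons = score_session(p, s)
        if score >= threshold:
            alerts.append((s, reasons))
    return alerts


# Constructed history: alice works daytime from one workstation, bob evenings from two
HISTORY = [
    Session("alice", 9, "10.0.0.5", 45, ("ls", "vim", "git", "make")),
    Session("alice", 10, "10.0.0.5", 60, ("ls", "git", "make", "pytest")),
    Session("alice", 8, "10.0.0.5", 30, ("vim", "git", "ls")),
    Session("alice", 11, "10.0.0.5", 50, ("make", "pytest", "git")),
    Session("bob", 19, "10.0.0.7", 20, ("top", "tail", "grep")),
    Session("bob", 21, "10.0.0.8", 25, ("grep", "tail", "ssh")),
    Session("bob", 20, "10.0.0.7", 15, ("top", "grep")),
]

# Constructed new sessions: one normal, one deviating on every profiled attribute
NEW_SESSIONS = [
    Session("alice", 10, "10.0.0.5", 40, ("git", "make", "ls")),
    Session("alice", 3, "192.0.2.44", 240, ("curl", "chmod", "crontab", "ls")),
]


def run_example():
    """Build profiles from HISTORY and score NEW_SESSIONS; returns the alerts."""
    profiles = build_profiles(HISTORY)
    return detect(profiles, NEW_SESSIONS)


if __name__ == "__main__":
    for session, reasons in run_example():
        print(f"ALERT {session.user}: {'; '.join(reasons)}")
```

Each attribute contributes one point, so a single new IP (a user on a laptop at home) does not raise an alert on its own, while the second session above trips all four rules. This per-attribute scoring is also where the scaling problem mentioned in the text shows up: with many users the profiles must be stored and updated incrementally, and the thresholds tuned per user rather than globally, or the false-positive rate becomes unworkable.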
There is a need for an intrusion detection system for masquerade attacks that is accurate and has a level of performance that is practical for large-scale multi-user systems.