PROFILING USERS FOR BEHAVIORAL INTRUSION DETECTION
Grant Pannell
Intrusion Detection Systems
• Attempt to detect unauthorized activity (CIA: Confidentiality, Integrity, Availability)
• Commonly network-based; is this becoming obsolete as network traffic is encrypted?
• Moving to host-based: honeypots (emulated services), an application's execution flow, the behavior of the user
Detection Methods
Misuse Detection
• Rule-based: the user states "I use Notepad, not WordPad"
• Low false positives, high detection rate
• Cannot predict or learn how a user behaves
Anomaly Detection
• Gather audit data (the user's actions) over time
• Analyze it with statistical methods
• Create a profile: the user uses Notepad, and the system learns this
• Higher false positives, lower detection rate
A combination of both is best.
Profiling a User
• Must determine "normal" behavior for anomaly detection: a user profile
• Characteristics:
• Applications running
• Number of windows, number of processes
• Performance of running applications (CPU usage)
• Keystrokes (delays, speed)
• Websites visited
Motivation
• Determine unauthorized use of a machine
• Adoption of network traffic encryption limits network-based detection
• Multiple characteristics: previous studies profile using only a single characteristic
• Microsoft Windows graphical user interface: previous studies focus on command usage
So, what is it exactly?
• A behavioral host-based intrusion detection system
• That profiles a user using multiple characteristics
• To detect unauthorized use of a machine
• That will run on Microsoft Windows, to take advantage of GUI characteristics
Research Questions
• Is it possible? Feasible? Real-world?
• Is it possible in a graphical user interface environment?
• Does a combination of characteristics improve performance?
• Does it tax system resources?
• What is the detection performance? Low false positives (authorized users wrongly disallowed), high detection rate (intruders disallowed)
• Can it detect in a practical amount of time?
Literature Review
• Not much research in the public domain
• Behavioural intrusion models date back to Anderson (1980): manually collected audit trails from machines, tracking file and resource access
• Furthered by Denning (1987) with a detailed model of Anderson's work
• Tan (1995), Gunetti et al. (1999), Balajinath et al. (2001), Pillai (2004): all based on UNIX; characterize users by command usage or performance (CPU, memory, I/O, etc.); differ in the learning algorithm used
Methodology
• Developed the system in Microsoft .NET C#
• Allows each characteristic to be "snapped in"
• Extensive logging output for analysis and testing
• Tested on 7 systems:
• 2 "power users" (Win7 x64, XP x64)
• 2 office-based (2× XP x86)
• 1 gaming (Vista x64)
• 2 web browsing (Vista x86, XP x86)
Methodology
• Learning mode for ~10 days: the system ran for 28,800 collections, then disabled itself
• "Perfect" learning: every anomaly counts as a false positive, and false positives decrease over time as the system learns
• Detection mode after 10 days: used only to try to break the profile, and to determine how long breaking it takes; stress-tests each characteristic
Prototype Architecture
Algorithms
CPU & Memory Usage: 3 techniques
• Standard deviation (0.5 pts) over the last 120 values
• Rolling average (1 pt) over all values
• Sliding limit (2 pts) over all values
Websites Viewed
• Can only check whether the user visits new sites, not whether they revisit known ones
• Rolling average of new sites per hour, checked every 30 seconds
• Handles learning for two cases: many new sites per hour, and no new sites per hour
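The slides name three scoring techniques for the CPU and memory characteristics but not their implementation (the prototype was written in C#). A minimal Python sketch, assuming a 2× tolerance factor that the slides do not specify; the window size (120) and point values (0.5/1/2) come from the slides:

```python
from collections import deque

class CpuMemoryCharacteristic:
    """Illustrative reconstruction of the three techniques; not the thesis's C# code."""

    def __init__(self, history=120, tolerance=2.0):
        self.recent = deque(maxlen=history)  # last 120 samples (stddev window)
        self.count = 0                       # samples seen overall
        self.mean = 0.0                      # rolling average over all samples
        self.low = float("inf")              # sliding limits over all samples
        self.high = float("-inf")
        self.tolerance = tolerance           # assumed cut-off factor

    def score(self, value):
        """Return anomaly points (0.5 + 1 + 2 possible) for one CPU/memory sample."""
        points = 0.0
        # Standard deviation over the last `history` values: 0.5 pts
        if len(self.recent) == self.recent.maxlen:
            mu = sum(self.recent) / len(self.recent)
            sd = (sum((x - mu) ** 2 for x in self.recent) / len(self.recent)) ** 0.5
            if abs(value - mu) > self.tolerance * sd:
                points += 0.5
        # Rolling average over all values: 1 pt
        if self.count and abs(value - self.mean) > self.tolerance * max(abs(self.mean), 1e-9):
            points += 1.0
        # Sliding limits (learned min/max range) over all values: 2 pts
        if self.count and not (self.low <= value <= self.high):
            points += 2.0
        # Learn from this sample
        self.recent.append(value)
        self.count += 1
        self.mean += (value - self.mean) / self.count
        self.low = min(self.low, value)
        self.high = max(self.high, value)
        return points
```

During learning, every nonzero score is a false positive; as the limits widen and the averages settle, typical samples stop scoring, which matches the decreasing false-positive curves in the results.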
Algorithms
Number of Windows
• Wanted to check window titles and positions
• Titles are never static (e.g. "<doc name> - MS Word"); positions seem random for most windows
• Rolling average, like Websites Viewed; not always accurate
Number of Processes
• Sliding limits
• A fully learned profile should include all of the user's processes; therefore deny all new ones?
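The "deny all new?" idea for the process characteristic can be sketched as a learned whitelist: after learning, the profile holds every process name the user has been seen running, and anything outside that set is anomalous. The class and names below are illustrative, not the thesis's C# implementation:

```python
class ProcessCharacteristic:
    """Hypothetical sketch: flag processes never seen during learning."""

    def __init__(self):
        self.known = set()
        self.learning = True

    def observe(self, running):
        """Given the set of running process names, return the never-before-seen ones."""
        new = set(running) - self.known
        if self.learning:
            self.known |= new  # learning mode: absorb every process into the profile
            return set()
        return new             # detection mode: anything new is an anomaly
```

The open question on the slide is whether this is too strict: a legitimate user installing new software would trigger it immediately.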
Algorithms
Keystroke Usage
• Use digraphs: "Digraphs" → D→i, i→g, g→r, r→a, a→p, p→h, h→s
• Measure the delay between digraphs
• Standard deviations over the last 100 values collected
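The digraph approach keeps per-key-pair timing history. A Python sketch, assuming a 2-sigma cut-off and a minimum of 10 observations before judging (neither threshold is given on the slides); the 100-value history is from the slides:

```python
from collections import defaultdict, deque

class KeystrokeCharacteristic:
    """Hypothetical digraph-timing sketch; the thesis's exact thresholds are not shown."""

    def __init__(self, history=100, sigmas=2.0):
        # One bounded delay history per digraph, e.g. ('D', 'i') from typing "Digraphs"
        self.delays = defaultdict(lambda: deque(maxlen=history))
        self.sigmas = sigmas

    def observe(self, prev_key, key, delay_ms):
        """Return True if this digraph delay looks anomalous, then learn it."""
        seen = self.delays[(prev_key, key)]
        anomalous = False
        if len(seen) >= 10:  # assumed warm-up before judging
            mu = sum(seen) / len(seen)
            sd = (sum((d - mu) ** 2 for d in seen) / len(seen)) ** 0.5
            # max(sd, 1.0) avoids a zero threshold when the user is perfectly regular
            anomalous = abs(delay_ms - mu) > self.sigmas * max(sd, 1.0)
        seen.append(delay_ms)
        return anomalous
```

An intruder typing the same text still produces different inter-key delays, which is why this characteristic is scored as directly related to user activity.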
Overall Scoring System
• Directly related to user activity (2 pts): keystrokes, number of windows, websites viewed
• Indirectly related (application profiling) (1 pt): CPU usage, memory usage, number of processes
False-Positives vs. Number of Collections (Time) (CPU Usage)
[Chart: false positives per machine (Gaming, Web Browsing 1-2, Power User 1-2, Office 1-2), binned over collections 1-28,800 in five blocks of 5,760; y-axis 0-500.]
False-Positives per Machine (Memory Usage)
[Chart: per machine (Gaming, Web Browsing 1-2, Power User 1-2, Office 1-2): total false positives after the scoring system triggered, total stdev triggers, total sliding-limit triggers, and total triggers; y-axis 0-16,000.]
False-Positives per Machine (Number of Windows)
[Chart: per machine (Gaming, Web Browsing 1 (Firefox), Web Browsing 2 (IE), Power User 1-2, Office 1-2); y-axis 0-12 false positives.]
False-Positives vs. Number of Collections (Time) (Websites Viewed)
[Chart: false positives per machine (Gaming, Web Browsing 1-2, Power User 1-2, Office 1-2), binned over collections 1-28,800 in five blocks of 5,760; y-axis 0-14.]
False-Positives vs. Number of Collections (Time) (Keystroke Usage)
[Chart: false positives per machine (Gaming, Web Browsing 1-2, Power User 1-2, Office 1-2), binned over collections 1-28,800 in five blocks of 5,760; y-axis 0-400.]
False-Positives vs. Number of Collections (Time) (Overall Scoring)
[Chart: false positives per machine (Gaming, Web Browsing 1-2, Power User 1-2, Office 1-2), binned over collections 1-28,800 in five blocks of 5,760; y-axis 0-160.]
False Positive Rate per Characteristic
[Chart: false positive rate (%) for Memory Usage, CPU Usage, Keystroke Usage, Websites Viewed, Number of Windows, Number of Processes, and Overall Scoring (Data Mining Engine); y-axis 0-4.5%.]
Results - Intrusions
• Test intrusions in detection mode, trying to trigger each characteristic:
• Keystrokes: another user's typing patterns
• Mouse only: open many new processes and windows
• Use the running processes, attempting abnormal behavior
• A completely new user on the same profile
• Scoring system: 5-point maximum; 2 points for directly related characteristics, 1 point for indirectly related; minimum 3 accumulations (3 × 30 s) to trigger
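The trigger rule above can be sketched as follows. This is one plausible reading of "minimum 3 accumulations to trigger" (three consecutive 30-second collections reaching the 5-point threshold); the thesis's exact C# logic is not shown, and the characteristic names are shorthand:

```python
# Point values from the slides: direct characteristics score 2, indirect score 1.
DIRECT = {"keystrokes", "windows", "websites"}
INDIRECT = {"cpu", "memory", "processes"}

def collection_score(anomalous):
    """Points for one 30-second collection, given the set of anomalous characteristics."""
    return sum(2 if c in DIRECT else 1 for c in anomalous if c in DIRECT | INDIRECT)

def is_intrusion(collections, threshold=5, min_accumulations=3):
    """Flag an intrusion when `min_accumulations` consecutive collections
    each reach the 5-point threshold (assumed interpretation)."""
    streak = 0
    for anomalous in collections:
        streak = streak + 1 if collection_score(anomalous) >= threshold else 0
        if streak >= min_accumulations:
            return True
    return False
```

Requiring three consecutive high-scoring collections is what keeps a single noisy sample (one characteristic misfiring once) from locking out a legitimate user, at the cost of a minimum 90-second detection delay.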
Average Time to Detect Intrusions per Intrusion Test
[Chart: average detection time in seconds for the Keystroke Usage, Number of Processes, CPU Usage, Memory Usage, Number of Windows, Sites Viewed, and New User tests; y-axis 0-180 s.]
Further Research
• Time-block testing
• Categorization
• Mouse clicks
• More complex learning algorithms
• An intruder with physical access to the machine
• System performance
Conclusion
• Is it possible? Feasible? Real-world? Performs better on directly related characteristics
• Possible in a graphical user interface environment? GUI objects turned out to be less useful than first proposed
• Does a combination of characteristics improve performance? The scoring system lowers false positives
• Does it tax system resources? The large history and real-time typing analysis could be handled better
• Detection performance? The highest false-positive rate was 4.5%, and that was with a malfunctioning characteristic
• Detect in a practical amount of time? 90-180 second detection times
Questions?