A Host-Based Abnormal Behavior Model For Detecting Masquerader

With the rapid growth of economic and continuous innovation of computing technology, enterprise informatization has significantly developed. It brings to the organizations and enterprises greatly convenience in management. At the same time, it also brought new challenges to the information security field. Threats of insider attack come from the organization are increasing year by year, causing great losses every day.Masquerade attack refers to the staffs use other’s identity or privileges to steal information through disguising as other legal user. As one kind of inside attack methods, it is hard to against. As an effective detect method, existing identity authentication method have some shortages. Traditional static identity authentication technology can not ensure the legal identity of the current user in real time. Some existing continuous authentication methods have the shortcomings like long validation time, validation scenarios fixed, which make it difficult to satisfy the real-time request and accuracy at the same time. Therefore, research on masquerade attack detection technology is of great significance.Based on the behavior biometric, we have carried on the related implementation and research on real-time detecting technology of host-based masquerade attack. The detail works are as follows:(1) Based on the investigation of existing methods,combined with the analysis of data fusion based identity authentication method and model fusion based identity authentication method, we proposed continuous identification method based on intervention scene.(2) With the idea of randomly injecting intervention events, we design and implement the cursor hidden scene and the mouse fixed scene used for authentication. With the experimental data set, we respectively got3.9%of the FAR,2.56%of the FRR and4%of the FAR,2.86%of the FRR. The experimental results show that our proposed method not only achieves proper accuracy compared with existing algorithms, but also greatly shortens the time of detection. It improves the real-time performance of authentication.(3) Design and implement the prototype system which supports multiple scenarios masquerader detection experiment. The system supports the deployment of different authentication scenarios, data collection and result analysis.