Presentation is loading. Please wait.

Presentation is loading. Please wait.

User Profiling for Intrusion Detection in Windows NT Tom Goldring R23.

Published byMarian Allison Modified over 8 years ago

Similar presentations

Presentation on theme: "User Profiling for Intrusion Detection in Windows NT Tom Goldring R23."— Presentation transcript:

1

2 User Profiling for Intrusion Detection in Windows NT Tom Goldring R23

3 What are we doing? Observe normal behavior of computer users Build models from training data Score new sessions against these models.

4 Why do it? User is authenticated by behavior, therefore very hard to spoof Detect malicious insider

5 Comparison with Program Profiling We believe User Profiling is a harder problem –People do not come with “specs” –So user behavior is much less predictable –In fact, a certain level of anomalous activity is to be expected and must be taken into account –In a point and click environment, some users look very much alike.

6 Which data source? Command line activity –can pretty well guess what user is doing –but: misses windows, scripts –on many systems, it’s an endangered species if not already extinct System calls –very fine granularity –But: (machine behavior) / (human behavior) very high –Next to impossible to guess what the user is doing Process table –best of both worlds, plus tree structure –But: we still need to filter out machine behavior and reduce the data so that we can reconstruct what the user did

7 The good news Adding window titles to the process informatiion gives superior data –now very easy to filter out system noise by matching process id’s with that of active window –solves the “explorer” problem –anyone can read the data and tell what the user is doing –a wealth of new information, e.g. subject lines of emails, names of web pages, files and directories

8 But … Our data now consists of successive window titles with process information in between So we have a mixture of two different types of data, making feature selection somewhat less obvious. Ideally, feature values should –be different for different users, but –be similar for different sessions belonging to the same user.

9

10

11

12

13 Some Candidate Features time between windows time between new windows # windows open at once (sampled at some time interval) # windows open at once, weighted by time open # words in window title (# WA words in window title) / (#words in window title)

14

15

16

17 Modeling and Scoring Using a feature set we like, convert each session into a feature stream We now have a standard classification problem, e.g. we might use –naïve Bayes For a feature matrix, some candidates are –random forests –support vector machines

18 What’s next Build in specific methods for major application programs Monitor keystrokes and mouse movements Characterize insider misuse.

Download ppt "User Profiling for Intrusion Detection in Windows NT Tom Goldring R23."

Similar presentations

Recommender Systems & Collaborative Filtering

Recommender Systems & Collaborative Filtering
Florida International University COP 4770 Introduction of Weka.

Florida International University COP 4770 Introduction of Weka.
Temporal Query Log Profiling to Improve Web Search Ranking Alexander Kotov (UIUC) Pranam Kolari, Yi Chang (Yahoo!) Lei Duan (Microsoft)

Temporal Query Log Profiling to Improve Web Search Ranking Alexander Kotov (UIUC) Pranam Kolari, Yi Chang (Yahoo!) Lei Duan (Microsoft)
Authenticating Users by Profiling Behavior Tom Goldring Defensive Computing Research Office National Security Agency.

Authenticating Users by Profiling Behavior Tom Goldring Defensive Computing Research Office National Security Agency.
Coding and Debugging. Requirements and Specification Recall the four steps of problem solving: Orient, Plan, Execute, Test Before you start the implementation.

Coding and Debugging. Requirements and Specification Recall the four steps of problem solving: Orient, Plan, Execute, Test Before you start the implementation.
COMP423 Intelligent Agents. Recommender systems Two approaches – Collaborative Filtering Based on feedback from other users who have rated a similar set.

COMP423 Intelligent Agents. Recommender systems Two approaches – Collaborative Filtering Based on feedback from other users who have rated a similar set.
Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.

Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.
Research Experiment Design Sprint: Keystroke Biometric Intrusion Detection Ned Bakelman Advisor: Dr. Charles Tappert.

Research Experiment Design Sprint: Keystroke Biometric Intrusion Detection Ned Bakelman Advisor: Dr. Charles Tappert.
Assuming normally distributed data! Naïve Bayes Classifier.

Assuming normally distributed data! Naïve Bayes Classifier.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Common Factor Analysis “World View” of PC vs. CF Choosing between PC and CF PAF -- most common kind of CF Communality & Communality Estimation Common Factor.

Common Factor Analysis “World View” of PC vs. CF Choosing between PC and CF PAF -- most common kind of CF Communality & Communality Estimation Common Factor.
Keystroke Biometric Studies Keystroke Biometric Identification and Authentication on Long-Text Input Book chapter in Behavioral Biometrics for Human Identification.

Keystroke Biometric Studies Keystroke Biometric Identification and Authentication on Long-Text Input Book chapter in Behavioral Biometrics for Human Identification.
Sequence comparisons June 23, 2009 Learning objectives-Understand the concept of sliding window programs. Understand difference between identity, similarity.

Sequence comparisons June 23, 2009 Learning objectives-Understand the concept of sliding window programs. Understand difference between identity, similarity.
MACHINE LEARNING 6. Multivariate Methods 1. Based on E Alpaydın 2004 Introduction to Machine Learning © The MIT Press (V1.1) 2 Motivating Example  Loan.

MACHINE LEARNING 6. Multivariate Methods 1. Based on E Alpaydın 2004 Introduction to Machine Learning © The MIT Press (V1.1) 2 Motivating Example  Loan.
Information Filtering LBSC 796/INFM 718R Douglas W. Oard Session 10, November 12, 2007.

Information Filtering LBSC 796/INFM 718R Douglas W. Oard Session 10, November 12, 2007.
Finding Advertising Keywords on Web Pages Scott Wen-tau YihJoshua Goodman Microsoft Research Vitor R. Carvalho Carnegie Mellon University.

Finding Advertising Keywords on Web Pages Scott Wen-tau YihJoshua Goodman Microsoft Research Vitor R. Carvalho Carnegie Mellon University.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.

WAC/ISSCI Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.
Trojan Horse Implementation and Prevention By Pallavi Dharmadhikari Sirisha Bollineni VijayaLakshmi Jothiram Vasanthi Madala.

Trojan Horse Implementation and Prevention By Pallavi Dharmadhikari Sirisha Bollineni VijayaLakshmi Jothiram Vasanthi Madala.
Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

Similar presentations

Ads by Google