User Profiling for Intrusion Detection in Windows NT Tom Goldring R23.

What are we doing?
– Observe the normal behavior of computer users
– Build models from training data
– Score new sessions against these models

Why do it?
– The user is authenticated by behavior, which is very hard to spoof
– Detect the malicious insider

Comparison with Program Profiling
– We believe user profiling is a harder problem
  – People do not come with "specs"
  – So user behavior is much less predictable
  – In fact, a certain level of anomalous activity is to be expected and must be taken into account
  – In a point-and-click environment, some users look very much alike

Which data source?
– Command line activity
  – can pretty well guess what the user is doing
  – but: misses windows and scripts
  – on many systems it is an endangered species, if not already extinct
– System calls
  – very fine granularity
  – but: the ratio (machine behavior) / (human behavior) is very high
  – next to impossible to guess what the user is doing
– Process table
  – best of both worlds, plus tree structure
  – but: we still need to filter out machine behavior and reduce the data so that we can reconstruct what the user did

The good news
– Adding window titles to the process information gives superior data
  – now very easy to filter out system noise by matching process ids with that of the active window
  – solves the "explorer" problem
  – anyone can read the data and tell what the user is doing
  – a wealth of new information, e.g. e-mail subject lines, names of web pages, files and directories

But …
– Our data now consists of successive window titles with process information in between
– So we have a mixture of two different types of data, making feature selection somewhat less obvious
– Ideally, feature values should
  – be different for different users, but
  – be similar for different sessions belonging to the same user

Some Candidate Features
– time between windows
– time between new windows
– # windows open at once (sampled at some time interval)
– # windows open at once, weighted by time open
– # words in window title
– (# WA words in window title) / (# words in window title)
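The two preceding slides describe a pipeline in words: drop process records that do not belong to the active window, then turn the surviving window-title stream into per-session feature values. The following is an added example of that pipeline, written for this page and not Goldring's code. The event record layout, the sample session, the sampling interval and the exact definitions of the features (mean time between windows, mean time between new windows, words per title, windows open at sampled instants, count of user-owned processes) are assumptions made for illustration; the "weighted by time open" and "WA words" features from the slide are not implemented.

```python
"""Filter a window/process event stream to user activity and compute session features.

Added example for the slides above; it is not Goldring's code. The event
record layout, the sample session and the exact feature definitions are
assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from statistics import mean


@dataclass
class Event:
    t: float         # seconds since the session started
    kind: str        # "window": title became active, "close": window closed, "process": process created
    pid: int         # pid owning the window, or pid of the new process
    title: str = ""  # window title (empty for "process" events)


def filter_to_user_activity(events):
    """Drop process records whose pid is not that of the currently active window.

    This is the slide's "match process ids with that of the active window" rule:
    processes created under the foreground window are the user's doing; the
    rest is treated as system noise.
    """
    active_pid = None
    kept = []
    for ev in events:
        if ev.kind == "window":
            active_pid = ev.pid
            kept.append(ev)
        elif ev.kind == "process":
            if ev.pid == active_pid:
                kept.append(ev)
        else:                        # "close" events carry no system noise
            kept.append(ev)
    return kept


def _mean(values):
    return mean(values) if values else 0.0


def session_features(events, sample_interval=20.0):
    """Compute a subset of the candidate features for one (already filtered) session."""
    windows = [e for e in events if e.kind == "window"]
    times = [w.t for w in windows]
    gaps = [b - a for a, b in zip(times, times[1:])]           # time between windows

    seen, new_times = set(), []
    for w in windows:                                           # first activation of each title
        if w.title not in seen:
            seen.add(w.title)
            new_times.append(w.t)
    new_gaps = [b - a for a, b in zip(new_times, new_times[1:])]  # time between new windows

    title_words = [len(re.findall(r"\w+", w.title)) for w in windows]  # words per title

    # windows open at once, sampled every `sample_interval` seconds
    open_titles, counts, idx = set(), [], 0
    last_t = events[-1].t if events else 0.0
    t = 0.0
    while t <= last_t:
        while idx < len(events) and events[idx].t <= t:
            ev = events[idx]
            if ev.kind == "window":
                open_titles.add(ev.title)
            elif ev.kind == "close":
                open_titles.discard(ev.title)
            idx += 1
        counts.append(len(open_titles))
        t += sample_interval

    return {
        "mean_gap_between_windows": _mean(gaps),
        "mean_gap_between_new_windows": _mean(new_gaps),
        "mean_words_per_title": _mean(title_words),
        "mean_windows_open": _mean(counts),
        "distinct_windows": len(seen),
        "user_processes": sum(1 for e in events if e.kind == "process"),
    }


# Constructed sample session (not real monitor output).
SAMPLE_SESSION = [
    Event(0.0, "window", 100, "Inbox - Outlook"),
    Event(0.5, "process", 900),                                  # background service: dropped
    Event(2.0, "process", 100),                                  # spawned under the active window: kept
    Event(10.0, "window", 200, "Document1 - Microsoft Word"),
    Event(25.0, "window", 100, "Inbox - Outlook"),
    Event(27.0, "process", 300),                                 # not the active pid: dropped
    Event(40.0, "window", 300, "Home Page - Internet Explorer"),
    Event(42.0, "close", 200, "Document1 - Microsoft Word"),
]

if __name__ == "__main__":
    for name, value in session_features(filter_to_user_activity(SAMPLE_SESSION)).items():
        print(f"{name:32s} {value}")
```

On the constructed session the filter keeps six of the eight records (the two process creations that do not belong to the foreground window are dropped), and the remaining window titles yield a small numeric vector that can be compared across sessions of the same user. Whether a feature such as words-per-title actually separates users is exactly the question the next slide's classifiers have to answer.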

Modeling and Scoring
– Using a feature set we like, convert each session into a feature stream
– We now have a standard classification problem, e.g. we might use
  – naïve Bayes
– For a feature matrix, some candidates are
  – random forests
  – support vector machines
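The slide names naïve Bayes as one option for scoring sessions. The following is an added example of that option, written for this page and not Goldring's code: it fits one Gaussian per user per feature, scores a new session's feature vector under every user's model, and then applies the two uses the deck describes, classification ("which user does this look like?") and authentication ("does this session support the claimed identity?"). The three features, the normal-distribution assumption per feature, the constructed training sessions, the uniform prior and the acceptance margin are all assumptions made for illustration.

```python
"""Gaussian naive Bayes over per-session feature vectors: train per user, score new sessions.

Added example for the slides above; it is not Goldring's code. The three
features, the Gaussian assumption per feature, the training sessions and the
acceptance margin are assumptions made for illustration.
"""
import math
from statistics import mean, pvariance


def fit_gaussian_nb(sessions_by_user, min_var=1e-3):
    """sessions_by_user: {user: [[f1, f2, ...], ...]} -> {user: [(mean, var), ...]}.

    One Gaussian per user per feature; `min_var` keeps a constant feature from
    producing a zero variance (and an infinite likelihood).
    """
    model = {}
    for user, rows in sessions_by_user.items():
        columns = list(zip(*rows))
        model[user] = [(mean(col), max(pvariance(col), min_var)) for col in columns]
    return model


def _log_gauss(x, mu, var):
    return -0.5 * (math.log(2 * math.pi * var) + (x - mu) ** 2 / var)


def score_session(model, features):
    """Log-likelihood of one session's feature vector under each user's model (uniform prior)."""
    return {
        user: sum(_log_gauss(x, mu, var) for x, (mu, var) in zip(features, params))
        for user, params in model.items()
    }


def classify(model, features):
    """Intrusion-detection view: which known user does this session look like?"""
    scores = score_session(model, features)
    return max(scores, key=scores.get)


def verify_claimed_user(model, claimed, features, margin=5.0):
    """Authentication view: accept the session only if the claimed user's
    log-likelihood beats every other user's by at least `margin` nats
    (the margin is an assumed threshold, to be tuned on held-out sessions)."""
    scores = score_session(model, features)
    others = [s for u, s in scores.items() if u != claimed]
    if not others:
        raise ValueError("need at least two users to compare against")
    return scores[claimed] - max(others) >= margin


# Constructed training data: per session, [mean seconds between windows,
# mean words per window title, mean windows open at once].
TRAINING_SESSIONS = {
    "alice": [[12.0, 2.5, 2.0], [14.0, 2.8, 2.2], [13.0, 2.6, 1.8], [11.0, 2.9, 2.0]],
    "bob":   [[40.0, 5.0, 4.0], [45.0, 4.5, 4.4], [38.0, 5.2, 3.6], [42.0, 4.8, 4.0]],
}

if __name__ == "__main__":
    model = fit_gaussian_nb(TRAINING_SESSIONS)
    for session in ([13.5, 2.7, 2.1], [41.0, 4.9, 3.9]):
        print(session, "->", classify(model, session),
              "| accepted as alice:", verify_claimed_user(model, "alice", session))
```

The authentication check is deliberately stricter than plain classification: a session is not accepted just because the claimed user is the most likely of the known users, it has to be more likely by a margin. That margin is the practical knob behind the earlier slide's remark that some anomalous activity is expected from everyone; set it too low and every odd session triggers an alert, too high and a masquerader whose habits roughly resemble the victim's passes. On the constructed data the two test sessions are far apart, so both views agree; real sessions of point-and-click users will overlap far more.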

What’s next
– Build in specific methods for major application programs
– Monitor keystrokes and mouse movements
– Characterize insider misuse