![Security:
User behavior profiling
In this, the characteristics of information accessed by a particular user is studied. These
characteristics may include when, how and how much. The user’s activity
Introduction Intrusion detection systems (IDS) are special security mechanisms to protect
computer systems from stream of harmful activities. Since the amount of attacks against
computer systems increases regularly, it is very important for the system to be able to detect
novel attacks as accurately as previously known attacks. For this reason, there have been
developed numerous techniques to discover that a system has an intruder inside. Though, a lot of
existing systems have many problems, and the perfect system or method is far from being
invented yet. Basically, IDS are categorized into misuse or signature based detection and
anomaly detection (AD) [6]. The misuse detection method can recognize only known attacks
based on the available signature of the particular attack type. It usually performs its job quite
accurately with no false alarms to be raised. However, this method is not effective for detecting
previously unknown intrusions, whose signatures have not provided. Conversely, an anomaly
based method is able to detect entirely new intrusions, since it does not scan for particular
patterns, but is based on the normal activities of the system and looks for any variations from
them. 1.1 Anomaly Intrusion Detection (AID) AD technique overcomes the constraint of misuse
detection, since it does not take attack behaviors as its framework. Yet, it concentrates on normal
system behaviors which reside in a profile and then looks for variations between current
activities and the statistical model of previous behaviors [6]. Therefore, current system activities,
which are different from the profile (i.e. irregular) can be classified as potential intrusions. Same,
AD is not able to distinguish whether irregular activities are intrusions or just unusual but legal
ones, and so non-intrusion can be labeled as intrusion. Consequently, it generates a large amount
of false alarms. Also it is powerless to identify and classify the specific type of detected
intrusions, and there are a few different types of such systems depending on the kind of
intrusions they look for [6]. However, the main drawback of AD is a possibility for an intrusive
behavior to be a part of the normal behaviors if the attack occurs while creating a normal
behavior profile. That can happen if a profile is created under the assumption that no intrusions
have been detected in an experiential system during the training period. Because of this,
nowadays the main goal of AD is increasing the number of detected attacks and at the same time
reducing the amount of false alarms. To meet the goal, it is essential to choose a proper set of
features in order to build a user’s behavior profile [4, 5]. 1.2 Users’ Activities Profiling in UNIX
Profiling is a technique of grouping individuals into categories based on certain features.
Profiling computer users is widely utilized in the realm of computer security and particularly in
AID. For an accurate detection of anomalies in user behavior the normal behavior profile must
be formed to satisfy to system characteristics. A user’s behavior profile in UNIX can be build
upon different parameters, which can be acquired from the logfile. To profile users, characteristic
sequences of actions (UNIX commands) generated by users are studied [10]. It has been
demonstrated [11] that the login host, the login time, the UNIX command set, and the command](https://image.slidesharecdn.com/securityraw-200311150207/85/Security-raw-1-320.jpg)
Security raw
- 1. Security: User behavior profiling In this, the characteristics of information accessed by a particular user is studied. These characteristics may include when, how and how much. The user’s activity Introduction Intrusion detection systems (IDS) are special security mechanisms to protect computer systems from stream of harmful activities. Since the amount of attacks against computer systems increases regularly, it is very important for the system to be able to detect novel attacks as accurately as previously known attacks. For this reason, there have been developed numerous techniques to discover that a system has an intruder inside. Though, a lot of existing systems have many problems, and the perfect system or method is far from being invented yet. Basically, IDS are categorized into misuse or signature based detection and anomaly detection (AD) [6]. The misuse detection method can recognize only known attacks based on the available signature of the particular attack type. It usually performs its job quite accurately with no false alarms to be raised. However, this method is not effective for detecting previously unknown intrusions, whose signatures have not provided. Conversely, an anomaly based method is able to detect entirely new intrusions, since it does not scan for particular patterns, but is based on the normal activities of the system and looks for any variations from them. 1.1 Anomaly Intrusion Detection (AID) AD technique overcomes the constraint of misuse detection, since it does not take attack behaviors as its framework. Yet, it concentrates on normal system behaviors which reside in a profile and then looks for variations between current activities and the statistical model of previous behaviors [6]. Therefore, current system activities, which are different from the profile (i.e. irregular) can be classified as potential intrusions. Same, AD is not able to distinguish whether irregular activities are intrusions or just unusual but legal ones, and so non-intrusion can be labeled as intrusion. Consequently, it generates a large amount of false alarms. Also it is powerless to identify and classify the specific type of detected intrusions, and there are a few different types of such systems depending on the kind of intrusions they look for [6]. However, the main drawback of AD is a possibility for an intrusive behavior to be a part of the normal behaviors if the attack occurs while creating a normal behavior profile. That can happen if a profile is created under the assumption that no intrusions have been detected in an experiential system during the training period. Because of this, nowadays the main goal of AD is increasing the number of detected attacks and at the same time reducing the amount of false alarms. To meet the goal, it is essential to choose a proper set of features in order to build a user’s behavior profile [4, 5]. 1.2 Users’ Activities Profiling in UNIX Profiling is a technique of grouping individuals into categories based on certain features. Profiling computer users is widely utilized in the realm of computer security and particularly in AID. For an accurate detection of anomalies in user behavior the normal behavior profile must be formed to satisfy to system characteristics. A user’s behavior profile in UNIX can be build upon different parameters, which can be acquired from the logfile. To profile users, characteristic sequences of actions (UNIX commands) generated by users are studied [10]. It has been demonstrated [11] that the login host, the login time, the UNIX command set, and the command
- 2. execution time can be used to profile a user with a high degree of accuracy. As well, different system parameters such as memory usage, page fault usage, buffer overflow, etc can be considered in user’s activities profiling.