Masquerade Detection Using Enriched Command Lines

A masquerade attack, in which one user impersonates another, is among the most serious forms of computer abuse, largely because such attacks are often mounted by insiders, and can be very difficult to detect. Automatic discovery of masqueraders is sometimes undertaken by detecting significant departures from normal user behavior, as represented by user profiles based on users’ command histories. A series of experiments performed by Schonlau et al. [12] achieved moderate success in masquerade detection based on a data set comprised of truncated command lines, i.e., single commands, stripped of any accompanying flags, arguments or elements of shell grammar such as pipes or semi-colons. Using the same data, Maxion and Townsend [8] improved on the Schonlau et al. results by 56%, raising the detection rate from 39.4% to 61.5% at false-alarm rates near 1%. The present paper extends this work by testing the hypothesis that a limitation of these approaches is the use of truncated command-line data, as opposed to command lines enriched with flags, shell grammar, arguments and information about aliases. Enriched command lines were found to facilitate correct detection at the 82% level, far exceeding previous results, with a corresponding 30% reduction in the overall cost of errors, and only a small increase in false alarms. Descriptions of pathological cases illustrate strengths and limitations of both the data and the detection algorithm.