Methods, systems, and media for masquerade attack detection by monitoring computer user behavior

US 8,769,684 B2
Filed: 12/01/2009
Issued: 07/01/2014
Est. Priority Date: 12/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method for detecting masquerade attacks, the method comprising:

monitoring, by a hardware processor, a first plurality of user actions in a computing environment;

monitoring files in the computing environment that contain decoy information;

generating a user intent model for a category that includes at least one of the first plurality of user actions;

monitoring a second plurality of user actions;

comparing the second plurality of user actions with the generated user intent model by determining whether at least one of the second plurality of user activities deviates from the generated user intern model;

determining whether the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model;

identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and

generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the flies in the computing environment that contain the decoy information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.

172 Citations

36 Claims

1. A method for detecting masquerade attacks, the method comprising:
- monitoring, by a hardware processor, a first plurality of user actions in a computing environment;
  
  monitoring files in the computing environment that contain decoy information;
  
  generating a user intent model for a category that includes at least one of the first plurality of user actions;
  
  monitoring a second plurality of user actions;
  
  comparing the second plurality of user actions with the generated user intent model by determining whether at least one of the second plurality of user activities deviates from the generated user intern model;
  
  determining whether the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model;
  
  identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and
  
  generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the flies in the computing environment that contain the decoy information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising assigning, a category type to each of a plurality of user commands, applications, registry-based activities, and dynamic link library (DLL) activities in the computing environment.
  - 3. The method of claim 2, further comprising generating a taxonomy of categories based on the category type.
  - 4. The method of claim 3, further comprising:
    - selecting one or more categories from the taxonomy;
      
      extracting a plurality of features for each category; and
      
      generating the user intent model by using the first plurality of user actions with respect to the extracted features.
  - 5. The method of claim 3, wherein the categories in the taxonomy are generated based on the computing environment.
  - 6. The method of claim 1, further comprising calculating a Hellinger distance between a first frequency table that models the first plurality of user actions and a second frequency table that models the second plurality of user actions.
  - 7. The method of claim 6, further comprising identifying that the second plurality of user actions is the masquerade attack in response to the calculated Hellinger distance being greater than a predefined threshold value.
  - 8. The method of claim 6, further comprising:
    - calculating a second Hellinger distance between the second frequency table that models the second plurality of user actions and a third frequency table that models a third plurality of user actions;
      
      comparing the second Hellinger distance with the Hellinger distance to determine whether the third plurality of user actions is the masquerade attack.
  - 9. The method of claim 1, further comprising calculating support vector machines to identify that the second plurality of user actions is the masquerade attack.
  - 10. The method of claim 1, further comprising associating the user intent model with at least one of a particular user, the operating environment, a network, and a user type.
  - 11. The method of claim 1, wherein the decoy information includes a beacon that is configured to operate in connection with a monitoring application, and wherein the monitoring application monitors the computing environment for a signal from the beacon.
  - 12. The method of claim 1, wherein the decoy information includes a beacon, further comprising using a sensor that monitors the beacon in the decoy information to determine whether the decoy information has been accessed.

13. A system for detecting masquerade attacks, the system comprising:
- a hardware processor that;
  
  monitors a first plurality of user actions in a computing environment;
  
  monitors files in the computing environment that contain decoy information;
  
  generates a user intent model for a category that includes at least one of the first plurality of user actions;
  
  monitors a second plurality of user actions;
  
  compares the second plurality of user actions with the generated user intent model, by determining whether at least one of the second plurality of user activities deviates from the generated user intent model;
  
  determines whether the second plurality of user actions includes accessing the files in the continuing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model;
  
  identifies whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and
  
  generates an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the processor is further configured to assign a category type to each of a plurality of user commands, applications, registry-based activities, and dynamic link library (DLL) activities in the computing environment.
  - 15. The system of claim 14, wherein the processor is further configured to generate a taxonomy of categories based on the category type.
  - 16. The system of claim 15, wherein the processor is further configured to:
    - select one or more categories from the taxonomy;
      
      extract a plurality of features for each category; and
      
      generate the user intent model by using the first plurality of user actions with respect to the extracted features.
  - 17. The system of claim 15, wherein the categories in the taxonomy are generated based on the computing environment.
  - 18. The system of claim 13, wherein the processor is further configured to calculate a Hellinger distance between a first frequency table that models the first plurality of user actions and a second frequency table that models the second plurality of user actions.
  - 19. The system of claim 18, wherein the processor is further configured to identify that the second plurality of user actions is the masquerade attack in response to the calculated Hellinger distance being greater than a predefined threshold value.
  - 20. The system of claim 18, wherein the processor is further configured to:
    - calculate a second Hellinger distance between the second frequency table that models the second plurality of user actions and a third frequency table that models a third plurality of user actions;
      
      compare the second Hellinger distance with the Hellinger distance to determine whether the third plurality of user actions is the masquerade attack.
  - 21. The system of claim 13, wherein the processor is further configured to calculate support vector machines to identify that the second plurality of user actions is the masquerade attack.
  - 22. The system of claim 13, wherein the processor is further configured to associate the user intent model with at least one of:
    - a particular user, the operating environment, a network, and a user type.
  - 23. The system of claim 13, wherein the decoy information includes a beacon that is configured to operate in connection with a monitoring, application, and wherein the monitoring application monitors the computing environment for a signal from the beacon.
  - 24. The system of claim 13, wherein the decoy information includes a beacon, and wherein is further configured to use a sensor that monitors the beacon in the decoy information to determine whether the decoy information has been accessed.

25. A non-transitory computer-readable medium containing, computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting masquerade attacks, the method comprising:
- monitoring a first plurality of user actions in a computing environment;
  
  monitoring files in the computing environment that contain decoy information;
  
  generating a user intent model for a category that includes at least one of the first plurality of user actions;
  
  monitoring a second plurality of user actions;
  
  comparing the second plurality of user actions with the generated user intent model by determining whether at least one of the second plurality of user activities deviates from the generated user intent model;
  
  determining whether the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information in response to determining that at least one of the second plurality of user actions deviates from the generated user intent model;
  
  identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and
  
  generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the files in the computing environment that contain the decoy information.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The non-transitory computer-readable medium of claim 25, wherein the method further comprises assigning a category type to each of a plurality of user commands, applications, registry-based activities, and dynamic link library (DLL) activities in the computing environment.
  - 27. The non-transitory computer-readable medium of claim 26, wherein the method further comprises generating a taxonomy of categories based on the category type.
  - 28. The non-transitory computer-readable medium of claim 27, wherein the method further comprises:
    - selecting one or more categories from the taxonomy;
      
      extracting a plurality of features for each category; and
      
      generating the user intent model by using the first plurality of user actions with respect to the extracted features.
  - 29. The non-transitory computer-readable medium of claim 27, wherein the categories in the taxonomy are generated based on the computing environment.
  - 30. The non-transitory computer-readable medium of claim 25, wherein the method further comprises calculating a Hollinger distance between a first frequency table that models the first plurality of user actions and a second frequency table that models the second plurality of user actions.
  - 31. The non-transitory computer-readable medium of claim 30, wherein the method further comprises identifying that the second plurality of user actions is the masquerade attack in response to the calculated Hellinger distance being greater than a predefined threshold value.
  - 32. The non-transitory computer-readable medium of claim 30, wherein the method further comprises;
    - calculating a second Hollinger distance between the second frequency table that models the second plurality of user actions and a third frequency table that models a third plurality of user actions;
      
      comparing the second Hellinger distance with the Hellinger distance to determine whether the third plurality of user actions is the masquerade attack.
  - 33. The non-transitory computer-readable medium of claim 25, wherein the method further comprises calculating support vector machines to identify that the second plurality of user actions is the masquerade attack.
  - 34. The non-transitory computer-readable medium of claim 25, wherein the method further comprises associating the user intent model with at least one of:
    - a particular user, the operating environment, a network, and a user type.
  - 35. The non-transitory computer-readable medium of claim 25, wherein the decoy information includes a beacon that is configured to operate in connection with a monitoring application, and wherein the monitoring application monitors the computing environment for a signal from the beacon.
  - 36. The non-transitory computer-readable medium of claim 25, wherein the decoy information includes a beacon, and wherein the method further comprises using a sensor that monitors the beacon in the decoy information to determine whether the decoy information has been accessed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J., Hershkop, Shlomo, Salem, Malek Ben
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US12/628,587
Publication Number

US 20100269175A1
Time in Patent Office

1,673 Days
Field of Search

726 22- 25, 713187-188, 709217-219, 709223-229
US Class Current

726/23
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1491   using deception as counterm...

Methods, systems, and media for masquerade attack detection by monitoring computer user behavior

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

172 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and media for masquerade attack detection by monitoring computer user behavior

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links