TY - JOUR
T1 - Masquerade mimicry attack detection
T2 - A randomised approach
AU - Tapiador, Juan E.
AU - Clark, John A.
PY - 2011/7
Y1 - 2011/7
N2 - A masquerader is an (often external) attacker who, after succeeding in obtaining a legitimate user’s credentials, attempts to use the stolen identity to carry out malicious actions. Automatic detection of masquerading attacks is generally undertaken by approaching the problem from an anomaly detection perspective: a model of normal behaviour for each user is constructed and significant departures from it are identified as potential masquerading attempts. One potential vulnerability of these schemes lies in the fact that anomaly detection algorithms are generally susceptible to deception. In this work, we first investigate how a resourceful masquerader can successfully evade detection while still accomplishing his goals. For this, we introduce the concept of masquerade mimicry attacks, consisting of carefully constructed attacks that are not identified as anomalous. We then explore two different detection schemes to thwart such attacks. We first study the introduction of a blind randomisation strategy into a baseline anomaly detector. We then propose a more accurate algorithm, called Probabilistic Padding Identification (PPI) and based on the Kullback–Leibler divergence, which attempts to identify if a sufficiently anomalous attack is present within an apparently normal behavioural pattern. Our experimental results indicate that the PPI algorithm achieves considerably better detection quality than both blind randomised strategies and adversarial-unaware approaches.
UR - http://www.scopus.com/inward/record.url?scp=79960838421&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2011.05.004
DO - 10.1016/j.cose.2011.05.004
M3 - Article
SN - 0167-4048
VL - 30
SP - 297
EP - 310
JO - Computers & Security
JF - Computers & Security
IS - 5
ER -