TY - GEN
T1 - Building robust temporal user profiles for anomaly detection in file system accesses
AU - Mehnaz, Shagufta
AU - Bertino, Elisa
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016
Y1 - 2016
AB - Protecting sensitive data against malicious or compromised insiders is a major concern. In most cases, insiders have authorized access to the file systems containing such data, which they misuse or exfiltrate for financial profit. Moreover, external parties can compromise the identity credentials of valid file system users by exploiting security vulnerabilities, phishing attacks, etc. Therefore, in order to protect sensitive information from such attackers, security measures such as access control and encryption are often combined with anomaly detection. Anomaly detection is based on the key observation that the access behavior of an attacker differs significantly from the regular access pattern of a benign user. However, due to the complexity of users' interactions with a file system, modeling user profiles is a challenging problem. As a result, most existing anomaly detection techniques suffer from poor user profiles that contribute to high false positive and high false negative rates. In this paper, we propose an approach that, as a first step, discovers the users' tasks (sets of file accesses that represent distinct file system activities) by applying frequent sequence mining to the access log. In the next step, our approach builds robust temporal user profiles by extensively analyzing the timestamp information of users' file system accesses, and thus precisely models the relation between the users' tasks and their temporal properties using a multilevel temporal data structure. Finally, we evaluate the performance of our approach on a real dataset.
UR - http://www.scopus.com/inward/record.url?scp=85018500708&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85018500708&partnerID=8YFLogxK
U2 - 10.1109/PST.2016.7906928
DO - 10.1109/PST.2016.7906928
M3 - Conference contribution
AN - SCOPUS:85018500708
T3 - 2016 14th Annual Conference on Privacy, Security and Trust, PST 2016
SP - 207
EP - 210
BT - 2016 14th Annual Conference on Privacy, Security and Trust, PST 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 14th Annual Conference on Privacy, Security and Trust, PST 2016
Y2 - 12 December 2016 through 14 December 2016
ER -