Profiling users in GUI based systems for masquerade detection

Masquerading or impersonation attack refers to the illegitimate activity on a computer system when one user impersonates another user. Masquerade attacks are serious in nature due to the fact that they are mostly carried by insiders and thus are extremely difficult to detect. Detection of these attacks is done by monitoring significant changes in user's behavior based on his/her profile. Currently, such profiles are based mostly on the user command line data and do not represent his/her complete behavior in a graphical user interface (GUI) based system and hence are not sufficient to quickly detect such masquerade attacks. In this paper, we present a new framework for creating a unique feature set for user behavior on GUI based systems. We have collected real user behavior data from live systems and extracted parameters to construct these feature vectors. These vectors contain user information such as mouse speed, distance, angles and amount of clicks during a user session. We model our technique of user identification and masquerade detection as a binary classification problem and use Support Vector Machine (SVM) to learn and classify these feature vectors. We show that our technique can provide detection rates of up to 96% with few false positives based on these feature vectors. We have tested our technique with various feature vector parameters and conclude that these feature vectors can provide unique and comprehensive user behavior information and are powerful enough to detect masqueraders.