Article code: 454608
Journal code: 695244
Publication year: 2007
English article: 8-page PDF
Full-text version: free download
English title of the ISI article
Masquerade detection by boosting decision stumps using UNIX commands
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Masqueraders who impersonate other users pose a serious threat to computer security. They are generally difficult to detect using firewalls or misuse-based intrusion detection systems. Although anomaly detection techniques provide a promising approach for masquerade detection, these techniques are not widely used due to their poor accuracy and relatively high false alarm rate. Previous studies of anomaly detection have mainly focused on model-based approaches, such as the support vector machine (SVM) and the hidden Markov model (HMM). Characteristics of user behavior were entered, and an evaluation value was calculated by the model. To judge whether or not the user was a masquerader, this value was compared with a predefined threshold within the model. However, the judgment processes in these models were invisible and uninterpretable by the security administrator. This study examines a different method for masquerader detection, a rule-based approach, which compares n-grams of command sequence using a technique known as boosting decision stumps. The main advantage of a rule-based method is that the generated rules are easier to interpret. The decision stump is the simplest form of a decision tree. Its “decision” is made by checking the presence or absence of a specified n-gram of command sequence. The boosting decision stumps method uses the weighted combination of the decision stumps in an application of the AdaBoost algorithm. Experiments were carried out on the common data set of UNIX commands that has been used in previous studies. The boosting decision stumps method results in an accuracy rate of 89.2% with a false alarm rate of 10.1%, while the best previously reported results had an accuracy rate of 80.1% with a false alarm rate of 9.7%. Experimental results show that the boosting decision stumps method is more effective and a more interpretable method for masquerade detection.
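The method the abstract describes, as an added sketch that is not code from the paper: AdaBoost over decision stumps that each test whether one command n-gram is present in a block, with the learned rules printed in readable form. The command blocks are constructed sample data (not the paper's data set), and the names `ngrams`, `stump`, `train` and `score` are hypothetical.

```python
import math

def ngrams(cmds, n_max=2):
    """All 1..n_max-grams (as tuples) that occur in one block of commands."""
    return {tuple(cmds[i:i + n]) for n in range(1, n_max + 1)
            for i in range(len(cmds) - n + 1)}

def stump(gram, sign, feats):
    """Decision stump: vote `sign` if the n-gram is present, else -sign."""
    return sign if gram in feats else -sign

def train(blocks, labels, rounds=3):
    """AdaBoost over n-gram stumps. labels: +1 masquerader, -1 legitimate.
    Returns the rule list [(alpha, gram, sign), ...]."""
    feats = [ngrams(b) for b in blocks]
    vocab = sorted(set().union(*feats))
    w = [1.0 / len(blocks)] * len(blocks)
    model = []
    for _ in range(rounds):
        # Weighted error of every candidate stump; min() keeps the first on ties.
        candidates = (
            (sum(wi for wi, f, y in zip(w, feats, labels) if stump(g, s, f) != y), g, s)
            for g in vocab for s in (1, -1))
        err, gram, sign = min(candidates, key=lambda c: c[0])
        err = min(max(err, 1e-9), 1 - 1e-9)  # avoid log(0) on a perfect stump
        alpha = 0.5 * math.log((1 - err) / err)
        model.append((alpha, gram, sign))
        # Misclassified blocks gain weight, correct ones lose it; then normalise.
        w = [wi * math.exp(-alpha * y * stump(gram, sign, f))
             for wi, f, y in zip(w, feats, labels)]
        total = sum(w)
        w = [wi / total for wi in w]
    return model

def score(model, block):
    """Weighted vote of all stumps; a score > 0 means 'masquerader'."""
    f = ngrams(block)
    return sum(a * stump(g, s, f) for a, g, s in model)

# Constructed sample data: three blocks from the legitimate user, three from a masquerader.
LEGIT = [["ls", "vi", "make"], ["vi", "make", "ls"], ["find", "vi", "cat"]]
MASQ = [["find", "tar", "scp"], ["ls", "find", "tar"], ["find", "vi", "scp"]]
BLOCKS, LABELS = LEGIT + MASQ, [-1] * 3 + [1] * 3

if __name__ == "__main__":
    for alpha, gram, sign in train(BLOCKS, LABELS):
        verdict = "masquerader" if sign > 0 else "legitimate"
        print(f"{alpha:.3f}  if {' '.join(gram)!r} present -> {verdict}")
```

No single n-gram separates the two classes in this sample, but the weighted vote of the three stumps classifies all six blocks correctly, and each rule can be read directly by an administrator.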

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 26, Issue 4, June 2007, Pages 311–318
Authors
, , , , , ,