Mario Latendresse. Masquerade Detection via Customized Grammars, in Proceedings of Intrusion and Malware Detection and Vulnerability Assessment: Second International Conference, DIMVA, Vienna, Austria, no. 3548, July 2005.
We show that masquerade detection, based on sequences of commands executed by the users, can be effectively and efficiently done by the construction of a customized grammar representing the normal behavior of a user. More specifically, we use the Sequitur algorithm to generate a context-free grammar which efficiently extracts repetitive sequences of commands executed by one user – which is mainly used to generate a profile of the user. This technique identifies also the common scripts implicitly or explicitly shared between users – a useful set of data for reducing false positives. During the detection phase, a block of commands is classified as either normal or a masquerade based on its decomposition in substrings using the grammar of the alleged user. Based on experimental results using the Schonlau datasets, this approach shows a good detection rate across all false positive rates – they are the highest among all published results inpknown to the author.