Open Access Dissertation

A job-centric approach to user-level intrusion detection

TL;DR: A novel higher order representation of a user's profile is proposed, which includes the hierarchical notion of jobs/tasks, followed by the basic units of functionality which a user requires to accomplish these tasks and then the actual commands.
Abstract
Intrusion detection attempts to detect attacker activity should the preventive measures prove inadequate. User-level intrusion detection attempts to deter and curtail an attack even after the system has been compromised. In this dissertation, the problem of user-level intrusion detection is approached in a more holistic manner. Currently known user-level intrusion detection algorithms rely on establishing statistically that an observed stream of commands belongs to a person other than the profiled user. However, by viewing the command stream merely as text, several useful properties of how a user uses a computer system are lost or incorrectly represented. The first part of the dissertation deals with this shortcoming. A novel higher order representation of a user's profile is proposed, which includes the hierarchical notion of jobs/tasks, followed by the basic units of functionality which a user requires to accomplish these tasks and then the actual commands. Such a representation is a significant departure from known techniques and provides several benefits, such as user involvement in the security process, lowered false positive rates and per-job profiling. Depending on the site at which the security system is deployed, and at what level within that site, a range of IDS components may be exposed to direct attack. Indeed, if the IDS is very effective, then the IDS itself becomes a more lucrative target. This is of particular concern for a user-level IDS, which is implemented in close vicinity to the user. In this dissertation, this specific issue is also addressed: a structural analysis of dependencies reveals the ideal tamper-resistant configuration. Finally, investment in security systems of any kind, and where they are planned to be installed, requires careful deliberation. The fact that various options cannot be tried and tested on a live network leaves the security analyst with very little leeway. Threat models provide a very useful and viable alternative in this regard. However, for user-level threats, currently known techniques such as attack graphs and privilege graphs are not appropriate. Instead, a new model is proposed, called the key challenge graph, which specifically addresses user-level threat modeling. (Abstract shortened by UMI.)


Citations
Report

A Comprehensive Reasoning Framework for Information Survivability (User Intent Encapsulation and Reasoning About Intrusion: Implementation and Performance Assessment)

TL;DR: The outcome of this research is a Dynamic Reasoning based User Intent Driven (DRUID) intrusion detection system that addresses the problem of user-level intrusion detection by devising a data generation algorithm called RACOON based on a model used to profile users.
Report

Assured Communications Research Center (ACRC)

TL;DR: A basic tenet of the ACRC was to enforce the system properties of fault-tolerant computing even in the presence of attack in order to ensure system integrity and availability.