School of Computer and Information Science, Edith Cowan University, Perth, Western Australia
Intrusion detection systems (IDS) have often been used to analyse network traffic to help network administrators quickly identify and respond to intrusions. These detection systems generally operate over the entire network, identifying “anomalies” atypical of the network’s normal collective user activities. We show that anomaly detection could also be host-based so that the normal usage patterns of an individual user could be profiled. This enables the detection of masquerading intruders by comparing a learned user profile against the current session’s profile. A prototype behavioural IDS applies the concept of anomaly detection to user behaviour and compares the effects of using multiple characteristics to profile users. Behaviour captured within the system consists of application usage, application performance (CPU and memory), the websites a user visits, the number of windows a user has open, and their typing habits. The results show that such a system is entirely feasible, that characteristics physically related to the user are more relevant to profiling behaviour and that the combination of characteristics can significantly decrease the time taken to detect an intruder.