User profiling in intrusion detection: A review

Journal of Network and Computer Applications

Volumn 72, Issue , 2016, Pages 14-27

  Peng, Jian ^a   Choo, Kim Kwang Raymond ^a,b,c   Ashman, Helen ^a  

^a UNIVERSITY OF SOUTH AUSTRALIA   (Australia)

^b UNIVERSITY OF TEXAS AT SAN ANTONIO   (United States)

^c CHINA UNIVERSITY OF GEOSCIENCES   (China)

Author keywords

Behavioural biometrics; Intrusion detection and prevention systems; Psychometrics; User behaviour; User profiling

Indexed keywords

BEHAVIORAL RESEARCH; BIOMETRICS; MERCURY (METAL);

COGNITIVE FUNCTIONS; HIGHER-ORDER; INTRUSION DETECTION AND PREVENTION SYSTEMS; INTRUSION DETECTION SYSTEMS; PSYCHOMETRICS; SECURITY CONTEXT; USER BEHAVIOUR; USER PROFILING;

INTRUSION DETECTION;

EID: 84978971732     PISSN: 10848045     EISSN: 10958592     Source Type: Journal    
DOI: 10.1016/j.jnca.2016.06.012     Document Type: Review

References (106)

1. Abbasi, A., Chen, H., Writeprints: a stylometric approach to identity-level identification and similarity detection in cyberspace. ACM Trans. Inf. Syst. 26:2 (2008), 1–29.
2. Abdel-Hafez, A., Xu, Y., A survey of user modelling in social media websites. Comput. Inf. Sci., 6(4), 2013.
3. Abou-Assaleh, T., et al., 2004. Detection of new malicious code using N-grams signatures. In: Proceeding of Second Annual Conference on Privacy, Security and Trust, October: pp. 13–15.
4. Afroz, S., Brennan, M., Greenstadt, R., 2012. Detecting hoaxes, frauds, and deception in writing style online. In: Proceedings of the IEEE Symposium on Security and Privicy (Sp) pp. 461–475.
5. Alexandre, T.J., Biometrics on smart cards: an approach to keyboard behavioral signature. Future Gener. Comput. Syst. 13 (1997), 19–26.
6. Anderson, J.P., Computer Security Threat Monitoring and Surveillance. 1980, James P. Anderson Company, Fort Washington, PA.
7. Astroturfing, 〈 https://en.wikipedia.org/wiki/Astroturfing〉.
8. Bailey, K.O., Okolica, J.S., Peterson, G.L., User identification and authentication using multi-modal behavioral biometrics. Comput. Secur. 43 (2014), 77–89.
9. Barron-Cedeno, A., et al. Word length n-grams for text re-use detection. Comput. Linguist. Intell. Text Process., 2010, 687–699 2010: p. 687-699.
10. Beghdad, R., Modelling and solving the intrusion detection problem in computer networks. Comput. Secur. 23:8 (2004), 687–696.
11. Bergadano, F., Gunetti, D., Picardi, C., Identity verification through dynamic keystroke analysis. Intell. Data Anal 7:5 (2003), 469–496 7(5): p. 469-496.
12. Bienkov, A., Astroturfing: what is it and why does it matter? 〈 http://www.theguardian.com/commentisfree/2012/feb/08/what-is-astroturfing〉, 2012.
13. Biermann, E., A comparison of Intrusion Detection systems. Comput. Secur. 20 (2001), 676–683.
14. Blasing, T., et al., 2010. An android application sandbox system for suspicious software detection. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (Malware 2010) (MALWARE'2010), Nancy, France, France.
15. Brusilovsky, P., 2001. Adaptive Hypermedia. User Modeling and User-Adapted Interaction, Vol. 11, no. 1, pp. 87–110.
16. Cabrera, J.B.D., Lewis, L., Mehra, R.K., Detection and classification of intrusions and faults using sequences of system calls. SIGMOD Rec. 30:4 (2001), 25–34.
17. Casas, P., Mazel, J., Owezarski, P., Unsupervised network intrusion detection systems: detecting the unknown without knowledge. Comput. Commun. 35:7 (2012), 772–783.
18. Cavnar, W.B., J.M. Trenkle, 1994. N-gram-based text categorization. In Proceedings of 3rd Annual Symposium on Document Analysis and Information Retrieval, SDAIR-94, pp. 161–175.
19. Chandola, V.A., Banerjee, Kumar, V., Anomaly detection. ACM Comput. Surv. 41:3 (2009), 1–58.
20. Chandola, V.,B.A., Kumar, V., Anomaly detection for discrete sequences: a survey. IEEE Trans. Knowl. Data Eng. 24:5 (2012), 823–839.
21. Chebrolua, S., Abrahama, A., Thomas, J.P., Feature deduction and ensemble design of intrusion detection systems. Comput Secur 24 (2005), 295–307.
22. Chen, C.M., et al., 2013. Battling the internet water army: detection of hidden paid posters. In: Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM'13, pp. 116–120.
23. Chen, C.M., et al., 2013. Battling the internet water army: detection of hidden paid posters. In: Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM'13, pp. 116–120.
24. Cortes, C., Pregibon, D., Signature-based methods for data streams. Data Min. Knowl. Discov. 5 (2001), 167–182.
25. Davis, J., Clark, A., Data preprocessing for anomaly based network intrusion detection. A Rev. Comput. Secur. 30 (2011), 353–375.
26. Denning, D.E., An intrusion detection model. IEEE Trans. Softw. Eng. SE-13:2 (1987), 222–233.
27. Eugene, S., An information security pioneer. IEEE Secur. Priv., 6(1), 2008, 9.
28. F., Q. and C. J., 2006. Automatic identification of user interest for personalized search. In: Proceedings of the 15th Intnational World Wide Web Conference, 2006: pp. 727–736.
29. Forrest, S., et al., 1996. A sense of self for Unix processes. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press, 1996: pp. 120–128.
30. Fox, N., Ehmoda, O., Charniak, E., 2012. Statistical Stylometrics and the Marlowe-Shakespeare Authorship Debate.
31. Frantzeskou, G., et al., 2006. Effective identification of source code authors using byte-level information. In: Proceedings of the 28th International Conference on Software engineering, ICSE'06, pp. 893–896.
32. Gates, C. and C. Taylor, 2006. Challenging the anomaly detection paradigm: a provocative discussion. In: Proceedings of the 2006 Workshop on New Security Paradigms, ACM, Germany, pp. 21–29.
33. Han, H., X.-l. Lu, and L.-y. Ren, 2002. Using data mining to discover singatures in network-based intrusiton detection. Proceedmgs of the First International Conference on Machme Learmng and Cybemeucs, Beqmg, 4–5 November 2002.
34. Hirst, G., Feiguina, O., Bigrams of syntactic labels for authorship discrimination of short texts. Lit. Linguist. Comput. 22:4 (2007), 405–417.
35. Houvardas, J., Stamatatos, E., N-gram feature selection for authorship identification AIMSA 2006, LNCS(LNAI)., 4183, 2006, 77–86.
36. Hovold, J., 2005. Naive Bayes spam filtering using word-position-based attributes. In: Proceedings of the Second Conference on Email and Anti-spam, CEAS, Stanford University.
37. http://www.myersbriggs.org/my-mbti-personality-type/mbti-basics/.
38. Huang, L., Stamp, M., Masquerade detection using profile hidden Markov models. Comput. Secur. 30:8 (2011), 732–747.
39. Iqbal, F., et al. Mining writeprints from anonymous e-mails for forensic investigation. Digit Investig. 7:1–2 (2010), 56–64.
40. Iqbal, F., et al. A novel approach of mining write-prints for authorship attribution in e-mail forensics. Digit Investig. 5 (2008), S42–S51.
41. Jacob, G., Debar, H., Filiol, E., Behavioral detection of malware: from a survey towards an established taxonomy. J. Comput. Virol. 4:3 (2008), 251–266.
42. Jagadeesan, H. and M.S. Hsiao, 2009. A Novel Approach to Design of User Re-Authentication Systems.
43. Jin, L., et al. Understanding user behavior in online social networks: a survey. IEEE Commun. Mag., 2013, 143–150.
44. Jøsang, A., Ismail, R., Boyd, C., A survey of trust and reputation systems for online service provision. Decis. Support Syst. 43:2 (2007), 618–644.
45. Kandias, M., et al. An insider threat prediction model. Trust, Priv. Secur. Digit Bus. 6264 (2010), 26–37.
46. Keselj, V., et al., 2003. N-gram-based author profiles for authorship attribution. In: Proceedings of the Pacific Association for Computational Linguistics, pp. 255–264.
47. Khan, S., Gani, A., Abdul Wahab, A., Bagiwa, M., Shiraz, M., Khan, S., Buyya, R., Zomaya, A., Cloud log forensics: foundations, state of the art, and future directions. ACM Comput. Surv., 49(1), 2016 Article 7.
48. Kheyri, D., Karami, M., A comprehensive survey on anomaly-based intrusion detection in MANET. Comput. Inf. Sci., 5, 2012, 4.
49. Koong, C.S., Yang, T.I., Tseng, C.C., A user authentication scheme using physiological and behavioral biometrics for multitouch devices. Sci. World J., 2014, 2014, 781234.
50. Koppel, M., Schler, J., Argamon, S., Computational methods in authorship attribution. J. Am. Soc. Inf. Sci. Technol. 60:1 (2009), 9–26.
51. Lane, T. and C.E. Brodley, 1997. An application of machine learning to anomaly detection. In: Proceedings of the 20th National Information Systems Security Conference, pp. 366–380.
52. Li, L., S. Sui, and C.N. Manikopoulos, 2006. Windows NT User profiling for masquerader detection. In: Proceedings of the 2006 IEEE International Conference on Networking, Sensing and Control, ICNSC'06. pp. 386–391.
53. Li, X., Y. Xue, and B. Malin, 2012. Detecting anomalous user behaviors in workflow-driven web applications. In: Proceedings of the 31st International Symposium on Reliable Distributed Systems (SRDS 2012), pp. 1–10.
54. Li, W.-J., et al., 2005. Fileprints: identifying file types by N-gram analysis. In: Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, pp. 64–71.
55. Corney, M., Mohay, G., 2011. Detection of anomalies from user profiles generated from system. In: Proceeding AISC'11 Proceedings of the Ninth Australasian Information Security Conference, 116: pp. 23–32.
56. Maor, E., 〈 https://securityintelligence.com/behavioral-profiling-finding-man-wasnt/〉, April 17, 2013.
57. Marceau, C., 2000. Characterizing the behaviour of a program using multiple-length N-grams. In: Proceedings of the 2000 Workshop on New Security Paradigms, ACM, Ballycotton, County Cork, Ireland, pp. 101–110.
58. Martini, B., Choo, K.-K.R., Distributed filesystem forensics: XtreemFS as a case study. Digit Investig. 11:4 (2014), 295–313.
59. Martin, S., et al., 2005. Analyzing behaviorial features for email classification. In: Prodeedings of the IEEE Second Conference on Email and Anti-Spam (CEAS 2005).
60. Masri, W., Assi, R.A., El-Ghali, M., Generating profile-based signatures for online intrusion and failure detection. Inf. Softw. Technol. 56:2 (2014), 238–251.
61. Masud, M.M., L. Khan, and B. Thuraisingham, 2007. A hybrid model to detect malicious executables. In: Proceedings of the IEEE International Conference on Communication (ICC'07), pp. 1443–1448.
62. Maxion, R.A., 2003. Masquerade detection using enriched command lines. In: Proceedings of International Conference on Dependable Systems and Networks, pp. 5–14.
63. Mazzariello, C. and F. Oliviero, 2006. An autonomic intrusion detection system based on behavioural network engineering. In: Proceedings of the 25th IEEE International Conference on Computer Communications, INFOCOM 2006. pp. 1–2.
64. McKinney, S. and D.S. Reeves, 2009. User identification via process profiling: extended abstract. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, pp. 1–4.
65. Mezghani, M., et al., 2012. A user profile modeling using social annotations: a survey. In: Proceedings of the 21st International Conference Companion on World Wide Web, WWW'12 Companion, pp. 969–976.
66. Mitchell, R., Chen, I.-R., A survey of intrusion detection techniques for cyber-physical systems. ACM Comput. Surv. 46:4 (2014), 1–29.
67. Mitchell, R., Chen, I.-R., A survey of intrusion detection in wireless network applications. Comput. Commun. 42 (2014), 1–23.
68. Mohammad Faysel, S.H., Towards cyber defense: research in intrusion detection and intrusion prevention systems. Int. J. Comput. Sci. Netw. Secur. 10:7 (2010), 316–325.
69. Monowar, H., Bhuyan, D.K.B., Kalita, J.K., Network anomaly detection: methods, systems and tools. IEEE Commun. Surv. Tutorials 16:1 (2013), 303–336.
70. Bhaskaran, N., Frank, M., 2011. Lie to me: Deceit detection via online behavioral learning. In: Proceedings of the IEEE International Conference on Automatic Face & Gesture Recognition and Workshops (FG 2011), pp. 24.
71. Osanaiye, O., Choo, K.-K.R., Dlodloa, M., Distributed denial of service (DDoS) resilience in cloud: Review and conceptual cloud DDoS mitigation framework. J. Netw. Comput. Appl. 67 (2016), 147–165.
72. Osanaiye O., Cai H., Choo K.-K. R., Dehghantanha A., Xu Z., Dlodlo M. Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing. EURASIP Journal on Wireless Communications and Networking, 2016b, Paper no. 130.
73. Pannell, G. and H. Ashman, 2010. User modelling for exclusion and anomaly detection: a behavioural intrusion detection system. In: Proceedings of User Modeling, Adaptation, and Personalization, 6075: pp. 207–218.
74. Pannell, G. and H. Ashman, 2010. Anomaly detection over user profiles for intrusion detection. In: Proceedings of the 8th Australian Information Security Mangement Conference.
75. Patcha, A., Park, J.-M., An overview of anomaly detection techniques: Existing solutions and latest technological trends. Comput. Netw. 51:12 (2007), 3448–3470.
76. Peng, J., Choo, K.-K.R., Ashman, H., Bit-level n-gram based forensic authorship analysis on social media: Identifying individuals from linguistic profiles. J. Netw. Comput. Appl. 70 (2016), 171–182.
77. Pennington, A., et al. Storage-based intrusion detection. ACM Trans. Inf. Syst. Secur., 13, 2010, 4.
78. Plagiarism detection, 〈 https://en.wikipedia.org/wiki/Plagiarism_detection.
79. Quick, D., Martini, B., Choo, K.-K.R., Cloud storage forensics, 2013, 23–61.
80. Rahman, N.H.A., Choo, K.-K.R., A survey of information security incident handling in the cloud. Comput. Secur. 49 (2015), 45–69.
81. Ratkiewicz, J., M. Conover, and M. Meiss, 2011a. Detecting and tracking the spread of astroturf memes in microblog streams. Proceedings of the 20th International Conference Companion on World Wide Web, WWW'11; pp. 249–252.
82. Ratkiewicz, J., et al., 2001b. Detecting and tracking political abuse in social media. In: Proceedings of the Fifth International AAAI Conference on Weblogs and Social Media.
83. Revett, K., A bioinformatics based approach to user authentication via keystroke dynamics. Int J Control, Autom Syst 7:1 (2009), 7–15.
84. Rhee, J., Z. Lin, and D. Xu, 2011. Characterizing kernel malware behavior with kernel data access patterns. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, pp. 207–216.
85. Rhodes, B., J. Mahaffey, and J. Cannady, 2000. Multiple self-organizing maps for intrusion detection. In: Proceedings of the 23rd National Information Systems Security Conference. Baltimore, MD.
86. Rodríguez, N.D., et al. A survey on ontologies for human behavior recognition. ACM Comput. Surv. 46:4 (2014), 1–33.
87. Shrestha, P., Solorio, T., Using a Variety of n-Grams for the Detection of Different Kinds of Plagiarism. Notebook for PAN at CLEF 2013, 2013, Valencia, España.
88. Stamatatos, E., A survey of modern authorship attribution methods. J. Am. Soc. Inf. Sci. Technol. 60:3 (2009), 538–556.
89. Stamatatos, E., 2009. Intrinsic plagiarism detection using character n-gram profiles. In: Proceedings of the SEPLN 2009 Workshop on Uncovering Plagiarism, Authorship, and Social Software Misuse (PAN 2009), pp. 38–46.
90. Stein, G., et al., 2005. Decision tree classifier for network intrusiondetection with GA-based feature selection. In: Proceedings of the 43rd Annual Southeast Regional Conference, 2, pp. 136–141.
91. Stein, B., Lipka, N., Prettenhofer, P., Intrinsic plagiarism analysis. Lang Resour Eval 45:1 (2010), 63–82.
92. Tabia, K. and S. Benferhat, 2008. On the use of decision trees as behavioral approaches in intrusion detection. In: Proceedings of the Seventh International Conference on Machine Learning and Applications, pp. 665–670.
93. Umphress, D., Williams, G., Identity verification through keyboard characteristics. Int. J. Man-Mach. Stud. 23:3 (1985), 263–273.
94. Venugopala, D., Hu, G., Efficient signature based malware detection on mobile devices. Mob. Inf. Syst. 4 (2008), 33–49.
95. Vizer, L.M., Zhou, L., Sears, A., Automated stress detection using keystroke and linguistic features: an exploratory study. Int. J. Human-Comput. Stud. 67:10 (2009), 870–886.
96. Wahab, O.A., et al. A survey on trust and reputation models for web services: single, composite, and communities. Decis. Support. Syst. 74 (2015), 121–134.
97. Woodhams, Jessica; Toye, Kirsty. 2007. An empirical test of the assumptions of case linkage and offender profiling with serial commercial robberies Psychology, Public Policy, and Law, 13, (1): pp. 59–85. 〈 http://dx.doi.org/10.1037/1076-8971.13.1.59.
98. Wressnegger, C., et al., 2013. A close look on n-grams in intrusion detection: anomaly detection vs. classificatio. In: Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, pp. 67–76.
99. Wu, S.X., Banzhaf, W., The use of computational intelligence in intrusion detection systems: a review. Appl. Soft Comput. 10:1 (2010), 1–35.
100. https://www.private-eye.co.uk.
101. Xie, L., et al., 2010. pBMDS: A Behavior-based Malware Detection System for Cellphone Devices. In: Proceedings of The ACM Conference on Wireless Network Security (WiSec), pp. 37–48.
102. Yampolskiy, R.V., Govindaraju, V., Behavioural biometrics: a survey and classification. Int. J. Biom. 1:1 (2008), 81–113.
103. Yang, Y., Web user behavioral profiling for user identification. Decis. Support. Syst. 49:3 (2010), 261–271.
104. Yang, P., Fang, H., Opin-based User Profile Model Context Suggest, 2013, 80–83.
105. Yang, Y., Padmanabhan, B., Toward user patterns for online security: Observation time and online user identification. Decis. Support. Syst. 48:4 (2010), 548–558.
106. Yeung, D.-Y. and Y. Ding, 2002.User profiling for intrusion detection using dynamic and static behavioural models. In: Proceedings of the 6th Pacific-Asia Conference on Advances in Knowledge Discovery and Data Mining, Springer-Verlag, pp. 494–505.