Abstract

An intrusion occurs when an attacker gains unauthorized access to a valid user's account and performs disruptive behavior while masquerading as that user. The attacker may harm the user's account directly and can use it to launch attacks on other accounts or machines. Developing "signatures" of users of a computer system is a useful method for detecting when this scenario happens. Our approach concentrates on developing precise user signatures characterizing multiple aspects of user activity. Thus, anytime someone behaves in a manner inconsistent with their signature, our system will raise an alarm which strength corresponds to the unlikelihood of the current behavior to the signature.