User Profiling for Intrusion Detection in Windows NT
Tom Goldring, (U.S. DOD), firstname.lastname@example.org
In User Profiling, we observe the normal behavior of computer users and from this, seek to automatically learn models that characterize this behavior. Then for a new session, these models are used to either authenticate the login name, or to identify a malicious insider. A related problem is Program Profiling, in which models for normal activity of an application program are learned, then used to identify attacks. This is a somewhat easier problem because humans do not come with "specs", so compared to programs, our behavior is infinitely less predictable. In fact, a certain level of anomalous activity in human behavior is inevitable and must be taken into account.
Most if not all published work on this subject has used command line activity as its data source, collected on a Unix system. In this environment there are multiple ways to do most things, leaving much room for individual expression, yet even so the reported results have been less than stellar. Now consider today's point and click world, where command line activity is virtually nonexistent. Even worse, the Windows suite of interlinked applications provides a "path of least resistance", with the result that people look more alike than ever. Add to this the fact that much of the activity occurring on a host, especially if it's networked, is generated by the operating system and not user related. This requires massive filtering, but how to it accurately can be far from obvious. These considerations underscore the inherent difficulty of the problem.
For nearly two years we have been monitoring real users doing their daily work on an operational Windows NT network. This talk will describe the data we collect and methods we have used to analyze it, and present results obtained to date.