Anomaly instruction detection of masqueraders and threat evaluation using fuzzy logic

One critical threat facing many organizations is the inside attacks from masqueraders, internal users or external intruders who exploit legitimate user identity and perform malicious attacks. Anomaly intrusion detection systems can be deployed to build a user behavior profile from his/her past activities in a computer system and detect masqueraders if a large deviation is observed. In this paper, we use a finite automata based model to construct a normal behavior reference model from the analysis of shell command sequences. A fuzzy evaluation mechanism is proposed to classify the degree of threat as linguistic terms. The fuzzy number calculated from the output of a fuzzy inference system is compared with predefined generalized fuzzy numbers representing different threat levels. A case wit! be labeled as the linguistic term which has the highest similarity value with it. Experiments conducted on two data sets both achieved high detection rates of masqueraders and few false alarms, which stand out other methods.