Indirect Human Computer Inteaction - Based

Biometrics for Intrusion Detection Systems

CHRISTIAN T. CROOC BSIT 4-2
November 29, 2010

Abstract able for their actions. This prevents the

users from avoiding security policies.
An Intrusion Detection System (IDS) is a
system for detecting misuse/ malicious at- • Reconstructing Events: Audit trails may
tacks of network or computer resources. IDS also be used to reconstruct events after a
characterize activity at the level of user’s problem occurred. The amount of dam-
sessions and applications transactions. By age that occurred with an incident can
means of indirect human computer interac- be assessed by reviewing audit trails of
tion based biometrics which can be obtained system activity to point how, when and
by examine user’s HCI behaviour using com- why the incident occurred.
puter software like audit logs, call stack and
other forms of HCI-based biometrics. This • Problem Monitoring: Audit trails may
paper concentrates on seven aspects of in- also use as online tools to help monitor
direct HCI Based Biometrics. It character- problems has occurred. Such real time
ized each of them and provides a suggestion monitoring helps detection of problems
on each implementation being done by each like disk failures over utilization of sys-
Indirect HCI Based Biometrics for Intrusion tem resources or network outages.
Detection System.Criticism and analysis for
• Intrusion Detection: Intrusion detection
each indirect HCI Based Biometrics is also
refers to the process of identifying at-
present on this paper to provide an ideas and
tempts to penetrate a system and gain
information which may use for other under-
unauthorized access. Audit trails can
takings for this study.
help in intrusion detection if they record
A. AUDIT LOGS
appropriate events. Determining what
An audit logs/trail is a series of records of events to audit so that audit trails can
computer events about an operating system, be used in an effective manner to aid in-
an application or user activities. It is gen- trusion detection is one of the present
erated by an auditing system that monitors research issues being looked into by the
system activity. Audit Trails have many uses research community.
in the area of computer security:
In traditional, the best way to detect in-
• Individual Accountability: An individ- trusion was to create logs or audit trails of
ual’s actions are tracked in an audit trail all security relevant activity using Post-Event
allowing users to be personally account- audit Trail Analysis. As a result most OS,

1
databases, routers and application generate
audit trails but no one had time to read all
audit logs data. Also, as the number of users,
systems, applications and databases grow, it
means the audit logs as well develop so large
that may actually cause denial of services
problems from using up too mush disk space.
Some production company routinely turn off
audit trails to avoid disruptions to produc-
tion systems[?]. Audit logs are too large to
be analyzed and must be reduced and filtered
before the data can be analyzed or stored.
The audit facilities of contemporary operat-
ing system (Windows NT and Solaris) do not
suit the needs of intrusion detection system as
well. In general, Intrusion detection system
want to characterize at the level of users, ses-
sions and application transaction while audit
logs present activity at the system calls, pro-
cess and network packet level of abstraction.
The large size of audit logs is not an obsta-
cle to long term storage and analysis given
effective data compression algorithms. Sam-
ple of this algorithm is LempelZiv compres-
sion algorithms which used Solaris BSM and
Windows NT that are highly compressible,
resulting in 80-95 percent reduction of size.
The audit log must also preserve supporting
data that enable us to understand the mean-
ing of logged data [7].
Figure 1. Sample of Audit Logs
2
Implementation: As mentioned earlier, tra-
ditional Intrusion Detection has been to per-
form of post-event audit trail analysis. Based
on, there are two key advantages of using post
event audit trail analysis. First, it addresses
the tremendous difficulties that organizations
experience examining and managing audit
trails and Investigators/administrators can
go back in time and do historical analysis of
events that have occurred in the past. But
from network -based security perspective, the
disadvantages with a pure after the fact” is
that by the time it detects the security prob-
lem. Too late to responds and protect the
data which resulting consequences of the at-
tack go far deeper in the network without re-
sistance. In this case, some company used
Real-Time Activity Monitoring which is effec-
tive method for Intrusion Detection for Audit
Logs.
Real-Time Activity Monitoring:
It is effective method for real-time intru-
sion detection in sense of monitor security re-
lated activity occurring on the various sys-
tems and devices that make up network.
While most activity monitors watch the oper-
ating system audit trails, more sophisticated
tools also track audit logs from applications
and databases. Real -time activity monitors
can detect attacks such as attempts to access
unauthorized sensitive files or to replace log-
in program with new version. It also deploy
close to the mission-critical data and applica-
tions for security of audit logs [6].
An ideal application in intrusion detection
will be gather in sufficient (normal and ab-
normal) audit data for a user or program,
I suggest to apply a classification algorithm
to learn a classifier that can label or pre-
dict new unseen data as belonging to nor-
mal/abnormal class.
B. CALL STACK
The call stack of a program execution can
be a very good information source for intru-
sion detection by analysing return addresses.
There is no prior work on dynamically ex-
tracting information from call stack and effec-
tively using it to detect exploits. In observe,
plenty of research has focused on anomaly de-
tection by learning program behavior sample
of this is Feng et. al[2] proposed anomaly de-
tection. Most of the methods proposed were
based on modelling system call traces. How-
ever, there has not been much improvement
on system call based methods recently in part
because system calls themselves only provide
limited amount of information. Invoking sys-
tem calls is only one aspect of program be-
havior. I consider such as the information
contained in the call stack, for intrusion de-
tection purposes.
Figure 2. Call Stack and Chain of frame
pointers
Based on Feng et. al.[2], some methods in
anomaly detection used a system call based,
but program counter (PC) information must
be construct states both explicit and im-
plicit. Program counter obtained lot infor-
mation about current status and history of
program execution from the calls tack which Figure 3. The Virtual Path from the last
in the sense of return addresses. Figure 2
shows the number of frames on a program
stack and the chain frame pointer references C. GUI INTERACTION
that are used for stack unwinding in extract-
ing return addresses. It also may be useful
for intrusion detection. Therefore, call stack
can be good information sources of intrusion
detection.
Implementation: Giffin et. al. proposed an
approach on precision and efficiency in too
low many programs by indicates ”inserting
null calls” that will largely decrease of non-
determinism and help solve the impossible
path problem. It will rewrite of the executa-
bles and the changes of call name space in call
stack. But, I consider this approach may be
used only for host based anomaly detection
that intrusion. As follow, the network delays
thousands of null calls which may delay for
one real system call. In this case, Feng et al.
proposed VtPath Model that uses call stack
history as the current PC information which
helps detect more intrusion. It will use virtual
path that will integrate signal handling. In
Figure 3 shows the virtual path for the system
call. The definition of virtual path abstracts
the execution of system calls. The program
sequentially returns some functions and grad-
ually enters some other functions. This will
reflect the idea of call history.
System Call to the Current System Call
3
 In almost all Unix - like systems, most of
the user activities are performed by typing
commands on a terminal. These activities
include opening of new applications, closing
them and manage other computer processes.
Most of the existing Intrusion Detection Sys-
tems base their detection decision on this
command line based dataset. Although this
dataset can provide effective anomaly detec-
tion capabilities in these systems, they are
not sufficient to provide anomaly detection
in a graphical user interface (GUI) based en-
vironments like Windows operating system
and some modification of Unix (Linux, Mac
OS and etc.) which are designed to be more
visual and users are expected to use mouse
clicks for activating commands rather than
typing on command terminal (Schonlau).
On the other hand, there is inadequacy in
user’s behavior in GUI based systems and
command line based systems. In GUI based
system. Most of the user activities are per-
formed using either mouse movement and
clicks or a combination of mouse movement
and keystrokes while command line data can-
not capture this GUI based behavior and fur-
ther efforts are required to incorporate this
behavior information for effectively detecting
anomalies[4]. In Figure 4, shows the general
trends of various types of user which drawn
based on user’s activities and achieve task by
these users.
4
Figure 4. Behavioral Path for various types
of User
Implementation: Garg et. al proposed intru-
sion detection in masquerade using profiling
users in GUI that detect as binary classifi-
cation problem and use Support Vector Ma-
chine (SVM) to learn classify these features
vectors in masquerades. Furthermore, it im-
plements to apply of behavioural path of var-
ious users that could provide details about
behavioural profiles and thus enable more ac-
curate anomaly detection as compared to uti-
lizing the command or audit data alone.
Summary of Contributions Proposed in In-
trusion Detection System by Garg et. al.
The main contribution of the paper is in im-
proving the masquerade detection capabili-
ties based systems. The specific contribu-
tions:
• A logger tool for capturing the user be-
havior actions such as mouse movement,
keyboard activity and system processes
in a GUI based system
• A parser tool to analyze and extract the
user behavior profile parameters from
logged data
• Use of Support Vector machines for
learning and classifying unique user pro-
file parameters
I found out that user behavior features
based on mouse activity or others on a GUI
based system can be used to uniquely iden-
tify users and thus provide better masquerade
detection capability in intrusion.
D.NETWORK TRAFFIC
Network Intrusion Detection systems are
placed at a strategic point/s within the net-
work to monitor traffic to and from all devices
on the network.
Advantages of Network based Intrusion De-
tection System:
 • Lower cost of ownership: It can deploy
for each network segment. This reduces
management overhead, as there is no
need to maintain sensor software at the
host level.
• Easier to deploy: Network based IDs are
easier to deploy because it does not affect
existing systems or infrastructure and it
is operating systems independent.
• Detect network based attacks: It can
detect attacks which checks for the en-
tire packet header for any malicious at-
tack. It can quickly detect SYN attack
by looking at the contents of the packets
at the real time
• Real time Detection and quick response:
Network based IDS can monitors traffic
on a real time. It can detect malicious
activity as they occur.
• Detection of failed attacks: It can de-
ployed outside of firewalls can detect the
malicious attacks on resources behind E. REGISTRY ACCESS
the firewall.
Disadvantages of Network based Intrusion
Detection System:
• Network based IDS may have difficult
processing all the packets in al rage busy
network and fail to recognize an attack
launched during period of high traffic.
• Network based IDS cannot analyze en-
cryption information
• Most Network based IDS cannot tell
whether or not attack was suceesful.
Implementation: Some studies investigate
to use of neural network classification of
computer network attacks using statis-
tical anomaly detection, carried out by
HIDE. HIDE is a hierarchical, multitier,
5
multiobservation-window, anomaly based
network intrusion detection system, proto-
typed in our laboratory for the US Army’s
Tactical Internet. HIDE monitors several
network traffic parameters simultaneously,
constructs a probability density function
(PDF) for each, statistically compares it
to a reference PDF of normal behavior
using a similarity metric, then combines
the results into an anomaly status vector
that is classified by a neural network clas-
sifier. Many simulation experiments have
been carried out focusing on the denial of
service (DOS) class of attacks, including
UDP, ICMP and TCP flooding attacks.
On the results, the detection effectiveness
of the perceptron (P), backpropagation
(BP),perceptron-backpropagation-hybrid
(PBH), fuzzy ARTMAP, and radial-based
function (RBF) artificial neural network
(ANN) classifiers[1].
In intrusion attacks, it is utilize of ma-
licious software. There are two widely de-
ployed: First lines of defense against mali-
cious software are virus scanners and secu-
rity patches. Virus scanners attempt to de-
tect malicious software and security patches
OS updates to fix security holes that mali-
cious software exploits. Both of these meth-
ods suffer from the same drawback. They are
effective in Known attacks but are unable to
detects and prevent new types of attacks ( ).
The second line of defense is though IDS sys-
tems. Using Host-based IDS systems monitor
a host system and attempt to detect an intru-
sion. It also detects the effects or behavior of
malicious software rather then distinct signa-
tures of that software.

Table 1. Registry Access Records
There a new proposed Intrusion Detection
system using the Windows Registry by Apap
et al. Registry is important part of the op-
erating system and is very heavily used mak-
ing it a good source of audit data. By build-
ing a sensor on the registry and applying the
information gathered to an anomaly detec-
tor, it can detect activity that corresponds to
malicious software ( ).I considered that the
main advantages of monitoring the registry
is that activity is regular by nature can be
monitored with low computational overhead
and almost all system activities interact with
the registry. The important of registry that it
has characteristics to tends to be regular over
time. It makes registry an excellent place to
look for irregular, anomalous activity since a
malicious program may substantially depart
from normal activity and can be detected.
Implementation: Detecting malicious Soft-
ware by Monitoring Anomalous Windows
Registry Accesses by Apap et al. used an
anomaly detection algorithm for use in IDS
System and evaluates the performance. The
Registry is an effective data source to mon-
itor attacks because many attacks show up
as anomalous registry behavior. Many at-
tacks take advantage of operating system reg-
istry. Indeed, many intrusion attacks them-
6
selves rely on the registry of operating system
in order to function properly.
Some examples of malicious programs and
how they produce anomalous in registry ac-
tivity:
• Setup Trojan: It adds launched add fulls
read/write sharing access on the file sys-
tem of the host machine.
• Back Orifice 2000: This program opens
vulnerability on a host machine which
grants anyone with the back orifice client
program complete control over the host
machine.
• Aimrecover: It steals the passwords from
AOL users. Its accessing a key that usu-
ally is accessed by a different program
that created that key.
• Disable Norton: Exploitation of registry
that disables Norton Antivirus. It access
to key that was created by different pro-
gram.
• LophtCrack: Password cracking pro-
gram for Windows machine. It flaws
the Windows encryption scheme which
allows the program to discover some of
the characters of the passwords.
F. STORAGE ACTIVITY
The storage system is another interesting
vantage point for intrusion system. Several
intruders’ actions are quite visible at the stor-
age interface. Examples include manipulat-
ing system utilities, tampering with audit log
contents and resetting attributes. By design,
a storage server sees all changes to persistent
data allowing it to transparently watch sus-
picious changes and issues alerts about the
corresponding client systems [3].
Storage-based Intrusion Detection enables
storage devices to examine the request the
service for suspicious client behavior. I sug-
gest that storage IDS must be compromise in-
dependent of the host OS, meaning it cannot
be disabled by an intruder who only success-
fully gets past a hosts OS -level protection.
It can be embedded in many kinds of storage
systems and allows watching for data modifi-
cation characteristics of systems intrusions.
Figure 5.The compromise independence of a
storage IDS
In figure 5, shows the storage interface pro-
vides a physical boundaries behind which a
storage server can observe teh requests it is
asked to service.
Based on Adam et .al, there are four cate-
gories of warning signs that storage IDS can
monitor:
• Data/Attribute Modification: It will
managed computing environments, the
simplest category of warning signs con-
sists of data /metadata changes files
that administrators expect to remain un-
changed except during explicit upgrades.
• Update Patterns: It consists of suspi- variety of observable data to distinguish
cious access patterns (audit logs, times- between legitimate and illegitimate activi-
tamp reversal, DoS attacks) particularly ties. Using system-call data sets gener-
updates.
• Content Integrity: It includes of changes
that violate internal consistency rules of
specific files.
• Suspicious Content: Example of this is
virus or rootkit, detectable via signa-
tures. Other is hidden files and empty
files.
Implementation: Storage based intrusion
System may be embedded in an NFS server to
demonstrate both feasibility and efficiency of
storage-based intrusion detection. It is pro-
posed by Ganger et. al[3], that supports on-
line, ruled based detection of suspicious mod-
ifications. It supports the detection of four
categories of suspicious activities: it can de-
tect unexpected changes to system files and
binaries, it can detect patterns of changes like
non-append modification and reversing mode
of time, it can detect specifically restricted
content changes critical files and lastly. It can
detect the appearance of specific files names
or content.It also have two features combine
to make it a well positioned platform for
enhnacing intrusion detection efforts. first,
storage devices are independent of host OSes.
Second, it will comprise intruder action will
cause storage activity that can be captured
and analyzed.
However in this proposed system, it en-
compasses limitations and weaknesses. Like
any IDS, it will produce some false positives,
it will spot some intrusions because it can-
not contain notice intrusions whose actions
do not cause odd storage behavior and lastly
storage based intrusion detection is not free.
Checking rules comes with some cost in pro-
cessing and memory resources
G. SYSTEM CALLS
Intrusion detection systems rely on a wide
ated by several different programs.A sys-
7
tem calls is how a program requests a ser-
vice from an operating system’s kernel that
it does not normally have permission to
run. It provides the interface between pro-
cess and the operating system. In sequence
calls, there is anomaly signals are generated.
The sequence-based methods tend to produce
multiple mismatches even for a single mis-
placed system call, because that system call
affects multiple sequences [5].
There are many ways in which system call
data could be used to characterize normal be-
havior of programs, each of which involves
building or training a model using traces
of normal processes. Some of methods dis-
cussed by Forrest et al. are Enumerating Se-
quences, Frequency-based Methods, Hidden
Markov Model and Finite State Machines.
They compared four methods for characteriz-
ing normal behavior and detecting intrusions
based on system calls in privileged processes.
Each method was tested on the same suite
of data sets, consisting of different types of
programs and different intrusion techniques.
On this test suite, three of the four meth-
ods performed adequately. Hidden Markov
models, generally recognized as one of the
most powerful data modeling methods in ex-
istence [8]. However, I assume no one method
consistently gave the best results on all pro-
grams, and results between programs varied
more than results between methods. Vari-
ations in false positives were due more to
the complexity of the traced programs and
their environments than to differences in the
analysis methods. Implementation: Forrest
et al. introduced a simple intrusion detec-
tion method based on monitoring the sys-
tem calls used by active, privileged processes.
Each process is represented by its trace-the
ordered list of system calls used by that pro-
cess from the beginning of its execution to
the end. This work showed that a program’s
normal behavior could be characterized by lo-
8
cal patterns in its traces, and deviations from
these patterns could be used to identify secu-
rity violations of an executing process. There
are two important characteristics of the ap-
proach introduced in. First, it identifies a
simple observable (short sequences of system
calls) that distinguishes between normal and
intrusive behavior. Second, the method used
to analyze, or model, the sequences is also
much simpler than other proposals. It records
only the presence or absence of sequences;
it does not compute frequencies or distribu-
tions, or identify which sequences are most
important. In addition, they proposed ”The
Evolution of System-call Monitoring” illus-
trate how system call monitoring was used
in anomaly intrusion detection and response.
This system was sufficiently lightweight that
it could monitor all running programs in real-
time, and even respond to prevent attacks be-
fore they caused harm by using the normal
profile using short sequences of system calls
but it remains a fundamental technique un-
derlying many current projects and research.
Figure 6.Representing system call streams
Figure 6 shows some of these representa-
tions of possible ways to represent short se-
quences of system calls like lookahead pairs,
n-grams, trees, etc in the The Evolution of
System-call Monitoring.
References
[1] Apap, F. Detecting malicious software
by monitoring anomalous windows reg-
istry accesses. IEEE Security abd Privacy
(2002).

[2] Feng, H. Kolesnikov, O., and W.,

L. Anomaly detection using call stack
information. IEEE Security abd Privacy
(2003).

[3] Ganger, G. Storage-based intrusion

detection: Watching storage activity for
suspicious behavior. USENIX Security
(2002).

[4] Garg, A. Rahalkar, R., and K., K.

Profiling users in gui based systems for
masquerade detection. IEEE Workshop
on Information Assurance United States
Military Academy (2006).

[5] Ghosh, A. Learning program behavior

profiles for intrusion detection. USENIX
Security (1999).

[6] Kidd, T. Intrusion detection and infor-

mation security audits. IGI Global (2007).

[7] Lee, W. Stolfo, S., and Mok, K. A

data mining framework for building intru-
sion detection models. IEEE Transactions
on Evolutionary Computation (2002).

[8] Varghese, S. Anomaly detection using

system calls sequence sets. IEEE Security
abd Privacy (2007).