Fuzzy approach for intrusion detection based on user’s commands

The article concerns the problem of detecting masqueraders in computer systems. A masquerader in a computer system is an intruder who pretends to be a legitimate user in order to gain access to protected resources. The article presents an intrusion detection method based on a fuzzy approach. Two types of user’s activity profiles are proposed along with the corresponding data structures. The solution analyzes the activity of the computer user in a relatively short period of time, building a user’s profile. The profile is based on the most recent activity of the user, therefore, it is named the local profile. Further analysis involves creating a more general structure based on a defined number of local profiles of one user, called the fuzzy profile. It represents a generalized behavior of the computer system user. The fuzzy profiles are used directly to detect abnormalities in users’ behavior, and thus possible intrusions. The proposed solution is prepared to be able to create user’s profiles based on any countable features derived from user’s actions in computer system (i.e., used commands, mouse and keyboard data, requested network resources). The presented method was tested using one of the commonly available standard intrusion data sets containing command names executed by users of a Unix system. Therefore, the obtained results can be compared with other approaches. The results of the experiments have shown that the method presented in this article is comparable with the best intrusion detection methods, tested with the same data set, in the matter of the obtained results. The proposed solution is characterized by a very low computational complexity, which has been confirmed by experimental results.