TempatMDS: A Masquerade Detection System Based on Temporal and Spatial Analysis of File Access Records

2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications / 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE) (2018)

Abstract
The need to protect information stored on personal computers has prompted the development of masquerade detection systems (MDS), which raise an alert whenever they detect an anomaly in user behavior. Analyzing the audit log of local file accesses is an effective way to detect masqueraders. Because file contents are off limits for privacy reasons, most file-based detection algorithms focus on file paths. These methods either formulate the file paths as multiple local features and feed them into a classifier, or compare the current file paths with past ones. However, few works take file actions into account, such as delivering a file to an external drive. By contrast, in this paper we consider file actions and file paths simultaneously, and propose an MDS based on the temporal and spatial analysis of file access records (TempatMDS). On the one hand, spatial analysis concentrates on the file path and models the path relationships between files accessed in different periods of time, called sub-activities in this paper, as a file access network. Activity classes are then extracted from the network to indicate the user's assignments, and the anomaly score of a sub-activity is defined as negatively related to the closeness of the sub-activity to the activity class. On the other hand, under the assumption that the user usually accesses certain files, depending on current assignments, in a repetitive way, temporal analysis constructs file action sequences from sub-activities and formulates the anomaly score of a sub-activity as negatively related to the sequence occurrence probability. Finally, the ultimate detection result is determined by fusing the anomaly scores from the spatial and temporal analysis in a robust manner.
The effectiveness of TempatMDS is demonstrated by its excellent performance, in comparison with state-of-the-art methods, on a collected dataset comprising real file access records from 10 users in our lab and attack data simulated by impersonating the genuine user.
Keywords
masquerade detection, file access records analysis, user behavior modeling, anomaly detection, security
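
The two per-sub-activity scores described in the abstract, as an added illustration that is not the paper's code: it assumes a smoothed first-order transition model over an assumed action vocabulary for the sequence occurrence probability, takes the activity classes as given directory sets instead of extracting them from a file access network, and leaves out the fusion step. All function names, paths and sample data are constructed.

```python
import math
from collections import Counter, defaultdict
from pathlib import PurePosixPath

ACTIONS = ["open", "write", "rename", "delete", "copy_to_external"]  # assumed vocabulary

def train_transitions(history, alpha=1.0):
    """Smoothed first-order model P(next action | previous action) from past sub-activities."""
    counts = defaultdict(Counter)
    for seq in history:
        for prev, nxt in zip(["<start>"] + seq, seq):
            counts[prev][nxt] += 1
    def prob(prev, nxt):
        row = counts[prev]
        return (row[nxt] + alpha) / (sum(row.values()) + alpha * len(ACTIONS))
    return prob

def temporal_score(prob, seq):
    """Mean negative log-probability per action; rises as the sequence gets less likely."""
    if not seq:
        return 0.0
    return -sum(math.log(prob(p, n)) for p, n in zip(["<start>"] + seq, seq)) / len(seq)

def spatial_score(paths, activity_classes):
    """1 - closeness; closeness is the best share of files lying in one class's directories."""
    if not paths:
        return 0.0
    parents = [str(PurePosixPath(p).parent) for p in paths]
    closeness = max(sum(d in cls for d in parents) / len(parents) for cls in activity_classes)
    return 1.0 - closeness

# Constructed sample data (not from the paper's dataset).
HISTORY = [["open", "write", "open", "write"], ["open", "write", "rename"], ["open", "open", "write"]]
CLASSES = [{"/home/u/thesis", "/home/u/thesis/figs"}, {"/home/u/code/mds"}]
NORMAL = (["open", "write", "open", "write"],
          ["/home/u/thesis/ch1.tex", "/home/u/thesis/figs/a.png"])
SUSPECT = (["open", "copy_to_external", "open", "copy_to_external"],
           ["/home/u/finance/tax.xlsx", "/home/u/thesis/ch1.tex"])

if __name__ == "__main__":
    model = train_transitions(HISTORY)
    for name, (actions, paths) in {"normal": NORMAL, "suspect": SUSPECT}.items():
        print(name, round(temporal_score(model, actions), 3),
              round(spatial_score(paths, CLASSES), 3))
```
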