Masquerade mimicry attack detection: A randomised approach

A masquerader is an (often external) attacker who, after succeeding in obtaining a legitimate user's credentials, attempts to use the stolen identity to carry out malicious actions. Automatic detection of masquerading attacks is generally undertaken by approaching the problem from an anomaly detection perspective: a model of normal behaviour for each user is constructed and significant departures from it are identified as potential masquerading attempts. One potential vulnerability of these schemes lies in the fact that anomaly detection algorithms are generally susceptible to deception. In this work, we first investigate how a resourceful masquerader can successfully evade detection while still accomplishing his goals. For this, we introduce the concept of masquerade mimicry attacks, consisting of carefully constructed attacks that are not identified as anomalous. We then explore two different detection schemes to thwart such attacks. We first study the introduction of a blind randomisation strategy into a baseline anomaly detector. We then propose a more accurate algorithm, called Probabilistic Padding Identification (PPI) and based on the Kullback-Leibler divergence, which attempts to identify if a sufficiently anomalous attack is present within an apparently normal behavioural pattern. Our experimental results indicate that the PPI algorithm achieves considerably better detection quality than both blind randomised strategies and adversarial-unaware approaches. (C) 2011 Elsevier Ltd. All rights reserved.