Implementing an Anomaly-Based Intrusion Detection System: Focus on Internal Threat – Masquerade Attacks
John Tucker, Matthew K. Coughlan, Thomas Nelson, Benjamin Klimkowski
Abstract
Intrusion Detection Systems (IDS) are systems that detect actions on a network that attempt to compromise the
confidentiality, integrity, or availability of a resource (Berge). In this research, we attempt to study anomaly-based
IDSs. This project will attempt to determine an optimal method for detecting internal attacks. Anomaly-based
IDSs rely upon the ability to detect a significant difference in activity on a network during an attack from the
normal activity. A key task for this research will be creating a baseline model of the normal activity of users on a
network based upon our “training” data. After we achieve a baseline model, we will then test our model on data
that contains possible intrusions. The internal threat portion of the paper will focus on modeling user activity in
order to detect attacks, specifically masquerade attacks. Masquerade attacks are “attacks in which one system
entity illegitimately poses as another entity” (Berge).