Account Profiling with UNIX commands

David R Landry (dlandry@afit.af.mil)
Wed, 31 Aug 1994 13:49:19 -0400

> Anyone have any thoughts on how to build an account profile so that a sudden
> change in behaviour will be obvious?


I am working on profiling users based on their use of certain commands.
The input to my program is logs based on the lastcomm command such as:

rusers       X dlandry  ttyp0      0.16 secs Thu Aug 25 18:47
mps            dlandry  ttyp0      0.14 secs Thu Aug 25 18:47
rn             dlandry  ttyp0      1.16 secs Thu Aug 25 18:42


My output after processing the logs looks like this:

--------------------------------------------------------------- 
  username  Com Unix1 Unix2 Mail News Info Ed Pro Int  HAR BAD  
--------------------------------------------------------------- 
     user1   X    X           X                X   X         
     user2   X                                     X         
     user3   X    X     X     X        X    X  X   X         
     user4   X    X                            X   X         
     user5   X    X     X     X                              
--------------------------------------------------------------

Com indicates commonly used UNIX commands / programs such as sh and csh.
Unix1 indicates use of commands such as mv, cp.
Unix2 indicates use of commands such as awk, find.
Mail indicates use of any mailing tools.
News indicates use of any news group readers.
Ed indicates use of the editors vi or emacs.
Pro indicates use of programming languages such as c++, cc.
Int indicates use of internet commands such as telnet, ftp, etc.
HAR and BAD look for specific attack signature related commands.

After comparing two weeks of data, 83% of the users had the exact same
profile or a subset of their profile.  The others added a category or two,
indicating their profile was not complete or "a possible intrusion."

I realize this is a very primitive method of security and many systems
out there (IDES, NIDES, DIDS, Haystack) are light years beyond this 
in statistically analyzing users.  I also realize that most system
administrators do not have these tools.

My question to the intrusion group is this: am I going in a valid
direction?  Are you all thinking "yeah, that's kind of neat" or
"we did that about 10 years ago"?
Do investigations into user profiling still need to be done?
Have all the problems been solved in this area?

I am very familiar with the IDSs out there; I would just like a
response as to what areas need more research and development.

--------------------------------------
2LT David R. Landry
Graduate Student, AI/Computer Security
Air Force Institute of Technology
dlandry@afit.af.mil
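A small Python re-implementation of the approach described in the post above, added here as an example (it is not the author's program): it parses lastcomm-style lines, builds the per-user category profile, and reports users whose second-period profile is not a subset of the first. The category membership table is an assumption, since the post only names a few commands per column.

```python
import re
# Command -> category table. The post names only a few commands per column,
# so this membership is an assumption; extend it for your own site.
CATEGORIES = {
    "Com": {"sh", "csh", "ls"}, "Unix1": {"mv", "cp", "rm"},
    "Unix2": {"awk", "find", "sed"}, "Mail": {"mail", "elm", "pine"},
    "News": {"rn", "trn", "nn"}, "Ed": {"vi", "emacs"},
    "Pro": {"cc", "c++", "gcc"}, "Int": {"telnet", "ftp", "rlogin", "rusers"},
}
# lastcomm line: command, optional uppercase flag letters (e.g. X), user, tty,
# "N.NN secs", start time. Assumes lowercase usernames so flags are unambiguous.
LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?:[A-Z]+\s+)?(?P<user>\S+)\s+\S+\s+[\d.]+ secs\s+.+$")

def parse_lastcomm(text):
    """Yield (user, command) pairs; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LASTCOMM_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("cmd")

def build_profiles(text):
    """Map each user to the set of categories their commands fall into."""
    profiles = {}
    for user, cmd in parse_lastcomm(text):
        for cat, members in CATEGORIES.items():
            if cmd in members:
                profiles.setdefault(user, set()).add(cat)
    return profiles

def profile_changes(baseline_text, current_text):
    """Users whose current profile is not a subset of their baseline, mapped to
    the categories that appeared; a user absent from the baseline is all-new."""
    baseline = build_profiles(baseline_text)
    changes = {}
    for user, cats in build_profiles(current_text).items():
        new = cats - baseline.get(user, set())
        if new:
            changes[user] = new
    return changes
# Constructed sample logs (the first three lines are the ones from the post).
WEEK1 = """\
rusers       X dlandry  ttyp0      0.16 secs Thu Aug 25 18:47
mps            dlandry  ttyp0      0.14 secs Thu Aug 25 18:47
rn             dlandry  ttyp0      1.16 secs Thu Aug 25 18:42
sh             user2    ttyp1      0.05 secs Thu Aug 25 18:40
"""
WEEK2 = """\
rn             dlandry  ttyp0      0.90 secs Thu Sep  1 09:02
cc             dlandry  ttyp0      2.31 secs Thu Sep  1 09:05
sh             user2    ttyp1      0.05 secs Thu Sep  1 09:00
"""
```

Running `profile_changes(WEEK1, WEEK2)` flags dlandry for the new "Pro" category, while user2, whose second week is a subset of the first, is not reported.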