A first step toward detecting SSH identity theft in HPC cluster environments: discriminating masqueraders based on command behavior
Cardiff, Wales, UK May 09-May 12
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CCGRID.2005.1558542
Fifth IEEE International Symposium on ...
W. Yurcik, Nat. Center for Supercomput. Applications, Illinois Univ., Urbana-Champaign, IL, USA
Chao Liu, Nat. Center for Supercomput. Applications, Illinois Univ., Urbana-Champaign, IL, USA
Recent attacks enabled by stolen authentication passwords and keys have allowed intruders to masquerade as legitimate users on high performance computing clusters. With the motivation of detecting masqueraders on clusters, this work seeks to discriminate different types of users based on their command behavior - in particular, user command behavior on a multi-user public machine versus user command behavior on a high performance computing cluster. Our intuition is that these users act differently and the unique high performance cluster environment is constrained such that command behavior discrimination is enhanced versus enterprise environments. We formalize this into a classification problem to be solved by a support vector machine with TF-IDF feature construction techniques from the field of Information Retrieval. We present results showing the effectiveness of this approach exhibiting high precision depending on the length of monitoring in both time and number of commands. In particular we show that as few as 10 commands may be enough to recognize a masquerading attacker on a high performance computing cluster.
Citation:
W. Yurcik, Chao Liu, "A first step toward detecting SSH identity theft in HPC cluster environments: discriminating masqueraders based on command behavior," ccgrid, vol. 1, pp.111-120, Fifth IEEE International Symposium on Cluster Computing and the Grid (CCGrid'05) - Volume 1, 2005
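The classification setup the abstract describes (TF-IDF features over windows of commands, fed to a support vector machine) can be sketched as follows. This is an added example, not the authors' code: the command windows are constructed, and a bias-free linear SVM trained with Pegasos-style updates is assumed in place of whatever SVM configuration the paper used.

```python
import math
from collections import Counter

# Constructed 10-command windows (not data from the paper).
HPC = ["qsub qstat mpirun qstat qdel module make mpicc qsub qstat",
       "module mpicc make qsub qstat qstat scp mpirun qstat qdel",
       "qstat qsub mpirun tail qstat module make qsub qstat ls"]
PUBLIC = ["ls cd vi mail ls cat grep man ls cd",
          "mail ls vi gcc ls cd cat lpr finger ls",
          "cd ls cat vi man grep ls mail who ls"]

def fit_idf(docs):
    """Smoothed inverse document frequency per command name."""
    df = Counter(t for d in docs for t in set(d.split()))
    return {t: math.log((1 + len(docs)) / (1 + c)) + 1 for t, c in df.items()}

def tfidf(window, idf):
    """L2-normalised TF-IDF vector; commands unseen in training are dropped."""
    tf = Counter(t for t in window.split() if t in idf)
    vec = {t: c * idf[t] for t, c in tf.items()}
    norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
    return {t: v / norm for t, v in vec.items()}

def train_svm(X, y, lam=0.01, epochs=200):
    """Linear SVM without bias, fitted by Pegasos-style hinge-loss descent."""
    w, t = {}, 0
    for _ in range(epochs):
        for x, label in zip(X, y):
            t += 1
            margin = label * sum(w.get(k, 0.0) * v for k, v in x.items())
            for k in w:
                w[k] *= 1 - 1.0 / t          # regularisation shrink
            if margin < 1:                   # hinge loss active: move toward x
                for k, v in x.items():
                    w[k] = w.get(k, 0.0) + label * v / (lam * t)
    return w

IDF = fit_idf(HPC + PUBLIC)
W = train_svm([tfidf(d, IDF) for d in HPC + PUBLIC], [1] * 3 + [-1] * 3)

def score(window):
    """> 0: matches the HPC profile; < 0: matches the public-machine profile."""
    return sum(W.get(k, 0.0) * v for k, v in tfidf(window, IDF).items())

def is_masquerader(window):
    """Flag a window seen on an HPC account that does not fit the HPC profile."""
    return score(window) < 0
```

In practice the windows would come from per-session command logs on the cluster, and the decision threshold would be tuned against the false-positive rate the operations team can tolerate.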