Abstract
Remote access to distributed hyper-linked information proves to be one of
the killer applications for computer networks. More and more content in
current inter- and intranets is available as hyper-data, a form easing
its distribution and semantic organization.
In the framework of the Internet's Web-Portals and Pay-Sites,
mechanisms for login based on username and password enable the
dynamic customization as well as partial protection of the content.
In other applications (e.g. commercial intranets) various
similar schemes of authentication are deployed.
Nevertheless, stolen passwords are an easy avenue to identity theft, in
both public and commercial data networks. Once a perpetrator enters a
system, assuming an authorized user's identity, the task of actually
detecting this intrusion becomes non-trivial and is often ignored completely.
Thus, in addition to the initial authentication step we propose a runtime
intrusion detection mechanism, required to maintain a virtually continuous
user authentication process and detect identity theft and password misuse.
The current paper focuses on designing a pervasive intrusion detection
method for hyper-data systems, based on training on and analyzing access
patterns to hyper-linked data, aiming at detecting intruders and raising a
red flag at the content provider's side. Our solution is based on a new
technique, on-the-fly adaptive training for normality on streams of data
access patterns. This enables runtime intrusion detection through analysis
of correlations between current patterns and the adaptive past-knowledge.
Such a method is to be used in conjunction with current username-password
protection schemes.
We introduce the motivation behind our solution, discuss
the novel detection and training metrics and propose a real-life
deployment design. We implement the main algorithm and perform
experiments for assessing its intrusion detection ability, with
very encouraging results. We also discuss the deployment of our
method for detecting automatic spam-bot accesses.