Open Access  Subscription or Fee Access

Knowledge about computer users is very beneficial for assisting them, predicting their future actions or detecting masqueraders. In this paper, a new approach for creating and recognizing automatically the behavior profile of a computer user is presented. In this case, a computer user behavior is represented as the sequence of the commands she/he types during her/his work. This sequence is transformed into a distribution of relevant subsequences of commands in order to find out a profile that defines its behavior. Also, because a user profile is not necessarily fixed but rather it evolves/changes, we propose an evolving method to keep up to date the created profiles using an Evolving Systems approach. In this paper, we combine the evolving classifier with a trie-based user profiling to obtain a powerful self-learning online scheme. We also develop further the recursive formula of the potential of a data point to become a cluster center using cosine distance, which is provided in the Appendix. The novel approach proposed in this paper can be applicable to any problem of dynamic/evolving user behavior modeling where it can be represented as a sequence of actions or events. It has been evaluated on several real data streams.

User Behavior Profiles, Masqueraders, Command Interrupter

D. Godoy and A. Amandi, “User Profiling in Personal Information Agents: A Survey,” Knowledge Eng. Rev., vol. 20, no. 4, pp. 329-361, 2005.

J.A. Iglesias, A. Ledezma, and A. Sanchis, “Creating User Profiles from a Command-Line Interface: A Statistical Approach,” Proc. Int’l Conf. User Modeling, Adaptation, and Personalization (UMAP), pp. 90-101, 2009.

M. Schonlau, W. Dumouchel, W.H. Ju, A.F. Karr, and Theus, “Computer Intrusion: Detecting Masquerades,” Statistical Science, vol. 16, pp. 58-74, 2001.

R.A. Maxion and T.N. Townsend, “Masquerade Detection Using Truncated Command Lines,” Proc. Int’l Conf. Dependable Systems and Networks (DSN), pp. 219-228, 2002.

A. Alaniz-Macedo, K.N. Truong, J.A. Camacho-Guerrero, and M. Graca-Pimentel, “Automatically Sharing Web Experiences through a Hyperdocument Recommender System,” Proc. ACM Conf. Hypertext and Hypermedia (HYPERTEXT ’03), pp. 48-56, 2003.

D.L. Pepyne, J. Hu, and W. Gong, “User Profiling for Computer Security,” Proc. Am. Control Conf., pp. 982-987, 2004.

D. Godoy and A. Amandi, “User Profiling for Web Page Filtering,” IEEE Internet Computing, vol. 9, no. 4, pp. 56-64, July/ Aug. 2005.

J. Anderson, Learning and Memory: An Integrated Approach. John Wiley and Sons, 1995.

Y. Horman and G.A. Kaminka, “Removing Biases in Unsuper-vised Learning of Sequential Patterns,” Intelligent Data Analysis, vol. 11, no. 5, pp. 457-480, 2007.

T. Lane and C.E. Brodley, “Temporal Sequence Learning and Data Reduction for Anomaly Detection,” Proc. ACM Conf. Computer and Comm. Security (CCS), pp. 150-158, 1998.

S.E. Coull, J.W. Branch, B.K. Szymanski, and E. Breimer, “Intrusion Detection: A Bioinformatics Approach,” Proc. Ann. Computer Security Applications Conf. pp. 24-33, 2003.

P. Angelov and X. Zhou, “Evolving Fuzzy Rule-Based Classifiers from Data Streams,” IEEE Trans. Fuzzy Systems: Special Issue on Evolving Fuzzy Systems, vol. 16, no. 6, pp. 1462-1475, Dec. 2008.

M. Panda and M.R. Patra, “A Comparative Study of Data Mining Algorithms for Network Intrusion Detection,” Proc. Int’l Conf. Emerging Trends in Eng, pp. 504-507, 2008.

A. Cufoglu, M. Lohi, and K. Madani, “A Comparative Study of Selected Classifiers with Classification Accuracy in User Profil-ing,” Proc. WRI World Congress on Computer Science and Information Eng. (CSIE), pp. 708-712, 2009.

R. Polikar, L. Upda, S.S. Upda, and V. Honavar, “Learn++: An Incremental Learning Algorithm for Supervised Neural Net-works,” IEEE Trans. Systems, Man and Cybernetics, Part C (Applications and Rev.), vol. 31, no. 4, pp. 497-508, http:// dx.doi.org/10.1109/5326.983933, Nov. 2001.

D. Kalles and T. Morris, “Efficient Incremental Induction of Decision Trees,” Machine Learning, vol. 24, no. 3, pp. 231-242, 1996.

F.J. Ferrer-Troyano, J.S. Aguilar-Ruiz, and J.C.R. Santos, “Data Streams Classification by Incremental Rule Learning with Para-meterized Generalization,” Proc. ACM Symp. Applied Computing (SAC), pp. 657-661, 2006.

J.C. Schlimmer and D.H. Fisher, “A Case Study of Incremental Concept Induction,” Proc. Fifth Nat’l Conf. Artificial Intelligence (AAAI), pp. 496-501, 1986.

P.E. Utgoff, “Id5: An Incremental Id3,” Proc. Int’l Conf. Machine Learning, pp. 107-120, 1988.

P.E. Utgoff, “Incremental Induction of Decision Trees,” Machine Learning, vol. 4, no. 2, pp. 161-186, 1989.

G.A. Carpenter, S. Grossberg, and D.B. Rosen, “Art2-a: An Adaptive Resonance Algorithm for Rapid Category Learning and Recognition,” Neural Networks, vol. 4, pp. 493-504, 1991.

G.A. Carpenter, S. Grossberg, N. Markuzon, J.H. Reynolds, and D.B. Rosen, “Fuzzy Artmap: A Neural Network Architecture for Incremental Supervised Learning of Analog Multidimensional Maps,” IEEE Trans. Neural Networks, vol. 3, no. 5, pp. 698-713, Sept. 1992.

N. Kasabov, “Evolving Fuzzy Neural Networks for Supervised/ Unsupervised Online Knowledge-Based Learning,” IEEE Trans. Systems, Man and Cybernetics—Part B: Cybernetics, vol. 31, no. 6, 902-918, Dec. 2001.

T. Seipone and J.A. Bullinaria, “Evolving Improved Incremental Learning Schemes for Neural Network Systems,” Proc. IEEE Congress on Evolutionary Computation, pp. 2002-2009, 2005.

T. Kohonen, J. Kangas, J. Laaksonen, and K. Torkkola, “Lvq pak: A Program Package for the Correct Application of Learning Vector Quantization Algorithms,” Proc. IEEE Int’l Conf. Neural Networks, 725-730, 1992.

F. Poirier and A. Ferrieux, “Dvq: Dynamic Vector Quantization —An Incremental Lvq,” Proc. Int’l Conf. Artificial Neural Networks, 1333-1336, 1991.

R.K. Agrawal and R. Bala, “Incremental Bayesian Classification for Multivariate Normal Distribution Data,” Pattern Recognition Letters, vol. 29, no. 13, pp. 1873-1876, http://dx.doi.org/10.1016/ j.patrec.2008.06.010, 2008.

K. M, A. Chai, H.L. Chieu, and H.T. Ng, “Bayesian Online Classifiers for Text Classification and Filtering,” Proc. Int’l Conf. Research and Development in Information Retrieval (SIGIR), pp. 97-104, 2002.

R. Xiao, J. Wang, and F. Zhang, “An Approach to Incremental SVM Learning Algorithm,” Proc. IEEE Int’l Conf. Tools with Artificial Intelligence, pp. 268-278, 2000.

G. Widmer and M. Kubat, “Learning in the Presence of Concept Drift and Hidden Contexts,” Machine Learning, vol. 23, pp. 69-101, 1996.

a P. Riley and M.M. Veloso, “On Behavior Classification in Adversarial Environments,” Proc. Int’l Symp. Distributed Autono-mous Robotic Systems (DARS), pp. 371-380, 2000.

E. Fredkin, “Trie Memory,” Comm. ACM, vol. 3, no. 9, pp. 490-499, 1960.

J.A. Iglesias, A. Ledezma, and A. Sanchis, “Sequence Classifica-tion Using Statistical Pattern Recognition,” Proc. Int’l Conf. Intelligent Data Analysis (IDA), pp. 207-218, 2007.

G.A. Kaminka, M. Fidanboylu, A. Chang, and M.M. Veloso, “Learning the Sequential Coordinated Behavior of Teams from Observations,” Proc. RoboCup Symp., pp. 111-125, 2002.

J.A. Iglesias, A. Ledezma, and A. Sanchis, “A Comparing Method of Two Team Behaviours in the Simulation Coach Competition,” Proc. Int’l Conf. Modeling Decisions for Artificial Intelligence (MDAI), 117-128, 2006.

R. Agrawal and R. Srikant, “Mining Sequential Patterns,” Proc. Int’l Conf. Data Eng., pp. 3-14, 1995.