Search for: All records

When a cyberattack occurs, tracking the attack back to an actual individual person can be problematic. Even identifying the workstation or device that it originated from does not necessarily identify the attacker, as the attacking device could, itself, be compromised. A system to determine whether activities that occur are from the same user or not facilitates forensic analysis as well as the detection of concurrent attacks from different devices by the same user. This paper proposes a system for identifying attackers based on behaviors expressed via their use of the Bash command line interface, the most common shell on Linux distributions. Prior systems were limited by issues such as requiring labeled user data which is difficult to acquire or not being specific enough to monitor individual persons. The approach proposed herein does not require labeled data and is specific enough to target individual users. The proposed system analyzes the level of variance between commands used and calculates an anomaly score for each given command. It uses these anomaly scores to compare Bash history sets together to identify if they were created by the same user. © 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.