The Windows-Users and -Intruder simulations Logs dataset (WUIL): An experimental framework for masquerade detection mechanisms

We introduce a new masquerade dataset, called Windows-Users and -Intruder simulations Logs (WUIL), which, unlike existing datasets, involves more faithful masquerade attempts. While building WUIL, we have worked under the hypothesis that the way in which a user navigates her file system structure can neatly separate a masquerade attack. Thus, departing from standard practice, we state that it is not a user action, but the object upon which the action is carried out what distinguishes user participation. We shall argue that this approach, based on file system navigation provides a richer means, and at a higher-level of abstraction, for building novel models for masquerade detection. We shall devote an important part of this paper to describe WUIL's content: what information about user activity is stored and how it is represented; prominent characteristics of the participant users; the kinds of masquerade attacks to be timely detected; and the way they have been simulated. We shall argue that WUIL provides reliable data for experimenting on close to real-life instances of masquerade detection, as well as for conducting fair comparisons on rival detection mechanisms, hoping it will be of use to the research community. As a side contribution of this paper, we use WUIL to conduct a simple comparison of two masquerade detection methods: one based on SVM, and the other based on KNN. While this comparison experiment is not central to the paper, we expect it to motivate research exploring deeper the masquerade detection problem, and spreading the use of WUIL. In a similar vein, we provide directions for further research, hinting on how to use the features contained in WUIL, and hoping others would find them appealing. (C) 2013 Elsevier Ltd. All rights reserved.