This type of attack is also called an unauthorized attack, where the intruder successfully logs in using a legitimate user name and password and tries to misuse the resources of the system. This type of attack is detected by some IDSs using anomaly-based detection techniques like the cluster data mining technique, neural networks or sometimes expert systems.
I read that OSSEC uses the log mining technique to combine data mining and log analysis techniques, but my question is whether OSSEC, using this technique, can discover these masquerading attacks or not. I did not find any complete technical details in the OSSEC documentation for the log mining technique. They explain how we can use it, but without explaining how it works exactly. If anyone has any documents, please send the link here.
Thanks,
Hesham
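As an added illustration of the anomaly-based approach the question describes (this is example code, not OSSEC's own log analysis and not something from the poster), the script below builds a per-user baseline from accepted-login lines and flags later logins that deviate from it on more than one attribute. The log format, user names, addresses and timestamps are all constructed for the example; a masquerader using a valid account is visible here only because the session's source address and time fall outside the account's normal profile, which is exactly the signal a credential-only check cannot see.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches an OpenSSH "Accepted ..." line with a constructed, ISO-style timestamp
# (assumed format for this example; real syslog timestamps differ by platform).
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: '
    r'Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+'
)


def parse(line):
    """Return {'ts', 'user', 'ip', 'hour'} for an accepted-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
    return {'ts': ts, 'user': m['user'], 'ip': m['ip'], 'hour': ts.hour}


def build_profiles(lines):
    """Per-user baseline: known source IPs, earliest/latest login hour, event count."""
    profiles = defaultdict(
        lambda: {'ips': set(), 'min_hour': 24, 'max_hour': -1, 'count': 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        p = profiles[ev['user']]
        p['ips'].add(ev['ip'])
        p['min_hour'] = min(p['min_hour'], ev['hour'])
        p['max_hour'] = max(p['max_hour'], ev['hour'])
        p['count'] += 1
    return dict(profiles)


def score(ev, profiles, min_history=5):
    """Count the baseline attributes this login deviates from, with reasons.

    Accounts with fewer than min_history prior logins get no score: an
    anomaly detector with no baseline can only produce noise.
    """
    p = profiles.get(ev['user'])
    if p is None or p['count'] < min_history:
        return 0, ['no baseline for user']
    reasons = []
    if ev['ip'] not in p['ips']:
        reasons.append('new source ip')
    if not p['min_hour'] <= ev['hour'] <= p['max_hour']:
        reasons.append('outside usual hours')
    return len(reasons), reasons


def detect(lines, profiles, threshold=2):
    """Return (user, ip, reasons) for logins deviating on >= threshold attributes."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        s, reasons = score(ev, profiles)
        if s >= threshold:
            alerts.append((ev['user'], ev['ip'], reasons))
    return alerts


def _mk(ts, user, ip):
    return f"{ts} sshd[1201]: Accepted publickey for {user} from {ip} port 50122 ssh2"


# Constructed training window: alice works 08-17h from two office hosts,
# bob 10-16h from one host.
TRAIN = [_mk(ts, u, ip) for ts, u, ip in [
    ("2024-03-04 09:02:11", "alice", "10.0.0.5"), ("2024-03-04 13:40:02", "alice", "10.0.0.5"),
    ("2024-03-05 08:55:19", "alice", "10.0.0.5"), ("2024-03-05 17:01:44", "alice", "10.0.0.6"),
    ("2024-03-06 09:10:00", "alice", "10.0.0.5"), ("2024-03-06 12:30:37", "alice", "10.0.0.5"),
    ("2024-03-04 10:12:03", "bob", "10.0.0.7"), ("2024-03-05 11:05:55", "bob", "10.0.0.7"),
    ("2024-03-05 16:20:10", "bob", "10.0.0.7"), ("2024-03-06 10:48:29", "bob", "10.0.0.7"),
    ("2024-03-06 15:33:01", "bob", "10.0.0.7"),
]]

# Constructed events to score: a normal alice login, a valid-credential login
# for alice at 03:12 from an unseen address, a late bob login, and an account
# with no history.
TEST = [
    _mk("2024-03-07 14:05:12", "alice", "10.0.0.5"),
    _mk("2024-03-07 03:12:45", "alice", "203.0.113.9"),
    _mk("2024-03-07 22:10:00", "bob", "10.0.0.7"),
    _mk("2024-03-07 11:00:00", "mallory", "10.0.0.9"),
]

if __name__ == "__main__":
    profiles = build_profiles(TRAIN)
    for user, ip, reasons in detect(TEST, profiles):
        print(f"ALERT {user} from {ip}: {', '.join(reasons)}")
```

Only the 03:12 login from 203.0.113.9 crosses the two-attribute threshold; bob's 22:10 login deviates on one attribute and is logged as a weaker signal rather than an alert. The baseline here is deliberately simple (a set of addresses and an hour range); a production profile would use frequency counts per attribute, decay old observations, and add further dimensions such as commands run or data volume after login, since a masquerader's behaviour inside the session is often more telling than the login itself.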
