Clustering-Based Cyber Situational Awareness: A Practical Approach for Masquerade Attack Detection

Nelva N. Almanza-Ortega
Joaquin Perez-Ortega
Sergio M. Martinez-Monterrubio
Juan Recio-Garcia

Abstract

Cyber Situational Awareness (CSA) is crucial for detecting and mitigating security threats in evolving digital environments. Traditional intrusion detection systems face challenges of computational efficiency, scalability, and interpretability, particularly when detecting masquerade attacks, in which an attacker mimics the behaviour of a legitimate user. This exploratory study presents a preliminary investigation of a clustering-based approach that integrates OK-Means, an optimized variant of K-Means, with k-Nearest Neighbors (k-NN) to improve intrusion detection. The approach is evaluated on the Windows-Users and Intruder Simulations Logs (WUIL) dataset to assess its feasibility and preliminary performance. Experimental results suggest that the method can reach up to 99% recall in masquerade attack detection while reducing execution time by 85% compared with a conventional k-NN classifier. In addition, explainability mechanisms such as clustering visualization and attack introspection tools give security analysts interpretable insight into the system's decisions. As an initial exploration, the study offers early-stage insights into clustering-based CSA methods and lays the groundwork for future research. The findings suggest that the approach can be developed further and extended to other cybersecurity domains, such as phishing and malware detection, contributing to AI-driven security frameworks.
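The abstract does not say how OK-Means and k-NN are combined, nor how the 85% reduction in execution time arises. The example below is added here and is not the authors' code: it shows one common way of pairing the two techniques, in which k-means partitions the training sessions and each query is classified by k-NN over the members of its nearest cluster only, so the number of distance computations per query drops from the whole training set to roughly one cluster. It also makes visible the caveat a practitioner should check: cluster-restricted search is approximate, and a query near a cluster boundary can miss true neighbours that sit in an adjacent cluster, so exact and restricted predictions should be compared on held-out data. Everything named here is an assumption: plain Lloyd's k-means with farthest-first seeding stands in for OK-Means, whose details are not on this page; the four-feature session vectors and their labels are constructed, not WUIL data; the profile centres, noise range, seed, `k=5` and `n_clusters=4` are arbitrary choices.

```python
"""Cluster-then-kNN masquerade detection on constructed session feature vectors.

Added example, not the paper's code. Assumptions: Lloyd's k-means with
farthest-first seeding stands in for OK-Means (not described on this page);
the clustering restricts the k-NN search to the nearest cluster's members,
one common way to combine the two; all data below is constructed, not WUIL.
"""
import random
from collections import Counter

MASQ, LEGIT = 1, 0


def make_sessions(seed=7, per_profile=60):
    """Constructed per-session features: (files opened, dirs visited, renames, deletes).
    Three legitimate user profiles plus one masquerader profile; labels are constructed."""
    rng = random.Random(seed)
    profiles = [
        ((2.0, 8.0, 1.0, 1.0), LEGIT),
        ((8.0, 2.0, 1.0, 1.0), LEGIT),
        ((5.0, 5.0, 8.0, 1.0), LEGIT),
        ((1.0, 1.0, 9.0, 9.0), MASQ),  # bulk renames/deletes: assumed masquerade signal
    ]
    data = []
    for centre, label in profiles:
        for _ in range(per_profile):
            data.append((tuple(c + rng.uniform(-0.8, 0.8) for c in centre), label))
    rng.shuffle(data)
    return data


class DistanceCounter:
    """Squared Euclidean distance that counts how often it is evaluated."""
    def __init__(self):
        self.calls = 0

    def sq(self, a, b):
        self.calls += 1
        return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, dist, iters=20):
    """Lloyd's k-means. Seeds are chosen farthest-first (Gonzalez), so for
    well-separated groups each seed lands in a different group deterministically."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist.sq(p, c) for c in centroids)))
    assign = None
    for _ in range(iters):
        new_assign = [min(range(k), key=lambda j: dist.sq(p, centroids[j])) for p in points]
        if new_assign == assign:
            break  # assignments stable: converged
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:  # an empty cluster keeps its old centroid
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return centroids, assign


def knn_vote(query, candidates, k, dist):
    """Majority label among the k nearest labelled candidates (exact search)."""
    nearest = sorted(candidates, key=lambda pl: dist.sq(query, pl[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


class ClusteredKNN:
    """k-NN restricted to the members of the query's nearest cluster."""
    def __init__(self, train, n_clusters, k, dist):
        self.k, self.dist = k, dist
        self.centroids, assign = kmeans([v for v, _ in train], n_clusters, dist)
        self.buckets = [[] for _ in self.centroids]
        for sample, a in zip(train, assign):
            self.buckets[a].append(sample)

    def predict(self, query):
        j = min(range(len(self.centroids)), key=lambda i: self.dist.sq(query, self.centroids[i]))
        return knn_vote(query, self.buckets[j], self.k, self.dist)


def evaluate(predict, test):
    """Return (recall on masquerade sessions, false positives on legitimate ones, predictions)."""
    tp = fn = fp = 0
    preds = []
    for vec, label in test:
        pred = predict(vec)
        preds.append(pred)
        if label == MASQ:
            tp, fn = (tp + 1, fn) if pred == MASQ else (tp, fn + 1)
        elif pred == MASQ:
            fp += 1
    recall = tp / (tp + fn) if tp + fn else 0.0
    return recall, fp, preds


def compare(seed=7, k=5, n_clusters=4):
    """Exact k-NN versus cluster-restricted k-NN: detection quality and distance cost."""
    data = make_sessions(seed)
    split = int(0.7 * len(data))
    train, test = data[:split], data[split:]
    brute = DistanceCounter()
    r_b, fp_b, p_b = evaluate(lambda q: knn_vote(q, train, k, brute), test)
    clustered = DistanceCounter()
    model = ClusteredKNN(train, n_clusters, k, clustered)
    train_cost = clustered.calls  # one-off cost of building the clusters
    r_c, fp_c, p_c = evaluate(model.predict, test)
    return {
        "recall_exact": r_b, "fp_exact": fp_b,
        "recall_clustered": r_c, "fp_clustered": fp_c,
        "distances_exact": brute.calls,
        "distances_clustered_query": clustered.calls - train_cost,
        "distances_clustered_train": train_cost,
        "disagreements": sum(a != b for a, b in zip(p_b, p_c)),  # boundary-miss check
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On this constructed, well-separated data both classifiers reach full recall with no false positives and never disagree, while the per-query distance count of the restricted search falls to roughly a quarter of the exact search (one centroid comparison per cluster plus one cluster's members instead of the whole training set). The `disagreements` figure is the number to watch on real logs: when legitimate and masquerade sessions overlap, queries near a boundary are classified from the wrong cluster, and the speed-up has to be weighed against that loss; the one-off `distances_clustered_train` cost is amortised across queries and also shows why an optimised K-Means variant matters when the training set is re-clustered frequently.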

Article Details

Section
Applied AI Exploration Papers