Abstract
To gain access to account privileges, an intruder masquerades as the proper account user. This paper proposes a new strategy for detecting masquerades in a multiuser system. To detect masquerading sessions, one profile of command usage is built from the sessions of the proper user, and a second profile is built from the sessions of the remaining known users. The sequence of the commands in the sessions is reduced to a histogram of commands, and the naive-Bayes classifier is used to decide the identity of new incoming sessions. The standard naive-Bayes classifier is extended to take advantage of information from new unidentified sessions. On the basis of the current profiles, a newly presented session is first assigned a probability of being a masquerading session, and then the profiles are updated to reflect the new session. As prescribed by the expectation-maximization algorithm, this procedure is iterated until both the probabilities and the profiles are self-consistent. Experiments on a standard artificial dataset demonstrate that this self-consistent naive-Bayes classifier beats the previous best-performing detector and reduces the missing-alarm rate by 40%.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Dempster, A.P., Laird, N.M., Rubin, D.B.: Maximum likelihood from incomplete data via the EM algorithm. Journal of the Royal Statistical Society, Series B 39(1), 1–38 (1977)
Day, N.E.: Estimating the components of a mixture of two normal distributions. Biometrika 56, 463–474 (1969)
DuMouchel, W.: Computer intrusion detection based on Bayes factors for comparing command transition probabilities. Technical Report 91, National Institute of Statistical Sciences, Research Triangle Park, North Carolina 27709-4006 (1999)
DuMouchel, W., Schonlau, M.: A comparison of test statistics for computer intrusion detection based on principal components regression of transition probabilities. In: Proceedings of the 30th Symposium on the Interface: Computing Science and Statistics, vol. 30, pp. 404–413 (1999)
Hasselblad, V.: Estimation of parameters for a mixture of normal distributions. Technometrics 8, 431–444 (1966)
Hasselblad, V.: Estimation of finite mixtures of distributions from the exponential family. Journal of American Statistical Association 64, 1459–1471 (1969)
Ju, W.-H., Vardi, Y.: A hybrid high-order Markov chain model for computer intrusion detection. Technical Report 92, National Institute for Statistical Sciences, Research Triangle Park, North Carolina 27709–4006 (1999)
Loeb, V.: Spy case prompts computer search, Washington Post, March 5, p. A01 (2001)
Maxion, R.A., Townsend, T.N.: Masquerade Detection Using Truncated Command Lines. In: International Conference on Dependable Systems and Networks (DSN 2002), Washington, DC, June 23-26, pp. 219–228. IEEE Computer Society Press, Los Alamitos (2002)
Nigam, K., McCallum, A.K., Thrun, S., Mitchell, T.: Text classification from labeled and unlabeled documents using EM. Machine Learning 39(2), 103–134 (2000)
Schonlau, M., DuMouchel, W., Ju, W.-H., Karr, A.F., Theus, M., Vardi, Y.: Computer intrusion: detecting masquerades.”. Statistical Science 16(1), 58–74 (2001)
Schonlau, M., Theus, M.: Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters 76(1-2), 33–38 (2000)
Wolfe, J.H.: Pattern clustering by multivariate mixture analysis. Multivariate Behavioral Research 5, 329–350 (1970)
Yung, K.H.: Using feedback to improve masquerade detection. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 48–62. Springer, Heidelberg (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Yung, K.H. (2004). Using Self-Consistent Naive-Bayes to Detect Masquerades. In: Dai, H., Srikant, R., Zhang, C. (eds) Advances in Knowledge Discovery and Data Mining. PAKDD 2004. Lecture Notes in Computer Science(), vol 3056. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24775-3_41
Download citation
DOI: https://doi.org/10.1007/978-3-540-24775-3_41
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22064-0
Online ISBN: 978-3-540-24775-3
eBook Packages: Springer Book Archive