Using Self-Consistent Naive-Bayes to Detect Masquerades

Yung, Kwong H.

doi:10.1007/978-3-540-24775-3_41

Kwong H. Yung¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 3056))

Included in the following conference series:

Pacific-Asia Conference on Knowledge Discovery and Data Mining

2945 Accesses
8 Citations

Abstract

To gain access to account privileges, an intruder masquerades as the proper account user. This paper proposes a new strategy for detecting masquerades in a multiuser system. To detect masquerading sessions, one profile of command usage is built from the sessions of the proper user, and a second profile is built from the sessions of the remaining known users. The sequence of the commands in the sessions is reduced to a histogram of commands, and the naive-Bayes classifier is used to decide the identity of new incoming sessions. The standard naive-Bayes classifier is extended to take advantage of information from new unidentified sessions. On the basis of the current profiles, a newly presented session is first assigned a probability of being a masquerading session, and then the profiles are updated to reflect the new session. As prescribed by the expectation-maximization algorithm, this procedure is iterated until both the probabilities and the profiles are self-consistent. Experiments on a standard artificial dataset demonstrate that this self-consistent naive-Bayes classifier beats the previous best-performing detector and reduces the missing-alarm rate by 40%.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 84.99; Price excludes VAT (USA)

Softcover Book: USD 109.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Dempster, A.P., Laird, N.M., Rubin, D.B.: Maximum likelihood from incomplete data via the EM algorithm. Journal of the Royal Statistical Society, Series B 39(1), 1–38 (1977)
MATH MathSciNet Google Scholar
Day, N.E.: Estimating the components of a mixture of two normal distributions. Biometrika 56, 463–474 (1969)
Article MATH MathSciNet Google Scholar
DuMouchel, W.: Computer intrusion detection based on Bayes factors for comparing command transition probabilities. Technical Report 91, National Institute of Statistical Sciences, Research Triangle Park, North Carolina 27709-4006 (1999)
Google Scholar
DuMouchel, W., Schonlau, M.: A comparison of test statistics for computer intrusion detection based on principal components regression of transition probabilities. In: Proceedings of the 30th Symposium on the Interface: Computing Science and Statistics, vol. 30, pp. 404–413 (1999)
Google Scholar
Hasselblad, V.: Estimation of parameters for a mixture of normal distributions. Technometrics 8, 431–444 (1966)
Article MathSciNet Google Scholar
Hasselblad, V.: Estimation of finite mixtures of distributions from the exponential family. Journal of American Statistical Association 64, 1459–1471 (1969)
Article Google Scholar
Ju, W.-H., Vardi, Y.: A hybrid high-order Markov chain model for computer intrusion detection. Technical Report 92, National Institute for Statistical Sciences, Research Triangle Park, North Carolina 27709–4006 (1999)
Google Scholar
Loeb, V.: Spy case prompts computer search, Washington Post, March 5, p. A01 (2001)
Google Scholar
Maxion, R.A., Townsend, T.N.: Masquerade Detection Using Truncated Command Lines. In: International Conference on Dependable Systems and Networks (DSN 2002), Washington, DC, June 23-26, pp. 219–228. IEEE Computer Society Press, Los Alamitos (2002)
Chapter Google Scholar
Nigam, K., McCallum, A.K., Thrun, S., Mitchell, T.: Text classification from labeled and unlabeled documents using EM. Machine Learning 39(2), 103–134 (2000)
Article MATH Google Scholar
Schonlau, M., DuMouchel, W., Ju, W.-H., Karr, A.F., Theus, M., Vardi, Y.: Computer intrusion: detecting masquerades.”. Statistical Science 16(1), 58–74 (2001)
Article MATH MathSciNet Google Scholar
Schonlau, M., Theus, M.: Detecting masquerades in intrusion detection based on unpopular commands. Information Processing Letters 76(1-2), 33–38 (2000)
Article Google Scholar
Wolfe, J.H.: Pattern clustering by multivariate mixture analysis. Multivariate Behavioral Research 5, 329–350 (1970)
Article Google Scholar
Yung, K.H.: Using feedback to improve masquerade detection. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 48–62. Springer, Heidelberg (2003)
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

Statistics Department, Stanford University, 390 Serra Mall, Stanford, CA, 94305-4020, USA
Kwong H. Yung

Authors

Kwong H. Yung
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

School of Engineering and Information Technology, Deakin University, VIC 3125, Australia
Honghua Dai
University of Illinois at Urbana-Champaign, 61801, Urbana, IL, USA
Ramakrishnan Srikant
Faculty of Engineering and Information Technology, Centre for Quantum Computation and Intelligent Systems, and Australian ACS National Committee for Artificial Intelligence, University of Technology, Sydney, Australia
Chengqi Zhang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Yung, K.H. (2004). Using Self-Consistent Naive-Bayes to Detect Masquerades. In: Dai, H., Srikant, R., Zhang, C. (eds) Advances in Knowledge Discovery and Data Mining. PAKDD 2004. Lecture Notes in Computer Science(), vol 3056. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24775-3_41

Download citation

DOI: https://doi.org/10.1007/978-3-540-24775-3_41
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22064-0
Online ISBN: 978-3-540-24775-3
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics