Using instance-weighted naive Bayes for adapting concept drift in masquerade detection

  • Regular Contribution
  • International Journal of Information Security

Abstract

Although many approaches to masquerade detection have been proposed in the literature, few of them consider concept drift: the problem of distinguishing malicious behaviours from the natural change in user behaviours. Researchers mainly focus on updating user behaviours to adapt to concept drift in masquerade detection. However, these approaches rely on the accuracy of the detector and do not take into account malicious instances that are erroneously added to the updating scheme. In this study, we show that conventional approaches based on instance selection are affected dramatically when misclassified intrusive data are added to the training data. Therefore, we propose a new approach based on instance weighting, which updates user behaviours gradually according to the weights assigned to each instance, regardless of whether they are malicious or non-malicious. The results show that the proposed approach outperforms the other updating schemes in the literature where the malicious instances are more than 5% of the benign instances in the updating, which is very likely to happen due to the high miss rate of the existing detectors.
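The contrast the abstract draws between instance selection and instance weighting, as an added illustration that is not code from the paper: a two-class multinomial naive Bayes over command counts replays one update stream under both schemes. The command data, the equal class priors, and the use of the posterior P(self | block) as the instance weight are assumptions made for this sketch; the paper's own weighting function is not given on this page.

```python
import math
from collections import Counter

VOCAB = ["ls", "cd", "vim", "make", "gcc", "nc", "wget", "chmod"]
# Constructed data: the legitimate user's history and a pool of other users' commands.
SELF_TRAIN = ["vim"] * 4 + ["make"] * 4 + ["gcc"] * 2 + ["ls"] * 5 + ["cd"] * 5
OTHER_TRAIN = ["nc"] * 4 + ["wget"] * 4 + ["chmod"] * 2 + ["ls"] * 5 + ["cd"] * 5
BENIGN = ["ls", "cd", "vim", "make", "gcc", "vim"]
MASQ = ["vim", "make", "nc", "chmod", "ls", "cd"]  # blends in, so the detector misses it
# Ground-truth labels are used only to measure contamination, never by the detector.
STREAM = [("benign", BENIGN), ("masq", MASQ), ("benign", BENIGN), ("masq", MASQ)]

class WeightedNB:
    """Multinomial naive Bayes (self vs. other) whose counts accept fractional weights."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = {"self": Counter(), "other": Counter()}

    def update(self, label, block, weight=1.0):
        for cmd in block:
            self.counts[label][cmd] += weight

    def prob(self, label, cmd):
        c = self.counts[label]  # Laplace-smoothed P(cmd | label)
        return (c[cmd] + self.alpha) / (sum(c.values()) + self.alpha * len(VOCAB))

    def p_self(self, block):
        # Posterior P(self | block) under equal class priors.
        llr = sum(math.log(self.prob("self", c) / self.prob("other", c)) for c in block)
        return 1.0 / (1.0 + math.exp(-llr))

def replay(scheme):
    """Run the update stream; return the model and the total weight given to masquerade blocks."""
    nb = WeightedNB()
    nb.update("self", SELF_TRAIN)
    nb.update("other", OTHER_TRAIN)
    poison = 0.0
    for truth, block in STREAM:
        p = nb.p_self(block)
        if scheme == "selection":
            w = 1.0 if p >= 0.5 else 0.0  # hard decision: an accepted block counts fully
        else:
            w = p                         # assumed weighting: the posterior is the weight
        nb.update("self", block, w)
        poison += w if truth == "masq" else 0.0
    return nb, poison

if __name__ == "__main__":
    for scheme in ("selection", "weighting"):
        nb, poison = replay(scheme)
        print(f"{scheme:9s} masquerade weight={poison:.2f} P(nc|self)={nb.prob('self', 'nc'):.4f}")
```

Under hard selection each missed block enters the profile at full weight and makes the next one easier to accept; under weighting the same blocks enter at fractional weight, so the profile's probability for the attack commands grows more slowly.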

Corresponding author

Correspondence to Sevil Sen.

Cite this article

Sen, S. Using instance-weighted naive Bayes for adapting concept drift in masquerade detection. Int. J. Inf. Secur. 13, 583–590 (2014). https://doi.org/10.1007/s10207-014-0238-9

  • DOI: https://doi.org/10.1007/s10207-014-0238-9
