Abstract
Masquerade detection undertakes to determine whether or not one computer user has impersonated another, typically by detecting significant anomalies in the victim’s normal behavior, as represented by a user profile formed from system audit data, command histories, and other information characteristic of individual users. Among the many intrusion/masquerade-detection algorithms in use today is the naive Bayes classifier, which has been observed to perform imperfectly from time to time, as will any detector. This paper investigates the prospect of a naive Bayes flaw that prevents detection of attacks conducted by so-called “super-masqueraders,” whose incursions are consistently undetected across an entire range of victims. It is shown in this paper, through controlled experimentation and a rigorous mathematical exposition, that a weakness in the detector causes it to miss attacks under certain conditions. Furthermore, meeting those conditions – and crafting an undetectable attack – is often entirely within the control of the attacker. This paper also demonstrates, however, that such attacks can be overcome by fortifying the algorithm with a diverse detection capability. The “fortified” detector improves detection and, more significantly, removes the threat of the super-masquerader, virtually eliminating the impact of the algorithm’s defect.
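The following is an added illustration of the detector the abstract describes, not code or data from the chapter: a multinomial naive Bayes masquerade detector that scores a block of commands by the log-likelihood ratio between the victim's profile and a profile built from other users, combined with a second, deliberately different detector so that an alarm from either one counts. The command histories, the smoothing constant `ALPHA`, the unseen-command limit `UNSEEN_LIMIT`, and the choice of an unseen-command rate as the second detector are all assumptions made here; the chapter's own fortification and the specific defect it identifies are not reproduced. The third test block shows one generic blind spot of a pure likelihood-ratio decision (commands that are novel to every profile look equally surprising to both sides, so the ratio says nothing useful), which is exactly the kind of gap a diverse second detector closes.

```python
"""Naive Bayes masquerade detector over command streams, plus a diverse second
detector.  Added example; the histories and blocks below are constructed, not
taken from the chapter or from any real audit data."""
import math
from collections import Counter

ALPHA = 0.01        # pseudocount used for smoothing (assumed value)
UNSEEN_LIMIT = 0.5  # second detector fires above this fraction of never-seen commands (assumed)

# Constructed training histories: one command per entry, oldest first.
VICTIM_TRAIN = ["ls", "cd", "vi", "make", "gcc", "ls", "cd", "make", "vi", "ls",
                "grep", "cat", "ls", "cd", "vi", "make", "ls", "gcc", "make", "ls"]
OTHER_USERS_TRAIN = {
    "u2": ["sendmail", "ps", "netstat", "ps", "sendmail", "ls", "top", "ps",
           "kill", "netstat", "sendmail", "ps", "top", "ls", "ps"],
    "u3": ["latex", "bibtex", "latex", "xdvi", "ls", "latex", "cd", "xdvi",
           "latex", "ls"],
}


def build_vocabulary(*histories):
    """All commands seen in training plus an '<unk>' slot for anything else."""
    vocab = set()
    for history in histories:
        vocab.update(history)
    vocab.add("<unk>")
    return frozenset(vocab)


class CommandProfile:
    """Smoothed per-command log-probabilities log P(cmd | user) from one history."""

    def __init__(self, history, vocabulary, alpha=ALPHA):
        counts = Counter(history)
        total = len(history)
        denom = total + alpha * len(vocabulary)
        self.logp = {c: math.log((counts[c] + alpha) / denom) for c in vocabulary}
        self.seen = set(counts)

    def log_likelihood(self, block):
        # Commands outside the vocabulary share the smoothed mass of '<unk>'.
        return sum(self.logp.get(c, self.logp["<unk>"]) for c in block)


VOCAB = build_vocabulary(VICTIM_TRAIN, *OTHER_USERS_TRAIN.values())
SELF = CommandProfile(VICTIM_TRAIN, VOCAB)
NONSELF = CommandProfile([c for h in OTHER_USERS_TRAIN.values() for c in h], VOCAB)


def nb_score(block, self_profile=SELF, nonself_profile=NONSELF):
    """log P(block|self) - log P(block|nonself); negative means 'looks like someone else'."""
    return self_profile.log_likelihood(block) - nonself_profile.log_likelihood(block)


def nb_flags(block, threshold=0.0):
    """Naive Bayes alone: alarm when the ratio falls below the threshold."""
    return nb_score(block) < threshold


def unseen_fraction(block, self_profile=SELF):
    """Second, diverse detector: share of the block the victim has never typed."""
    return sum(1 for c in block if c not in self_profile.seen) / len(block)


def fortified_flags(block, threshold=0.0, unseen_limit=UNSEEN_LIMIT):
    """Fortified decision (assumed construction): alarm if either detector fires."""
    return nb_flags(block, threshold) or unseen_fraction(block) > unseen_limit


# Constructed test blocks.
SELF_BLOCK = ["ls", "make", "vi", "ls", "cd", "gcc"]            # the victim's usual work
ATTACK_BLOCK = ["ps", "netstat", "ps", "sendmail", "top", "ps"]  # looks like user u2
NOVEL_BLOCK = ["zsh", "tmux", "emacs", "cargo", "rustc", "tmux"]  # new to every profile

if __name__ == "__main__":
    for name, block in [("self", SELF_BLOCK), ("attack", ATTACK_BLOCK), ("novel", NOVEL_BLOCK)]:
        print(f"{name:7s} nb_score={nb_score(block):8.2f} unseen={unseen_fraction(block):.2f} "
              f"nb_alarm={nb_flags(block)} fortified_alarm={fortified_flags(block)}")
```

Running the block prints three rows: the self block scores strongly positive and raises no alarm; the attack block scores strongly negative and is caught by naive Bayes alone; the novel block scores slightly positive (the ratio is close to zero because both profiles are equally surprised, and the tie breaks toward the smaller self history), so naive Bayes stays silent while the fortified decision still fires on the unseen-command rate.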
© 2008 Springer Science+Business Media, LLC
Killourhy, K.S., Maxion, R.A. (2008). Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds) Insider Attack and Cyber Security. Advances in Information Security, vol 39. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-77322-3_6
DOI: https://doi.org/10.1007/978-0-387-77322-3_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-77321-6
Online ISBN: 978-0-387-77322-3