Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure

  • Kevin S. Killourhy
  • Roy A. Maxion
Part of the Advances in Information Security book series (ADIS, volume 39)


Masquerade detection undertakes to determine whether one computer user has impersonated another, typically by detecting significant deviations from the victim’s normal behavior, as represented by a user profile built from system audit data, command histories, and other information characteristic of individual users. Among the many intrusion- and masquerade-detection algorithms in use today is the naive Bayes classifier, which, like any detector, has been observed to perform imperfectly from time to time. This paper investigates the prospect of a naive Bayes flaw that prevents detection of attacks conducted by so-called “super-masqueraders,” whose incursions go consistently undetected across an entire range of victims. Through controlled experimentation and a rigorous mathematical exposition, it is shown that a weakness in the detector causes it to miss attacks under certain conditions. Furthermore, meeting those conditions, and thereby crafting an undetectable attack, is often entirely within the attacker’s control. This paper also demonstrates, however, that such attacks can be overcome by fortifying the algorithm with a diverse detection capability. The “fortified” detector improves detection and, more significantly, removes the threat of the super-masquerader, virtually eliminating the impact of the algorithm’s defect.


Keywords: Training Data · False Alarm Rate · Test Block · Command Line · Legitimate User
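
To make the detection mechanism concrete, the sketch below (in Python) shows a naive Bayes command-frequency classifier of the general kind used in prior masquerade-detection work: a test block of commands is scored under a “self” model built from the user’s own history and a “non-self” model built from other users’ data, and flagged when the non-self model explains it better. The function names, smoothing constant, and decision threshold here are illustrative assumptions, not the authors’ fortified detector.

    from collections import Counter
    import math

    # Illustrative naive Bayes masquerade-detection sketch over command blocks;
    # names and parameter values are assumptions, not the chapter's exact detector.

    def train(blocks):
        """Count command occurrences over training blocks (lists of command strings)."""
        counts = Counter(cmd for block in blocks for cmd in block)
        return counts, sum(counts.values())

    def log_likelihood(block, model, vocab_size, alpha=0.01):
        """Log-probability of a block under a smoothed multinomial model; the
        pseudocount alpha keeps unseen commands from getting zero probability."""
        counts, total = model
        denom = total + alpha * vocab_size
        return sum(math.log((counts[cmd] + alpha) / denom) for cmd in block)

    def is_masquerade(block, self_model, nonself_model, vocab_size, threshold=0.0):
        """Flag the block if the non-self model (other users' commands)
        explains it better than the user's own profile."""
        score = (log_likelihood(block, nonself_model, vocab_size)
                 - log_likelihood(block, self_model, vocab_size))
        return score > threshold

    # Toy usage: profile a user, pool other users' data, score a suspicious block.
    self_blocks = [["ls", "cd", "vi", "make"], ["ls", "vi", "gcc", "make"]]
    other_blocks = [["netstat", "ps", "kill", "ftp"], ["ftp", "telnet", "ps"]]
    vocab = {c for b in self_blocks + other_blocks for c in b}
    print(is_masquerade(["ftp", "telnet", "netstat", "ps"],
                        train(self_blocks), train(other_blocks), len(vocab)))

A score-differencing scheme of this general shape is the kind of detector the chapter analyzes; the precise conditions under which it can be made to miss an attack are developed in the body of the paper.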





Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Kevin S. Killourhy (1)
  • Roy A. Maxion (1)
  1. Computer Science Department, Carnegie Mellon University
