Using Feedback to Improve Masquerade Detection
To gain access to account privileges, an intruder masquerades as the proper account user. Information from user feedback helps to improve the accuracy of classifiers used for detecting masquerades. Instead of operating in isolation, the online sequential classifier can request feedback from the user. In the full-feedback policy, the classifier verifies every session; in the feedback-on-alarm policy, the classifier confirms only suspicious sessions. Surprisingly, confirming only a few sessions under the feedback-on-alarm policy is enough to be competitive with verifying all sessions under the full-feedback policy. Experiments on a standard artificial dataset demonstrate that the naive-Bayes classifier boosted by the feedback-on-alarm policy beats the previous best-performing detector and reduces the number of missing alarms by 30%.
Keywords: feedback-on-alarm, feedback policy, sequential classifier, online classifier, naive-Bayes classifier, adaptive classifier, masquerading session, masquerading user, masquerade detection, intrusion detection
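The two feedback policies described in the abstract, as an added sketch that is not the paper's code. It assumes a one-class, Laplace-smoothed naive-Bayes command profile, a fixed alarm threshold, and constructed sessions; the `none` policy (no feedback at all) is added here as a baseline.

```python
import math
from collections import Counter

class OnlineNB:
    """Per-user multinomial naive-Bayes command profile, Laplace-smoothed."""
    def __init__(self, vocab, alpha=1.0):
        self.vocab, self.alpha = vocab, alpha
        self.counts, self.total = Counter(), 0

    def update(self, session):
        self.counts.update(session)
        self.total += len(session)

    def score(self, session):
        # Mean log-likelihood per command; low = unlike the user's profile.
        denom = self.total + self.alpha * len(self.vocab)
        return sum(math.log((self.counts[c] + self.alpha) / denom)
                   for c in session) / len(session)

def run(policy, training, stream, vocab, threshold):
    """policy: 'none', 'alarm' (feedback-on-alarm) or 'full' (full-feedback).
    is_masquerade stands in for the user's answer; read only when asked."""
    model = OnlineNB(vocab)
    for s in training:
        model.update(s)
    alarms, requests = [], 0
    for session, is_masquerade in stream:
        alarm = model.score(session) < threshold
        alarms.append(alarm)
        ask = policy == "full" or (policy == "alarm" and alarm)
        requests += ask
        # With feedback trust the user; without it trust the classifier.
        genuine = (not is_masquerade) if ask else (not alarm)
        if genuine:
            model.update(session)  # adapt the profile to accepted sessions
    return alarms, requests

# Constructed data: the user drifts to a new command (git); one masquerade.
VOCAB = ["ls", "cd", "vi", "gcc", "make", "git", "mail", "lpr"]
TRAINING = [["ls", "cd", "vi", "gcc", "make"]] * 4
DRIFT = ["git", "git", "make", "git", "vi"]
STREAM = [(["ls", "cd", "vi", "gcc", "make"], False), (DRIFT, False),
          (DRIFT, False), (["mail", "lpr", "mail", "lpr", "mail"], True),
          (DRIFT, False)]

if __name__ == "__main__":
    for policy in ("none", "alarm", "full"):
        alarms, requests = run(policy, TRAINING, STREAM, VOCAB, threshold=-2.5)
        print(f"{policy:5s} alarms={alarms} feedback_requests={requests}")
```

On this constructed stream, feedback-on-alarm raises the same alarms as full feedback while asking the user about two sessions instead of five. In this sketch a masquerade session that raises no alarm is folded into the profile unverified under feedback-on-alarm.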