Using Feedback to Improve Masquerade Detection

  • Kwong H. Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2846)


To gain access to account privileges, an intruder masquerades as the proper account user. Information from user feedback helps to improve the accuracy of classifiers used for detecting masquerades. Instead of operating in isolation, the online sequential classifier can request feedback from the user. In the full-feedback policy, the classifier verifies every session; in the feedback-on-alarm policy, the classifier confirms only suspicious sessions. Surprisingly, confirming only a few sessions under the feedback-on-alarm policy is enough to be competitive with verifying all sessions under the full-feedback policy. Experiments on a standard artificial dataset demonstrate that the naive-Bayes classifier boosted by the feedback-on-alarm policy beats the previous best-performing detector and reduces the number of missing alarms by 30%.
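The three ways of running the online classifier mentioned in the abstract (in isolation, full feedback, feedback-on-alarm) can be compared on a toy command stream. This is an added example, not code from the paper: the sessions are constructed, and the smoothing constant, alarm threshold, uniform baseline and update rules are all assumptions made for illustration.

```python
import math
from collections import Counter

ALPHA = 0.5        # assumed smoothing constant
THRESHOLD = -0.5   # assumed alarm threshold on the per-command score

# Constructed sessions (command names only), not taken from the paper's dataset.
OLD = ["ls", "cd", "vi", "make", "ls", "vi"]           # user's established habits
NEW = ["ls", "cd", "git", "emacs", "git", "emacs"]     # same user, changed habits
MASQ = ["find", "tar", "scp", "find", "tar", "scp"]    # someone else on the account
VOCAB = sorted(set(OLD + NEW + MASQ))
TRAIN = [OLD] * 5
STREAM = [(OLD, False), (NEW, False), (NEW, False), (MASQ, True),
          (NEW, False), (OLD, False), (MASQ, True), (NEW, False)]

def score(counts, session):
    """Mean log-likelihood ratio per command: user's naive-Bayes model vs. uniform."""
    denom = sum(counts.values()) + ALPHA * len(VOCAB)
    loglik = sum(math.log((counts[c] + ALPHA) / denom) for c in session)
    return loglik / len(session) + math.log(len(VOCAB))

def run(policy):
    """Replay STREAM under 'none', 'full' or 'on_alarm'; return (alarms, queries)."""
    counts = Counter(c for s in TRAIN for c in s)
    alarms, queries = [], 0
    for session, is_masquerade in STREAM:
        alarm = score(counts, session) < THRESHOLD
        alarms.append(alarm)
        if policy == "full" or (policy == "on_alarm" and alarm):
            queries += 1
            proper = not is_masquerade   # the user's answer, assumed truthful
        elif policy == "on_alarm":
            proper = True                # unconfirmed quiet session: assumed proper
        else:
            proper = False               # "none": the model is never updated
        if proper:
            counts.update(session)       # adapt the user's profile
    return alarms, queries

if __name__ == "__main__":
    truth = [m for _, m in STREAM]
    for policy in ("none", "full", "on_alarm"):
        alarms, queries = run(policy)
        false_alarms = sum(a and not t for a, t in zip(alarms, truth))
        missed = sum(t and not a for a, t in zip(alarms, truth))
        print(f"{policy:9} queries={queries} false_alarms={false_alarms} missed={missed}")
```

On this stream the feedback-on-alarm run raises the same alarms as the full-feedback run while asking the user about 3 sessions instead of 8. Under the update rule assumed here, a masquerade that raises no alarm would be absorbed into the profile, which is the cost of confirming only suspicious sessions.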


Keywords: feedback-on-alarm, feedback policy, sequential classifier, online classifier, naive-Bayes classifier, adaptive classifier, masquerading session, masquerading user, masquerade detection, intrusion detection



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Kwong H. Yung, Computer Science Department, Stanford University, Stanford, USA
