Expectation Maximization Approach to Detecting Compromised Remote Access Accounts.

摘要

We present a method for detecting when a user’s remote access account has been compromised in such a way that an attacker model can be learned during operations. A Naive Bayes model is built for each user that stores the likelihood for each remote session based on a variety of features available in the access logs. During operation, we leverage Expectation Maximization on new data to update both the user and attacker models, based on the likelihood of the observed session, and perform a model comparison to test for compromise. The system scales linearly with the number of users in computation and memory.We present experimental results on a medium-sized enterprise network of over two thousand users, performing “masquerade detection” in which the activity of one user is discovered within another user’s logs.