Investigating a Possible Flaw in a Masquerade Detection System

摘要

Masquerade detection undertakes to determine whether or not one computer user has impersonated another, typically by detecting significant anomalies in the victim's normal behavior, as represented by a user profile formed from system audit data, command histories, and other information characteristic of individual users. Among the many intrusion/masquerade-detection algorithms in use today is the naive Bayes classifier, which has been observed to perform imperfectly from time to time, as will any detector. This paper investigates the prospect of a naive Bayes flaw that foils the detection of attacks conducted by so-called 'super-masqueraders' whose incursions are consistently undetected across an entire range of victims. It is shown, through a rigorous mathematical exposition and an empirical analysis involving over 13,000 experiments, that the detector harbors a weakness (that could be exploited by an attacker) causing it to err under certain conditions. The paper explores and describes those conditions, and suggests how they can be overcome by fortifying the algorithm with a diverse detection capability.