Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure

Abstract

Masquerade detection undertakes to determine whether or not one computer user has impersonated another, typically by detecting significant anomalies in the victim's normal behavior, as represented by a user profile formed from system audit data, command histories, and other information characteristic of individual users. Among the many intrusion/masquerade-detection algorithms in use today is the naive Bayes classifier, which has been observed to perform imperfectly from time to time, as will any detector. This paper investigates the prospect of a naive Bayes flaw that prevents detection of attacks conducted by so-called "super-masqueraders" whose incursions are consistently undetected across an entire range of victims. It is shown in this paper, through controlled experimentation and a rigorous mathematical exposition, that a weakness in the detector causes it to miss attacks under certain conditions. Furthermore, meeting those conditions - and crafting an undetectable attack - is often entirely within the control of the attacker. This paper also demonstrates, however, that such attacks can be overcome by fortifying the algorithm with a diverse detection capability. The "fortified" detector improves detection and, more significantly, removes the threat of the super-masquerader, virtually eliminating the impact of the algorithm's defect.

Killourhy, K. S., & Maxion, R. A. (2008). Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure. Advances in Information Security, 39, 91–112. https://doi.org/10.1007/978-0-387-77322-3_6
