Return to search

Detection of Deviations From Authorized Network Activity Using Dynamic Bayesian Networks

This research addressed one of the hard problems still plaguing the information security profession; detection of network activity deviations from authorized accounts when the deviations are similar to normal network activity. Specifically, when user and administrator type accounts are used for malicious activity, harm can come to the organization. Accurately modeling normal user network activity is hard to accomplish and detecting misuse is a complex problem.
Much work has been done in the past with intrusion detection systems, but being able to detect masquerade events with high accuracy and low false alarm rates continues to be an issue. Bayesian networks have been successfully used in the past to reason under certainty by combining prior knowledge with observed data. The use of dynamic Bayesian Networks, such as multi-entity Bayesian network, extends the capability and can address complex problems.
The goal of the research was to extend previous research with multi-entity Bayesian networks along with discretization methods to improve the effectiveness of the detection rate while maintaining an acceptable level of false positives. Preprocessing continuous variables has proven effective in prior research but has not been applied to multi-entity Bayesian networks in the past. Five different discretization methods were used in this research. Analysis using receiver operating characteristic curves, confusion matrix, and other comparison methods were completed as part of this research.
The results of the research demonstrated that a multi-entity Bayesian network model based on multiple data sources and the relationship between the user attributes could be used to detect unauthorized access to data. The supervised top down discretization methods had better performance related to the overall classification accuracy. Specifically, the class-attribute interdependence maximization discretization method outperformed the other four discretization methods. When compared to previous masquerade detection methods, the class-attribute interdependence maximization discretization method had a comparable true positive rate with a lower false positive rate.

Identiferoai:union.ndltd.org:nova.edu/oai:nsuworks.nova.edu:gscis_etd-1145
Date01 January 2011
CreatorsEwell, Cris Vincent
PublisherNSUWorks
Source SetsNova Southeastern University
Detected LanguageEnglish
Typetext
Formatapplication/pdf
SourceCEC Theses and Dissertations

Page generated in 0.002 seconds