CCE Theses and Dissertations

Campus Access Only

All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.

Date of Award

2011

Document Type

Dissertation - NSU Access Only

Degree Name

Doctor of Philosophy in Information Systems (DISS)

Department

Graduate School of Computer and Information Sciences

Advisor

James Cannady

Committee Member

Glyn Gowing

Committee Member

George Thurmond

Keywords

Bayesian Networks, Information Security, Intrusion Detection

Abstract

This research addressed one of the hard problems still plaguing the information security profession; detection of network activity deviations from authorized accounts when the deviations are similar to normal network activity. Specifically, when user and administrator type accounts are used for malicious activity, harm can come to the organization. Accurately modeling normal user network activity is hard to accomplish and detecting misuse is a complex problem.

Much work has been done in the past with intrusion detection systems, but being able to detect masquerade events with high accuracy and low false alarm rates continues to be an issue. Bayesian networks have been successfully used in the past to reason under certainty by combining prior knowledge with observed data. The use of dynamic Bayesian Networks, such as multi-entity Bayesian network, extends the capability and can address complex problems.

The goal of the research was to extend previous research with multi-entity Bayesian networks along with discretization methods to improve the effectiveness of the detection rate while maintaining an acceptable level of false positives. Preprocessing continuous variables has proven effective in prior research but has not been applied to multi-entity Bayesian networks in the past. Five different discretization methods were used in this research. Analysis using receiver operating characteristic curves, confusion matrix, and other comparison methods were completed as part of this research.

The results of the research demonstrated that a multi-entity Bayesian network model based on multiple data sources and the relationship between the user attributes could be used to detect unauthorized access to data. The supervised top down discretization methods had better performance related to the overall classification accuracy. Specifically, the class-attribute interdependence maximization discretization method outperformed the other four discretization methods. When compared to previous masquerade detection methods, the class-attribute interdependence maximization discretization method had a comparable true positive rate with a lower false positive rate.

To access this thesis/dissertation you must have a valid nova.edu OR mynsu.nova.edu email address and create an account for NSUWorks.

Free My Thesis

If you are the author of this work and would like to grant permission to make it openly accessible to all, please click the Free My Thesis button.

  Contact Author

  Link to NovaCat

Share

COinS