Campus Access Only
All rights reserved. This publication is intended for use solely by faculty, students, and staff of Nova Southeastern University. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, now known or later developed, including but not limited to photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the author or the publisher.
Date of Award
Dissertation - NSU Access Only
Doctor of Philosophy in Information Systems (DISS)
Graduate School of Computer and Information Sciences
This research addressed one of the hard problems still plaguing the information security profession; detection of network activity deviations from authorized accounts when the deviations are similar to normal network activity. Specifically, when user and administrator type accounts are used for malicious activity, harm can come to the organization. Accurately modeling normal user network activity is hard to accomplish and detecting misuse is a complex problem.
Much work has been done in the past with intrusion detection systems, but being able to detect masquerade events with high accuracy and low false alarm rates continues to be an issue. Bayesian networks have been successfully used in the past to reason under certainty by combining prior knowledge with observed data. The use of dynamic Bayesian Networks, such as multi-entity Bayesian network, extends the capability and can address complex problems.
The goal of the research was to extend previous research with multi-entity Bayesian networks along with discretization methods to improve the effectiveness of the detection rate while maintaining an acceptable level of false positives. Preprocessing continuous variables has proven effective in prior research but has not been applied to multi-entity Bayesian networks in the past. Five different discretization methods were used in this research. Analysis using receiver operating characteristic curves, confusion matrix, and other comparison methods were completed as part of this research.
The results of the research demonstrated that a multi-entity Bayesian network model based on multiple data sources and the relationship between the user attributes could be used to detect unauthorized access to data. The supervised top down discretization methods had better performance related to the overall classification accuracy. Specifically, the class-attribute interdependence maximization discretization method outperformed the other four discretization methods. When compared to previous masquerade detection methods, the class-attribute interdependence maximization discretization method had a comparable true positive rate with a lower false positive rate.
Cris Vincent Ewell. 2011. Detection of Deviations From Authorized Network Activity Using Dynamic Bayesian Networks. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (146)