Summary:
This statistical method can compare in real time the sequence of commands given by each user to a profile of that user’s past behavior. We use a Bayes Factor statistic to test the null hypothesis that the observed command transition probabilities come from a profiled transition matrix. The alternative hypothesis is formed as a Dirichlet mixture of multinomial command probabilities. Based on a population of research users on a single computer, data from some users are inserted into the histories of other users to simulate intrusions. The Bayes factor based on the observation of a block of 100 commands had a false alarm rate of about 6.6% while detecting about 78% of blocks from simulated intrusions. We integrate the test into a detection scheme using control charts.
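The block-level test described above, as an added illustration that is not the paper's code or data: the profiled transition matrix is the null hypothesis and a Dirichlet mixture of multinomials centred on that matrix is the alternative, integrated row by row into a Dirichlet-multinomial marginal likelihood. The command vocabulary, the sequences, the pseudocount, the Dirichlet concentration and the alarm threshold are all constructed assumptions, not values from the paper.

```python
import math
from collections import Counter

# Constructed sample data (not from the paper): one user's command history,
# a block from that user, and a block from another user simulating an intrusion.
COMMANDS = ["ls", "cd", "vi", "make", "gcc", "rm"]
HISTORY = (["ls", "cd", "vi", "make"] * 4 + ["ls", "cd", "gcc", "make"]) * 5
LEGIT_BLOCK = HISTORY[:40]
INTRUDER_BLOCK = ["ls", "rm", "gcc", "rm"] * 10

def transition_counts(seq):
    """n[a][b] = number of times command a was immediately followed by b."""
    counts = {a: Counter() for a in COMMANDS}
    for prev, nxt in zip(seq, seq[1:]):
        counts[prev][nxt] += 1  # commands outside COMMANDS raise KeyError
    return counts

def estimate_profile(history, pseudo=0.1):
    """Profiled transition matrix P[a][b]. The pseudocount keeps every entry
    positive so an unseen transition cannot zero the null likelihood."""
    counts = transition_counts(history)
    profile = {}
    for a in COMMANDS:
        total = sum(counts[a].values()) + pseudo * len(COMMANDS)
        profile[a] = {b: (counts[a][b] + pseudo) / total for b in COMMANDS}
    return profile

def log_bayes_factor(block, profile, concentration=10.0):
    """log p(block | H1) - log p(block | H0); positive values favour H1.
    H0: each row multinomial with the profiled probabilities. H1: each row's
    probabilities drawn from a Dirichlet centred on the profiled row with
    total mass `concentration` (assumed prior), i.e. Dirichlet-multinomial."""
    n = transition_counts(block)
    log_h0 = log_h1 = 0.0
    for a, row in profile.items():
        n_a = sum(n[a].values())
        if n_a == 0:
            continue  # a row with no observed transitions is uninformative
        log_h1 += math.lgamma(concentration) - math.lgamma(concentration + n_a)
        for b, p in row.items():
            k = n[a][b]
            log_h0 += k * math.log(p)
            alpha = concentration * p
            log_h1 += math.lgamma(alpha + k) - math.lgamma(alpha)
    return log_h1 - log_h0

def is_intrusion(block, profile, threshold=math.log(10)):
    """Alarm when the evidence against the profile exceeds a Bayes factor of
    10 (an assumed cut-off; the paper's scheme uses control charts instead)."""
    return log_bayes_factor(block, profile) > threshold
```

With these inputs the block from the profiled user scores near zero while the inserted block scores far above the threshold, because its transitions fall on cells the profile assigns almost no mass.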
