Statistical Science

Computer Intrusion: Detecting Masquerades

William DuMouchel, Wen-Hua Ju, Alan F. Karr, Matthias Schonlau, Martin Theusan, and Yehuda Vardi

Full-text: Open access


Masqueraders in computer intrusion detection are people who use somebody else’s computer account. We investigate a number of statistical approaches for detecting masqueraders. To evaluate them, we collected UNIX command data from 50 users and then contaminated the data with masqueraders. The experiment was blinded. We show results from six methods, including two approaches from the computer science community.

Article information

Statist. Sci., Volume 16, Number 1 (2001), 58-74.

First available in Project Euclid: 27 August 2001

Permanent link to this document

Digital Object Identifier

Mathematical Reviews number (MathSciNet)

Zentralblatt MATH identifier

anomaly Bayes compression computer security high­order Markov profiling Unix


Schonlau, Matthias; DuMouchel, William; Ju, Wen-Hua; Karr, Alan F.; Theusan, Martin; Vardi, Yehuda. Computer Intrusion: Detecting Masquerades. Statist. Sci. 16 (2001), no. 1, 58--74. doi:10.1214/ss/998929476.

Export citation


  • Amoroso, E. (1999). Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. Intrusion.Net Books, Sparta, NJ.
  • Davison, B. D. and Hirsh, H. (1998). Predicting sequences of user actions. In Predicting the Future: AI Approaches to Time Series Problems. Technical report WS-98-07 (Proceedings of AAAI-98/ICML-98 Workshop) 5-12. AAAI Press, Madison, WI.
  • Denning, D. E. (1997). Cyberspace attacks and countermeasures. In Internet Besieged (D. E. Denning and P. J. Denning, eds.) 29-55. ACM Press, New York.
  • Denning, D. E. and Denning, P. J. (eds) (1997). Internet Besieged. ACM Press, New York.
  • Dumouchel, W. (1999). Computer intrusion detection based on Bayes Factors for comparing command transition probabilities. Technical Report 91, National Institute of Statistical Sciences. Available at
  • Dumouchel, W. and Schonlau, M. (1998). A fast computer intrusion detection algorithm based on hypothesis testing of command transition probabilities. In Proceedings ofThe Fourth International Conference of Knowledge Discovery and Data Mining 189-193. New York.
  • Dumouchel, W. and Schonlau, M. (1999). A comparison of test statistics for computer intrusion detection based on principal components regression of transition probabilities. In Proceedings ofthe 30th Symposium on the Interface: Computing Science and Statistics 30 404-413.
  • (1996). A sense of self for Unix processes. IEEE Symposium on Security and Privacy, Oakland, California.
  • Javitz, H. S. and Valdes, A. (1993). The NIDES statistical component: description and justification. Technical report, SRI International, Menlo Park, CA.
  • Ju, W. and Vardi, Y. (1999). A hybrid high-order Markov chain model for computer intrusion detection. Technical Report 92, National Institute Statistical Sciences. Available at
  • Lane, T. and Brodley, C. E. (1998). Approaches to online learning and concept drift for user identification in computer security. In Proceedings ofthe Fourth International Conference of Knowledge Discovery and Data Mining 259-263. AAAI Press, Menlo Park, CA. Lippmann, R., Fried, D., Graf, I., Haines, J., Kendall, K., McClung, D., Weber, D., Webster, S., Wyschogrod, D.,
  • Cunningham, R. and Zissman, M. (2000). Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation. MIT Lincoln Laboratory. Unpublished manuscript. Lunt, T. F., Jagannathan, R., Lee, R., Listgarten, S., Edwards, D. L., Neumann, P. G., Javitz, H. S. and Valdes, A.
  • (1988). Development and application of IDES: A realtime intrusion-detection expert system. Technical report, Computer Science Laboratory SRI International, Menlo Park, CA.
  • Marchette, D. (1999). A statistical method for profiling network traffic. In Proceedings ofthe 1st USENIX Workshop on Intrusion Detection and Network Monitoring 119-128.
  • Paxson, V. (1998). Bro: A system for detecting network intruders in real-time. In Proceedings ofthe 7th USENIX Security Symposium.
  • Porras, P. and Neumann, P. (1997). Emerald: Event monitoring enabling responses to anomalous live disturbances. In Proceedings ofthe National Information Systems Security Conference.
  • Power, R. (1999). Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare, 3rd ed. Computer Security Institute, San Francisco. President's Commission on Critical Infrastructure Protec
  • tion (1998). Critical Foundations. United States Government Printing Office, GPO 040-000-00699-1. Washington, DC.
  • Raftery, A. E. (1985). A model for high-order Markov chains. J. Roy. Statist. Soc. Ser. B 47 528-539.
  • Raftery, A. E. and Tavare, S. (1994). Estimation and modeling of repeated patterns in high-order Markov chains with the mixture transition distribution model. Appl. Statist. 43 179-199.
  • Scott, S. (2001). Detecting network intrusion using a Markov modulated nonhomogeneous Poisson process. Available at sls/research.html.
  • Schonlau, M. and Theus, M. (2000). Detecting masquerades in intrusion detection based on unpopular commands. Inform. Process. Lett. 76 33-38. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R. and
  • Zerkle, D. (1996). GRIDS-A graph-based intrusion detection system for large networks. In Proceedings The Nineteenth National Information Systems Security Conference.
  • Tan, K. (1995). An application of neural networks to Unix computer security. In IEEE International Conference on Neural Networks. IEEE, New York.
  • Welch, T. A. (1984). A technique for high performance data compression. IEEE Computer 17 8-19.