Masquerade detection using profile hidden Markov models

In this paper, we consider the problem of masquerade detection, based on user-issued UNIX commands. We present a novel detection technique based on profile hidden Markov models (PHMMs). For comparison purposes, we implement an existing modeling technique based on hidden Markov models (HMMs). We compare these approaches and show that, in general, our PHMM technique is competitive with HMMs. However, the standard test data set lacks positional information. We conjecture that such positional information would give our PHMM a significant advantage over HMM-based detection. To lend credence to this conjecture, we generate a simulated data set that includes positional information. Based on this simulated data, experimental results show that our PHMM-based approach outperforms other techniques when limited training data is available.