AAAI Publications, The Twenty-Sixth International FLAIRS Conference

An Expectation Maximization Approach to Detecting Compromised Remote Access Accounts
Kevin Gold, Ben Priest, Kevin M. Carter

Last modified: 2013-05-19


We present a method for detecting when a user’s remote access account has been compromised in such a way that an attacker model can be learned during operations. A Naive Bayes model is built for each user that stores the likelihood for each remote session based on a variety of features available in the access logs. During operation, we leverage Expectation Maximization on new data to update both the user and attacker models, based on the likelihood of the observed session, and perform a model comparison to test for compromise. The system scales linearly with the number of users in computation and memory. We present experimental results on a medium-sized enterprise network of over two thousand users, performing “masquerade detection” in which the activity of one user is discovered within another user’s logs.


masquerade detection; naive Bayes; virtual private network; account compromise
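The following sketch illustrates the pipeline the abstract describes: a per-user Naive Bayes model, EM over new sessions to update user and attacker models, then a model comparison. It is an added example, not the authors' implementation. The session features, the smoothing constants, the mixing prior, the log-likelihood-gain test and all names (`NaiveBayes`, `em_compare`, `demo`) are assumptions.

```python
import copy
import math
ALPHA, VOCAB = 1.0, 20  # assumed: Laplace smoothing, distinct values per feature

class NaiveBayes:
    """Categorical Naive Bayes over session features, kept as soft counts."""
    def __init__(self):
        self.counts, self.total = {}, 0.0

    def update(self, session, weight=1.0):
        for fv in session.items():
            self.counts[fv] = self.counts.get(fv, 0.0) + weight
        self.total += weight

    def loglik(self, session):
        denom = self.total + ALPHA * VOCAB
        return sum(math.log((self.counts.get(fv, 0.0) + ALPHA) / denom)
                   for fv in session.items())

def em_compare(user, attacker, sessions, prior=0.1, iters=25):
    """EM over new sessions; returns (gain, resp, user_model, attacker_model)."""
    null = copy.deepcopy(user)  # hypothesis: every new session is the user's
    for s in sessions:
        null.update(s)
    ll_null = sum(null.loglik(s) for s in sessions)
    u, a, pi = user, attacker, prior
    for _ in range(iters):
        # E-step: posterior that each session came from the attacker model
        resp = []
        for s in sessions:
            pa, pu = pi * math.exp(a.loglik(s)), (1 - pi) * math.exp(u.loglik(s))
            resp.append(pa / (pa + pu))
        # M-step: rebuild both models from history plus soft-assigned sessions
        u, a = copy.deepcopy(user), copy.deepcopy(attacker)
        for s, r in zip(sessions, resp):
            u.update(s, 1 - r)
            a.update(s, r)
        pi = min(max(sum(resp) / len(resp), 1e-3), 1 - 1e-3)
    ll_mix = sum(math.log(pi * math.exp(a.loglik(s)) + (1 - pi) * math.exp(u.loglik(s)))
                 for s in sessions)
    return ll_mix - ll_null, resp, u, a  # gain > threshold suggests compromise

# Constructed sample data (not from the paper): a usual session and an odd one
HOME = {"country": "US", "client": "windows", "hours": "day"}
ODD = {"country": "RO", "client": "linux", "hours": "night"}
def demo(new_sessions):
    user = NaiveBayes()
    user.update(HOME, weight=50)  # 50 historical sessions, all typical
    return em_compare(user, NaiveBayes(), new_sessions)
```

Calling `demo([HOME] * 3 + [ODD] * 2)` yields a positive gain with the two unusual sessions assigned to the attacker model, while `demo([HOME] * 5)` yields a gain near zero. The returned attacker model can be passed to the next user's comparison so it accumulates across accounts.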
