ARTICLE IN PRESS Computational Statistics Data Analysis ( ) –.pdf
/locate/csda
A Bayesian paradigm for designing intrusion detection systems
Steven L. Scott
The Marshall School of Business, University of Southern California, Los Angeles, CA 90089-1421, USA
Abstract
This article describes a model-based approach to designing network intrusion detection systems. The article considers general methods applicable to many different types of networks, using specific algorithms as examples. The central theme is that latent variable hierarchical models constructed using Bayesian methods lead to coherent systems that can handle the complex distributions involved with network traffic. Bayes' rule provides a means of combining competing intrusion detection methods such as anomaly detection and pattern recognition. Bayesian methods present evidence of intrusion as probabilities, which are easy for human fraud investigators to interpret. Hierarchical models allow transactions to communicate information about possible intrusions across time and accounts. These hierarchical models contain a transaction level model describing how well individual network transactions fit user and intruder profiles, an account level model parameterizing bursts associated with network intrusion, and a network-level model that adjusts account level model parameters when an intrusion on one or more accounts is suspected.
© 2003 Elsevier B.V. All rights reserved.
Keywords: Markov modulated Poisson process; Graphical model; Hierarchical model; Mixture model; Fraud; Bayesian model averaging
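The following Python sketch is an added illustration of the transaction-level and account-level ideas in the abstract; it is not code or a model taken from the paper. It assumes a discrete-time two-state (normal / intrusion) chain in place of the Markov modulated Poisson process named in the keywords, and every probability, likelihood and function name in it is constructed for the example.

```python
"""Added illustration, not the paper's model: a discrete-time two-state chain
stands in for the account-level burst model. All numbers are constructed."""

# Constructed likelihoods of ten transactions under each transaction-level profile.
# Transactions 4-7 fit the intruder profile better than the user profile.
LIK_USER = [0.5, 0.5, 0.5, 0.5, 0.05, 0.05, 0.05, 0.05, 0.5, 0.5]
LIK_INTRUDER = [0.1, 0.1, 0.1, 0.1, 0.4, 0.4, 0.4, 0.4, 0.1, 0.1]


def bayes_update(prior, lik_user, lik_intruder):
    """P(intrusion | transaction) from a prior and the two profile likelihoods."""
    num = prior * lik_intruder
    return num / (num + (1.0 - prior) * lik_user)


def filter_intrusion(lik_user, lik_intruder,
                     p_start=0.01, p_enter=0.02, p_leave=0.2):
    """Return P(intrusion at t | transactions 0..t) for every t.

    p_start: prior probability the account is already compromised (assumed).
    p_enter: chance an intrusion begins between transactions (assumed).
    p_leave: chance an ongoing intrusion ends between transactions (assumed).
    """
    posteriors = []
    p = p_start
    for t, (lu, li) in enumerate(zip(lik_user, lik_intruder)):
        if t > 0:
            # Account level: carry the previous belief forward through the chain,
            # so earlier transactions inform the score of later ones.
            p = p * (1.0 - p_leave) + (1.0 - p) * p_enter
        # Transaction level: Bayes' rule weighs the user and intruder profiles.
        p = bayes_update(p, lu, li)
        posteriors.append(p)
    return posteriors


if __name__ == "__main__":
    isolated = bayes_update(0.01, 0.05, 0.4)
    print(f"one suspicious transaction scored alone: {isolated:.3f}")
    for t, p in enumerate(filter_intrusion(LIK_USER, LIK_INTRUDER)):
        print(f"t={t}  P(intrusion)={p:.3f}")
```

With these constructed inputs a single suspicious transaction scored on its own yields a probability of about 0.07, while the fourth consecutive suspicious transaction in the burst exceeds 0.9 once belief is carried across time.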
1. Introduction
This