Publication Date

Spring 2016

Degree Type

Master's Project

Degree Name

Master of Science (MS)


Computer Science

First Advisor

Tom Austin

Second Advisor

Mark Stamp

Third Advisor

Robert Chun


masquarade intrusion detection Hidden Markov Model


Masquerade detection is the ability to detect attackers known as masqueraders that intrude on another user’s system and pose as legitimate users. Once a masquerader obtains access to a user’s system, the masquerader has free reign over whatever data is on that system. In this research, we focus on masquerade detection and user classi cation using the following two di erent approaches: the heavy hitter approach and 2 di erent approaches based on hidden Markov models (HMMs), the dueling-HMM and threshold-HMM strategies.

The heavy hitter approach computes the frequent elements seen in the training data sequence and test data sequence and computes the distance to see whether the test data sequence is masqueraded or not. The results show very misleading classi cations, suggesting that the approach is not viable for masquerade detection.

A hidden Markov model is a tool for representing probability distributions over sequences of observations [9]. Previous research has shown that using a threshold-based hidden Markov model (HMM) approach is successful in a variety of categories: malware detection, intrusion detection, pattern recognition, etc. We have veri ed that using a threshold-based HMM approach produces high accuracy with low amounts of a false positives. Using the dueling- HMM approach, which utilizes multiple training HMMs, we obtain an overall accuracy of 81.96%. With the introduction of the bias in the dueling-HMM approach, we produce similar results to the results obtained in the threshold-based HMM approach, where we see many non-masqueraded data detected, while many masqueraded data avoid detection, yet still result in an high overall accuracy.