Off-campus Eastern Washington University users: To download EWU Only theses, please use the following link to log into our proxy server with your EWU NetID and password.

Non-EWU users: Please talk to your local librarian about requesting this thesis through Interlibrary loan.

Date of Award

Winter 2010


Access perpetually restricted to EWU users with an active EWU NetID

Document Type

Thesis: EWU Only

Degree Name

Master of Science (MS) in Computer Science


Computer Science


Insider threat detection is still a relatively new area of study in Computer Science. Perhaps the most thoroughly researched topic is in the area of masquerade detection. A masquerader is someone posing as a specific legitimate user when they are really another person. Several different ways of determining the presence of a masquerader have been proposed and researched, but there are significant problems including low detection rates and high false positive results. Roy Maxion and Kevin Killourhy utilized a Naive Bayes classifier for detection using enriched Unix command lines, which are command line entries that still contain flags and other data. They discovered a problem with users that they dubbed supermasqueraders. These were users that would avoid detection no matter what data sets they were tested against. This was due to an intrinsic problem in the Naive Bayes classifier which would miss positive classifications when more than a small portion of the test block command lines were never before seen commands. They added a simple secondary check to solve this problem which greatly improved the results obtained. This thesis will attempt to validate and improve upon results obtained by Maxion and Killourhy in their paper, 'Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure.