Learning Symbolic User Models for Intrusion Detection: A Method and Initial Results




Michalski, Ryszard S.
Kaufman, Kenneth A.
Pietrzykowski, Jaroslaw
Śnieżyński, Bartłomiej
Wojtusiak, Janusz

Journal Title

Journal ISSN

Volume Title



This paper briefly describes the LUS-MT method for automatically learning user signatures (models of computer users) from datastreams capturing users’ interactions with computers. The signatures are in the form of collections of multistate templates (MTs), each characterizing a pattern in the user’s behavior. By applying the models to new user activities, the system can detect an imposter or verify legitimate user activity. Advantages of the method include the high expressive power of the models (a single template can characterize a large number of different user behaviors) and the ease of their interpretation, which makes possible their editing or enhancement by an expert. Initial results are very promising and show the potential of the method for user modeling.




Michalski, R. S., Kaufman, K., Pietrzykowski, J., Sniezynski, B. and Wojtusiak, J., "Learning Symbolic User Models for Intrusion Detection: A Method and Initial Results," Proceedings of the Intelligent Information Processing and Web Mining Conference, IIPWM 06, Ustron, Poland, June 19-22, 2006.