Detecting Network Intrusion Using a Markov Modulated Nonhomogeneous Poisson Process

Network intrusion occurs when a criminal gains access to a customer's telephone, computer, bank, or other type of account. Detecting network intrusion is an important problem that has received little attention in the statistics literature. This article proposes a Markov modulated nonhomogeneous Poisson process (MMNHPP) to monitor transactions on a customer's account for deviations from the customer's established behavior patterns. An important beneet of the MMNHPP is its ability to model the posterior probability of a criminal presence as a function of time. The MMNHPP combines aspects of the Markov modulated Poisson process and the nonhomogeneous Poisson process to model point processes exhibiting both regular patterns and irregular bursts of activity. The need to accommodate both types of behavior is demonstrated using data from two telephone accounts. MMNHPP parameters are sampled from their posterior distribution given a set of observed event times using an MCMC algorithm. The algorithm switches between drawing missing descriptions of criminal activity given model parameters and sampling model parameters given complete data. An augmented variables scheme is used to render otherwise strongly related elements of the missing data independent in their posterior distribution. Stochastic forward backward recursions for nonstationary hidden Markov models allow the augmenting variables, and thus the entire missing data vector, to be sampled by a single Gibbs step.