2016 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
The Approach to Detect Abnormal Access Behavior
Based on Naive Bayes Algorithm
Yong Ma
Information Security Evaluation Center
Civil Aviation University
Tianjin, China
heimajushi@sina.com
Abstract — Recently the act of fraud aimed at the air tickets is
more and more rampant. Lawbreakers get passenger
information from illegal channels, not only make a lot of
passengers suffering financial loss, but also influence the
reputation and business of airline. There are many ways that
passenger information easy to be leaked, in this paper, we just
focus on the detection of abnormal access behaviors that hacker
intrudes the frequent passenger system to get the passenger
information. In this paper, we analyze the passenger’s behavior
of visiting the frequent passenger system deeply. Then we base on
the naïve bayes algorithm to detect the behavior of passengers, so
that we can decide whether the account is abnormal. Through the
experiment and evaluation, we demonstrate that our approach is
effective to identify the illegal log in of hackers and makes a great
help in improving the security of passenger information.
Keywords—abnormal Access Behavior detection; Naive Bayes
Algorithm; information security
ALGORITHM INTRODUCTION
A. Bayesian algorithm
The Naive Bayes has been used in this paper to identify the
abnormal access behavior. Bayesian algorithm is a
classification method in statistics. It classifies based on
Probability and Statistic.
1) The Naive Bayes classification is described as below:
a) Assuming that there is a data sample X, it has n
characteristic attribute, that is X = {x1,x2,...,xn}.
b) C is the classific groups of all the data samples, those
samples belongs to m categories respectively, that is C =
{c1,c2,...,cm}.
c) Given a new data sample X which hasn't been
classified. If P(ci|X) > P(cj|X), i ≠ j, then the sample X is
supposed to belong to ci based on the Naive Bayes.
d) Based on the Bayes' theorem, P(ci|X) = P(X|ci)P(ci) /
P(X).
e) To all the categories, P(X) is constant, so that the
MAP P(cj|X) can be translated into the MPP P(X|ci)P(ci).
978-1-5090-0984-8/16 $31.00 © 2016 IEEE
DOI 10.1109/IMIS.2016.83
Shuang Liang, Xuan Chen, Chunfu Jia
College of Computer and Control Engineering
Nankai University
Tianjin, China
liangshuang@mail.nankai.edu.cn
chenxuan@mail.nankai.edu.cn,
cfjia@nankai.edu.cn
f) On account of the characteristic attribute of various
categories is mutual independence, P(X|ci)P(ci) =
P(x1|ci)P(x2|ci)…P(xn|ci)P(ci) = P(ci) ∏ P(xj|ci), 0 < j < n
2) The Naive Bayes classification is used in this paper is
mainly due to the following reasons:
a) Correlation between the characteristic attributes of
passenger access behavior is quite limited, so that various
characteristic attributes can be assumed to be mutual
independence, also it's the precondition for using the Naive
Bayes.
b) The Naive Bayes gives statistics the probability
distribution, it has a more stable classification efficiency,
especially when classify the characteristic attributes of
Discreteness, it has a high accuracy.
c) The achievement of the Naive Bayes is relatively
simple, the requirement on the number of characteristic
attributes which are needed in classification is few, what’s
more, it’s less sensitive to the missing data.
B. The Classification Process of Passenger Access Behavior
1) Data preprocessing stage
It mainly analysis and research for the data got from the log
of passenger access system, determine the characteristic
attributes of passenger access behavior [1]. Classify the
training sample according to users reported information and the
system automatic detection information to form the training
sample of passenger access system. Either the extraction of the
characteristic attributes of access behavior or the accuracy on
classification of the training set will directly affect the quality
of the classifier [2].
2) Generate a classifier
It mainly choose the algorithm of classification and use the
training sample set to generating classifier in this phase. This
paper uses the Bayesian algorithm, so that the classifier
generated from the calculating of the probability of each
characteristic attribute and the classification of conditional
probability of the training sample set.
313
 Through the analysis, following characteristic attributes of
the access behavior are defined in this article:
a) Definition 1: access terminal changing frequency =
the number of access terminal type/ passenger registration
time.
b) Definition 2: access address changing frequency =
the number of different login IP/ passenger registration time.
c) Definition 3: the number of login error refers to the
number of time a passenger enter the wrong password when
accessing the passenger system.
d) Definition 4: the range of accessing refers to contents
of accessing when a passenger log in the system, including
function for credits, function for booking tickets, and function
for back Meal Service.
e) Definition 5: the frequency of the accessing=the
times of accessing / passenger registration time.
C. The Naive Bayes classification modeling
1) The data sample: X = {access terminal changing
frequency, access address changing frequency, the number of
Fig. 1. Chart1-classify flow login error, the range of accessing, the frequency of the
accessing}.
TABLE I. TRAINING SAMPLE SET 2) Classification properties: {normal access, abnormal
count of normal account Count of abnormal account total access}.
13200 1800 15000 3) Classification.
TABLE III. TESTING SAMPLE SET If p(xj|ci)≠0, j = {1,2,3,4,5}, i = {1,2}.
count of normal account Count of abnormal account total C=Max {P(ci) ∏ P(xj|ci)}.
4580 420 5000 If p(xj|ci)=0j = {1,2,3,4,5}, i = {1,2}.
All characteristic attributes value plus one, and then
3) Using the classifier to classify
In this phase the classifier can be used to test the test calculate the probability distribution.
sample set, input the unclassified set of access attributes, use C=Max {P(ci) ∏ P(xj|ci)}.
the classifier generated by the Naive Bayes to classify, the By the reason of the assumption of independence between
output the result. Specific flow chart is as fig.1 shows. characteristic attributes of the system access behavior, once
appear a characteristic probability is 0, the accuracy of the
classifier will be greatly reduced. Laplace calibration is
II. DATA PREPROCESSING AND MODELING introduced in data calculation to avoid this situation [4]. In this
paper only involves normal accounts and abnormal accounts,
A. The data source and the characteristic attributes of them are more visible, so
The data in this paper derived from passenger system on that the situation that probability is 0 will not occur during
mobile end of an airline company, the data samples are in a algorithm implementation. But there may be a property that
total of 20000. The original sample properties are as table 1 probability is low, once low probability appears, the
follows. modification of estimated classification probability is necessary.
Equipmen Log in Log in Log out Access contents The Naive Bayes classification is introduced in this paper
t model IP time time information
to classify the passenger access behavior of passenger system.
15000 data among all is the training sample set, as table I Carry on the statistical analysis of the abnormal access
shows, and the other 5000 is a testing sample set, as table II behavior respectively when test sample set is 1000, 2000, 3000,
shows. The abnormal access account from user’s report and 4000 and 5000.
airlines daily test results [3].
TABLE IIIII. TESTING RESULT
The number of test samples 1000 2000 3000 4000 5000
B. Data preprocessing The number of abnormal 43 72 89 102 120
Analysis found that the original sample set classified the access accounts
characteristic attribute of access behavior, so that data The number of correctly 37 62 73 84 97
identified abnormal access
preprocessing is necessary before using the Naïve Bayes to accounts
classify. The number of normal access 8 10 12 23 23
identified as abnormal access
1) The extraction of characteristic attribute

314

Recognition
 rate of Bayes
algorithm
 2) The classification results of Bayesian classification

 False positive
rate of Bayes
 algorithm

 Recognition
rate of error
 logging
 approach
 False positive
 rate of error
logging
     approach
Fig.2. Recognition results
In order to taking further analysis of the classification
results, this paper carried out the following definition:
a) Definition 6: the rate of correctly identified abnormal
access account = the number of correctly identified abnormal
access accounts/the number of abnormal access accounts.
b) Definition 7: the rate of misinformation of abnormal
access = the number of normal access identified as abnormal
access / (the number of correctly identified abnormal access
accounts + the number of normal access identified as
abnormal access).
The difference of identification effect between using the
Naive Bayes classification and using the incorrect login
decision mechanism only is as fig.2 shows.
Through the above we can find that the recognition rate of
Bayesian classification algorithm was higher than the method
based on error logging generally. What’s more, Bayesian
classification algorithm is more stable. While the accuracy of
the method based on error logging is undulate, analyzing this
part of the subset of the test sample we found that in this subset
the sample having characteristic attribute of error logging is
more, so it occur as shown in figure.
For the rate of false positives, the reason why the rate of
false positives of login error identification method is lower than
the false positives of Bayesian classification algorithm is that
the decision condition of login error identification method is
clear. But as shown in the figure above, the rate of false
positives of these two method is very close, and overlapped
partly. Generally, the difference of these two method is not
much.
By analysis we can know that Bayesian classification
algorithm has a good effect in identifying the passenger
abnormal access behavior. Comparing with the original
315
detecting method in frequent passenger system, Bayesian
classification algorithm has following advantages:
1) The classification results of Bayesian classification
algorithm is more stable and less undulate.
algorithm is obvious. The correct recognition rate is more than
80%, that is much higher than original detecting method in
frequent passenger system.
3) By testing the test sample we find that the rate of false
positives between the Bayesian classification algorithm and
the original detecting method in frequent passenger system is
very close.
But there are some shortcomings we need to improve and
complete in classification through Bayesian classification
algorithm:
1) The Naive Bayes classification relies on the accuracy of
training sample set highly [5]. But in practice we can’t find all
abnormal access account. So, the training sample set need to
verify and organize further.
2) In order to make sure that feature attributes are
independent of each other, we just chose 5 feature attributes to
conduct the experiment. The result of classification maybe
impact because the feature attributes is less.
Experimental results demonstrate that the Naive Bayes
classification can improve the identification effect obviously in
frequent passenger system. It makes a contribute to improving
the security of frequent passenger account. Besides, it also has
important significance in improving the airline service quality
and security. Generally, the Naive Bayes classification can
achieve the desired results of the airline.
ACKNOWLEDGMENT
We would like to thank the anonymous reviewers of this
paper for their helpful feedback and our friend Zheli Liu for his
insightful comments and suggestions for this paper. We are
very appreciate the help they gave us. This work is supported
by the Civil Airport Information Security Technology Research
under Grants MHRD20150233
REFERENCES
[1] Cooley S. Systems and methods for detecting abnormal behavior of
networked devices: US8973133[P]. 2015.
[2] Heo Y J, Sohn S G, Kim B K, et al. SYSTEM AND METHOD FOR
DETECTING ABNORMAL BEHAVIOR OF CONTROL SYSTEM: ,
US20150341380[P]. 2015.
[3] Kim T, Kim H. A system for detection of abnormal behavior in BYOD
based on web usage patterns[C]// Information and Communication
Technology Convergence (ICTC), 2015 International Conference on.
IEEE, 2015.
[4] Lai Y, Zhang W, Yang Z. Software Abnormal Behavior Detection Based
on Function Semantic Tree[J]. Ieice Transactions on Information &
Systems, 2015, E98.D(10):1777-1787.
[5] Ni S Y, Lan Y T, Lin I T C, et al. Abnormal behavior detection system
and method using automatic classification of multiple features: US,
US8885929[P]. 2014.