Automated modeling of human behaviors is useful in the computer
security domain of anomaly detection.  In the user modeling facet of
the anomaly detection domain, the task is to develop a model or
profile of the normal working state of a computer system user
and to detect anomalous conditions as deviations from expected
behavior patterns.  In this paper, we examine the use of hidden Markov
models (HMMs) as user profiles for the anomaly detection task.  We
formulate a user identity classification system based on the posterior
likelihood of the model parameters and present an approximation that
allows this quantity to be quickly estimated to a high degree of
accuracy for subsequences of the total sequence of observed data.  We
give an empirical analysis of the HMM anomaly detection sensor.  We
examine performance across a range of model sizes (i.e. number of
hidden states).  We demonstrate that, for most of our user population,
a single-state model is inferior to the multi-state models, and that,
within multi-state models, those with more states tend to model the
profiled user more effectively but imposters less effectively than do
smaller models.  These observations are consistent with the
interpretation that larger models are necessary to capture high
degrees of user behavioral complexity.  We describe extensions of
these techniques to other tasks and domains.