Command logs of computer users are recorded to thwart masquerading users. Several statistical techniques are proposed and tested on a standard dataset of user command logs. These anomaly-detection schemes reduce each user session into a histogram of commands. Several distance measures are used to compare command frequencies of two sessions, including the chi-square test and the likelihood-ratio test of classical statistical inference, the relative-entropy distance and the Kullback-Leibler distance of information theory, and the Jackard correlation and the vector-space model of information retrieval. As is typical of intrusion-detection studies, examples of masquerading sessions are not available in the training set, which consists of fifty sessions for each of fifty distinct users. Instead, sessions of each user serve as masquerading sessions for the other users. This approach proves valuable for setting alarm thresholds and choosing model parameters. The results are competitive with techniques proposed earlier and demonstrate that even the simple bag-of-words model for command logs is useful for distinguishing masquerading sessions from proper sessions.