The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

Machine Learning Techniques for the Computer Security Domain of Anomaly Detection

CERIAS TR 2000-12
Terran Lane
Download: PDF

In this dissertation, we examine the machine learning issues raised by the domain of anomaly detection for computer security. The anomaly detection task is to recognize the presence of an unusual and potentially hazardous state within the activities of a computer user, system, or network. “Unusual” is defined with respect to some model of “normal” behavior which may be either hard-coded or learned from observation. We focus here on learning models of normalcy at the user behavioral level, as observed through command line data. An anomaly detection agent faces many learning problems including learning from streams of temporal data, learning from instances of a single class, and adaptation to a dynamically changing concept. We describe two approaches to the construction of such models: one that employs instance-based models of user behaviors and one that uses hidden Markov models. We demonstrate the performance of sensors based on these models under a wide range of parameter settings and show conditions under which maximal classification performance is achieved. Using provided labels of users’ job descriptions, we demonstrate that users can be roughly divided into behavioral classes related to their experience level. Finally, we study methods for adapting user models to changing behavioral patterns and show the methods’ performance strengths and weaknesses.

Added 2002-07-26

Generally-Accepted System Security Principles (GSSP) Exposure Draft 2.0

W. Ozier

The GSSP Committee seeks to develop and maintain Generally-Accepted System Security Principles with guidance from information security professionals and organizations having extensive experience in defining and stating the principles of information security.

Added 2002-07-26

Computer-Related Inventions

S. Paynter
Added 2002-07-26


Privacy, Secrecy, and Security

CERIAS TR 2000-18
P. Thompson
Download: PDF

I will argue that one class of issues in computer ethics often associated with privacy and a putative right to privacy is best analyzed in terms that make no substantive reference to privacy at all. These issues concern the way that networked information technology creates new ways in which conventional rights to personal security can be threatened. However one chooses to analyze rights, rights to secure person and property will be among the most basic, the least controversial and the most universally recognized. A risk-based approach to these issues provides a clearer statement of what is ethically important, as well as what is ethically problematic. Once the issues of security have been articulated clearly, it becomes possible to make out genuine issues of privacy in contrast to them.

Added 2002-07-26

An Application of Machine Learning to Anomaly Detection

T. Lane and C. Brodley
Download: PDF

The anomaly detection problem has been widely studied in the computer security literature. In this paper we present a machine learning approach to anomaly detection. Our system builds user profiles based on command sequences and compares current input sequences to the profile using a similarity measure. The system must learn to classify current behavior as consistent or anomalous with past behavior using only positive examples of the account’s valid user. Our empirical results demonstrate that this is a promising approach to distinguishing the legitimate user from an intruder.

Added 2002-07-26

Approaches to Online Learning and Concept Drift for User Identification in Computer Security

COAST 98-12
T. Lane and C. Brodley
Download: PDF

The task in the computer security domain of anomaly detection is to characterize the behaviors of a computer user (the ‘valid’, or ‘normal’ user) so that unusual occurrences can be detected by comparison of the current input stream to the valid user’s profile. This task requires an online learning system that can respond to concept drift and handle discrete non-metric time sequence data. We present an architecture for online learning in the anomaly detection domain and address the issues of incremental updating of system parameters and instance selection. We demonstrate a method for measuring direction and magnitude of concept drift in the classification space and present and evaluate approaches to the above stated issues which make use of the drift measurement.

Added 2002-07-26
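The approach sketched in the two Lane and Brodley abstracts above (a profile of instances built from the valid user's command sequences, a similarity measure between a current sequence and that profile, a decision threshold set from positive examples only, and incremental updating of the profile when legitimate behavior drifts), as an added Python example. This is not code from the papers or from CERIAS: the window length, the positional similarity measure, the threshold rule, the bounded profile and the command data are all assumptions chosen for illustration.

```python
"""Instance-based user-profile anomaly detection over a command stream.

Added example, not the published system. Window length, similarity
measure, threshold rule, profile capacity and all data are assumptions.
"""
from collections import deque
from statistics import mean
from typing import Deque, List, Sequence, Tuple

Window = Tuple[str, ...]

WINDOW_LEN = 4           # assumed: tokens per instance
PROFILE_CAPACITY = 500   # assumed: oldest instances are forgotten first

# Constructed sample data: command names only, arguments stripped.
TRAIN_SESSIONS = [
    "ls cd vim make ./a.out",
    "cd vim make gdb ./a.out",
    "ls vim make ./a.out ls",
]
HELD_OUT_SESSIONS = [          # same user; used only to set the threshold
    "cd vim make ./a.out gdb",
    "ls cd vim make gdb",
]
NORMAL_SESSION = "ls vim make ./a.out ls"
INTRUDER_SESSION = "id passwd chmod nc wget sh rm history"
NEW_ROUTINE = "git pull pytest git push"   # legitimate behavior after drift


def windows(stream: Sequence[str], n: int = WINDOW_LEN) -> List[Window]:
    """Slide a length-n window over the token stream one token at a time."""
    return [tuple(stream[i:i + n]) for i in range(len(stream) - n + 1)]


def similarity(a: Window, b: Window) -> float:
    """Positional match score in [0, 1]; runs of adjacent matches earn more."""
    score, run = 0, 0
    for x, y in zip(a, b):
        if x == y:
            run += 1
            score += run          # 1 + 2 + 3 ... for consecutive matches
        else:
            run = 0
    best = len(a) * (len(a) + 1) // 2   # score when every position matches
    return score / best


class UserProfile:
    """Bounded collection of instances (windows) seen from the valid user."""

    def __init__(self, stream: Sequence[str]) -> None:
        self.instances: Deque[Window] = deque(windows(stream), maxlen=PROFILE_CAPACITY)
        self.threshold = 0.0

    def window_score(self, w: Window) -> float:
        """Nearest-neighbour similarity of one window to the profile."""
        return max(similarity(w, inst) for inst in self.instances)

    def session_score(self, session: str) -> float:
        return mean(self.window_score(w) for w in windows(session.split()))

    def calibrate(self, held_out: Sequence[str]) -> float:
        """Positive-only threshold: the lowest score the valid user produced."""
        self.threshold = min(self.session_score(s) for s in held_out)
        return self.threshold

    def is_anomalous(self, session: str) -> bool:
        return self.session_score(session) < self.threshold

    def update(self, session: str) -> None:
        """Fold confirmed-legitimate behavior into the profile (concept drift)."""
        self.instances.extend(windows(session.split()))


def build_profile() -> UserProfile:
    profile = UserProfile(" ".join(TRAIN_SESSIONS).split())
    profile.calibrate(HELD_OUT_SESSIONS)
    return profile


if __name__ == "__main__":
    p = build_profile()
    print(f"threshold={p.threshold:.2f}")
    for name, s in [("normal", NORMAL_SESSION), ("intruder", INTRUDER_SESSION),
                    ("new routine", NEW_ROUTINE)]:
        print(f"{name:12s} score={p.session_score(s):.2f} anomalous={p.is_anomalous(s)}")
    p.update(NEW_ROUTINE)   # operator confirms the new routine is the real user
    print(f"after update  score={p.session_score(NEW_ROUTINE):.2f} "
          f"anomalous={p.is_anomalous(NEW_ROUTINE)}")
```

The threshold comes only from held-out sessions of the valid user, which is the positive-only constraint the abstracts describe; the intruder session scores zero because none of its commands appear in the profile, and the new routine is flagged for the same reason until it is folded into the profile, after which it scores as normal. A bounded deque stands in for instance selection: once capacity is reached the oldest windows drop out, so the profile follows the user rather than accumulating forever.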