The Center for Education and Research in Information Assurance and Security (CERIAS)

Sequence Matching and Learning in Anomaly Detection for Computer Security

Author

Terran Lane

Entry type

techreport

Abstract

Two problems of importance in computer security are to 1) detect the presence of an intruder masquerading as the valid user and 2) detect the perpetration of abusive actions on the part of an otherwise innocuous user. We have developed an approach to these problems that examines sequences of user actions (UNIX commands) to classify behavior as normal or anomalous. In this paper we explore the matching function needed to compare a current behavioral sequence to a historical profile. We discuss the difficulties of performing matching in human-generated data and show that exact string matching is insufficient for this domain. We demonstrate a number of partial matching functions and examine their behaviors on user command data. In particular, we explore two methods for weighting scores by adjacency of matches, as well as two growth functions (polynomial and exponential) for scoring similarities. We find, empirically, that a partial matching function, biased toward adjacent matches, with a polynomial growth rate is superior for this domain.

Date

1997

Journal

AAAI-97 Workshop on AI Approaches to Fraud Detection and Risk Management

Key alpha

lane

Number

COAST TR 97-04

School

ECE, COAST, Purdue University

Location

A hard copy of this report is held in the CERIAS Library.