Dectecting the Abnormal: Machine Learning in Computer Security

Get BibTex-formatted data

Author

Terran Lane, Carla E. Brodley

Entry type

techreport

Abstract

Two problems of importance in computer security are to 1) detect the presence of an intruder masquerading as the valid user and 2) detect the perpetration of abusive actions on the part of an otherwise innocuous. In this paper we present a machine learning approach to anomaly detection, designed to handle these two problems. Our system learns a user profile for each user account and subsequently employs it to detect anomalous behavior in that account. Based on sequences of actions (UNIX commands) of the current user\'s inputstream, the system compares each fixed-length input sequence with a historical library of the account\'s command sequences using a similarity measure. The system must learn to classify current behavior as consistent or anomalous with past behavior using only positive examples of the account\'s valid user. Our empirical results demonstrate tha in most cases it is possible to distinguish the legitimate user from an intruder and, furthermore, that an instance selection technique based on a memory page-replacement algorithm is capable of drastically reducing library size without hindering detection accuracy.

URL

http://ftp.cerias.purdue.edu/p ... lane-brodley-learning.pdf

Institution

Purdue University

Key alpha

Lane

Affiliation

Purdue University

Publication Date

2001-01-01

Keywords

Application, Learning from positive examples, Sequence learning., Clasification, Recognition, Computer Security, Anomoly detection

Language

Ennglish

Subject

computer security

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Techreport{ Lane,
	title = "Dectecting the Abnormal: Machine Learning in Computer Security",
	author = "Terran Lane, Carla E. Brodley",
	institution = "Purdue University",
	abstract = "Two problems of importance in computer security are to 1) detect the presence of an intruder masquerading as the valid user and 2) detect the perpetration of abusive actions on the part of an otherwise innocuous.  In this paper we present a machine learning approach to anomaly detection, designed to handle these two problems.  Our system learns a user profile for each user account and subsequently employs it to detect anomalous behavior in that account.  Based on sequences of actions (UNIX commands) of the current user\'s inputstream, the system compares each fixed-length input sequence with a historical library of the account\'s command sequences using a similarity measure.  The system must learn to classify current behavior as consistent or anomalous with past behavior using only positive examples of the account\'s valid user.  Our empirical results demonstrate tha in most cases it is possible to distinguish the legitimate user from an intruder and, furthermore, that an instance selection technique based on a memory page-replacement algorithm is capable of drastically reducing library size without hindering detection accuracy.",
	affiliation = "Purdue University",
	keywords = "Application, Learning from positive examples, Sequence learning., Clasification, Recognition, Computer Security, Anomoly detection",
	language = "Ennglish",
	subject = "computer security",
	url = "http://ftp.cerias.purdue.edu/pub/papers/carla-brodley/lane-brodley-learning.pdf",
}