A masquerade attack is a consequence of identity theft: the impostor impersonates a legitimate insider while carrying out illegitimate activity. Such attacks are very hard to detect and can cause considerable damage to an organization. Prior work has focused on modeling user commands to identify abnormal behavior indicative of impersonation. In this paper, we investigate the performance of two one-class user behavior profiling techniques: one-class Support Vector Machines (ocSVMs) and a Hellinger distance-based user behavior profiling technique. Both techniques model bags of words (commands) rather than sequences of commands. We apply both to masquerade detection and compare the experimental results. The objective is to determine which modeling technique is best suited to an operational monitoring system, so our focus is on accuracy as well as operational performance characteristics. We show that one-class SVMs are the most practical choice for deployment in masquerade-detection sensors in the general case. We also show that for specific users whose profile fits the average user profile, one-class SVMs may not be the best modeling approach; such users pose a more serious threat, since they may be easier to mimic. Copyright © 2011 John Wiley & Sons, Ltd.
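The following is an added illustration of the bag-of-commands, one-class profiling idea described in the abstract; it is not code from the paper or its authors. It implements only the Hellinger distance side of the comparison (an ocSVM would consume the same per-block frequency vectors) and adds a small "average user" check for the caveat in the last sentence. Everything the abstract does not specify is an assumption here: audit data is cut into fixed-size blocks of commands, the profile is the relative frequency of each command over all of a user's training blocks, the alert threshold is the largest profile-to-training-block distance plus a small margin, and the command blocks are constructed sample data.

```python
# Added example (not the paper's code): one-class, bag-of-commands user
# profiling with the Hellinger distance, plus a population-average check.
# Assumptions (none are specified in the abstract):
#   - audit data is split into fixed-size blocks of commands;
#   - the user profile is the relative frequency of each command over all
#     of that user's training blocks;
#   - the alert threshold is the largest distance between the profile and any
#     single training block, plus a small margin;
#   - the sample command blocks below are constructed for illustration.
from collections import Counter
from math import sqrt


def command_distribution(commands):
    """Bag of commands: relative frequency of each command in one block.
    Order is deliberately discarded, as in the bag-of-words models discussed."""
    counts = Counter(commands)
    total = sum(counts.values())
    return {cmd: n / total for cmd, n in counts.items()}


def hellinger(p, q):
    """Hellinger distance between two discrete distributions given as dicts.
    0 means identical; 1 means the two blocks share no command at all."""
    keys = set(p) | set(q)
    acc = sum((sqrt(p.get(k, 0.0)) - sqrt(q.get(k, 0.0))) ** 2 for k in keys)
    return sqrt(acc) / sqrt(2)


class HellingerProfile:
    """One-class detector: only the legitimate user's data is used for training."""

    def __init__(self, margin=0.05):
        self.margin = margin          # assumed slack above the worst training block
        self.profile = {}
        self.threshold = None

    def fit(self, training_blocks):
        self.profile = command_distribution([c for b in training_blocks for c in b])
        worst = max(hellinger(self.profile, command_distribution(b))
                    for b in training_blocks)
        self.threshold = worst + self.margin
        return self

    def score(self, block):
        """Distance of a new block from the learned profile (higher = more anomalous)."""
        return hellinger(self.profile, command_distribution(block))

    def is_masquerade(self, block):
        return self.score(block) > self.threshold


def population_profile(profiles):
    """Average of several users' command distributions: the 'average user'.
    A user whose own profile is close to this one is, per the abstract's
    caveat, the kind of user an impostor finds easier to mimic."""
    keys = set().union(*profiles)
    return {k: sum(p.get(k, 0.0) for p in profiles) / len(profiles) for k in keys}


# Constructed sample data: three legitimate training blocks for one user.
TRAINING_BLOCKS = [
    ["ls", "cd", "vim", "git", "make", "ls", "grep", "cd"],
    ["cd", "ls", "vim", "make", "git", "ls", "python", "ls"],
    ["grep", "ls", "cd", "vim", "git", "make", "ls", "cd"],
]
# Constructed block from an impostor running tools this user never runs.
IMPOSTOR_BLOCK = ["wget", "chmod", "nc", "nmap", "sudo", "cat", "tar", "ssh"]


def demo():
    det = HellingerProfile().fit(TRAINING_BLOCKS)
    return {
        "threshold": det.threshold,
        "legit_score": det.score(TRAINING_BLOCKS[1]),
        "legit_flagged": det.is_masquerade(TRAINING_BLOCKS[1]),
        "impostor_score": det.score(IMPOSTOR_BLOCK),
        "impostor_flagged": det.is_masquerade(IMPOSTOR_BLOCK),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the model is order-free, an impostor who reuses the victim's usual commands in the victim's usual proportions scores low regardless of what those commands are chained into; that is the blind spot the abstract's "easier to mimic" remark points at, and the reason the threshold in an operational sensor should be calibrated per user rather than fixed globally.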