Windows NT one-class masquerade detection
Document Type
Conference Proceeding
Publication Date
12-1-2004
Abstract
Previous research has mainly studied UNIX system command line users, while here we investigate Windows system users, utilizing real network data. This work primarily focuses on one-class support vector machine (SVM) masquerade detection. One-class training requires only the user's own legitimate sessions to build up the user's profile. The one-class approach offers significant ease of management of the roster of users, in that the addition of new users or deletion of legacy ones requires much smaller effort compared to the multi-class case. A two-class SVM study has also been carried out for the purpose of comparison. ROC scores have been computed and used to compare the performance in detecting different masqueraders. The two-class training achieves a 63% hit rate with a low false alarm rate (about 3.7%), comparable to the best UNIX system results. The results of one-class training show a detection rate of about 66.7% with a corresponding false alarm rate of about 22%. Even though the one-class training approach results in some sacrifice of performance for false alarms, the gains in ease of roster management and reduction in training needed may be more desirable in some practical environments. © 2004 IEEE.
Identifier
15944403914 (Scopus)
ISBN
[0780385721, 9780780385726]
Publication Title
Proceedings from the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC
First Page
82
Last Page
87
Recommended Citation
Li, Ling and Manikopoulos, Constantine N., "Windows NT one-class masquerade detection" (2004). Faculty Publications. 20020.
https://digitalcommons.njit.edu/fac_pubs/20020
