Efficient masquerade detection using SVM based on common command frequency in sliding windows

Han Sung Kim, Sungdeok Cha

Research output: Contribution to journal > Article

3 Citations (Scopus)

Abstract

Masqueraders who impersonate other users pose a serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Anomaly detection techniques have been proposed as a complementary approach to overcome such limitations. However, they are not accurate enough in detection, and the rate of false alarms is too high for the technique to be applied in practice. For example, recent empirical studies on masquerade detection using UNIX commands found the accuracy to be below 70%. In this research, we performed a comparative study to investigate the effectiveness of the SVM (Support Vector Machine) technique using the same data set and configuration reported in the previous experiments. In order to improve the accuracy of masquerade detection, we used command frequencies in sliding windows as feature sets. In addition, we chose to ignore commands commonly used by all the users and introduced the concept of a voting engine. Though still imperfect, we were able to improve the accuracy of masquerade detection to 80.1% and 94.8%, whereas previous studies reported accuracy of 69.3% and 62.8% in the same configurations. This study convincingly demonstrates that SVM is useful as an anomaly detection technique and that there are several advantages SVM offers as a tool to detect masqueraders.

Original language: English
Pages (from-to): 2446-2452
Number of pages: 7
Journal: IEICE Transactions on Information and Systems
Volume: E87-D
Issue number: 11
Publication status: Published - 2004 Nov 1
Externally published: Yes

Fingerprint

Support vector machines
UNIX
Intrusion detection
Security of data
Engines
Experiments

Keywords

  • Anomaly detection
  • Intrusion detection
  • Machine learning
  • Masquerade detection
  • SVM (Support Vector Machine)
  • User command

ASJC Scopus subject areas

  • Computer Graphics and Computer-Aided Design
  • Information Systems
  • Software

Cite this

Efficient masquerade detection using SVM based on common command frequency in sliding windows. / Kim, Han Sung; Cha, Sungdeok.

In: IEICE Transactions on Information and Systems, Vol. E87-D, No. 11, 01.11.2004, p. 2446-2452.

@article{2230c595236d4741a4ea84ae2ac4bf3d,
title = "Efficient masquerade detection using SVM based on common command frequency in sliding windows",
abstract = "Masqueraders who impersonate other users pose serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Anomaly detection techniques have been proposed as a complementary approach to overcome such limitations. However, they are not accurate enough in detection, and the rate of false alarm is too high for the technique to be applied in practice. For example, recent empirical studies on masquerade detection using UNIX commands found the accuracy to be below 70{\%}. In this research, we performed a comparative study to investigate the effectiveness of SVM (Support Vector Machine) technique using the same data set and configuration reported in the previous experiments. In order to improve accuracy of masquerade detection, we used command frequencies in sliding windows as feature sets. In addition, we chose to ignore commands commonly used by all the users and introduce the concept of voting engine. Though still imperfect, we were able to improve the accuracy of masquerade detection to 80.1{\%} and 94.8{\%}, whereas previous studies reported accuracy of 69.3{\%} and 62.8{\%} in the same configurations. This study convincingly demonstrates that SVM is useful as an anomaly detection technique and that there are several advantages SVM offers as a tool to detect masqueraders.",
keywords = "Anomaly detection, Intrusion detection, Machine learning, Masquerade detection, SVM (Support Vector Machine), User command",
author = "Kim, {Han Sung} and Sungdeok Cha",
year = "2004",
month = "11",
day = "1",
language = "English",
volume = "E87-D",
pages = "2446--2452",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "11",

}

TY - JOUR

T1 - Efficient masquerade detection using SVM based on common command frequency in sliding windows

AU - Kim, Han Sung

AU - Cha, Sungdeok

PY - 2004/11/1

Y1 - 2004/11/1

N2 - Masqueraders who impersonate other users pose serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Anomaly detection techniques have been proposed as a complementary approach to overcome such limitations. However, they are not accurate enough in detection, and the rate of false alarm is too high for the technique to be applied in practice. For example, recent empirical studies on masquerade detection using UNIX commands found the accuracy to be below 70%. In this research, we performed a comparative study to investigate the effectiveness of SVM (Support Vector Machine) technique using the same data set and configuration reported in the previous experiments. In order to improve accuracy of masquerade detection, we used command frequencies in sliding windows as feature sets. In addition, we chose to ignore commands commonly used by all the users and introduce the concept of voting engine. Though still imperfect, we were able to improve the accuracy of masquerade detection to 80.1% and 94.8%, whereas previous studies reported accuracy of 69.3% and 62.8% in the same configurations. This study convincingly demonstrates that SVM is useful as an anomaly detection technique and that there are several advantages SVM offers as a tool to detect masqueraders.

KW - Anomaly detection

KW - Intrusion detection

KW - Machine learning

KW - Masquerade detection

KW - SVM (Support Vector Machine)

KW - User command

UR - http://www.scopus.com/inward/record.url?scp=10444221762&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=10444221762&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:10444221762

VL - E87-D

SP - 2446

EP - 2452

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 11

ER -