TY - JOUR
T1 - Empirical evaluation of SVM-based masquerade detection using UNIX commands
AU - Kim, Han Sung
AU - Cha, Sung Deok
N1 - Funding Information:
The authors would like to thank Dr. Jahwan Kim of KAIST for his comments on our experiment and paper. Research reported in this paper has been funded, in part, by research funding to AITrc ( http://aitrc.kaist.ac.kr ), SPIC ( http://spic.kaist.ac.kr ) and IIRTRC ( http://iitrc.cnu.ac.kr ).
PY - 2005/3
Y1 - 2005/3
N2 - Masqueraders who impersonate other users pose a serious threat to computer security. Unfortunately, firewalls and misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and a relatively high rate of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of international conference on dependable systems and networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of international conference on dependable systems and networks (DSN-03), p. 5-14, June 2003]. The concept of "common commands" was introduced as a feature to more effectively reflect the diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported accuracies of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, the SVM-based approach detected masqueraders 87.3% of the time, while the previous study, using the same data set, reported 82.1% accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.
AB - Masqueraders who impersonate other users pose a serious threat to computer security. Unfortunately, firewalls and misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and a relatively high rate of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of international conference on dependable systems and networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of international conference on dependable systems and networks (DSN-03), p. 5-14, June 2003]. The concept of "common commands" was introduced as a feature to more effectively reflect the diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported accuracies of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, the SVM-based approach detected masqueraders 87.3% of the time, while the previous study, using the same data set, reported 82.1% accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.
KW - Anomaly detection
KW - Intrusion detection
KW - Machine learning
KW - Masquerade detection
KW - Support vector machine (SVM)
UR - http://www.scopus.com/inward/record.url?scp=17844372755&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=17844372755&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2004.08.007
DO - 10.1016/j.cose.2004.08.007
M3 - Article
AN - SCOPUS:17844372755
VL - 24
SP - 160
EP - 168
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
IS - 2
ER -