Empirical evaluation of SVM-based masquerade detection using UNIX commands

Han Sung Kim, Sungdeok Cha

Research output: Contribution to journal › Article

40 Citations (Scopus)

Abstract

Masqueraders who impersonate other users pose a serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and a relatively high degree of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of the International Conference on Dependable Systems and Networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of the International Conference on Dependable Systems and Networks (DSN-03), p. 5-14, June 2003]. The concept of "common commands" was introduced as a feature to more effectively reflect the diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported accuracies of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, the SVM-based approach detected masqueraders 87.3% of the time, while the previous study, using the same data set, reported an accuracy of 82.1%. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.
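The pipeline the abstract describes, as an added example that is not code from Kim and Cha's paper: command streams are cut into fixed-size blocks, each block becomes a command-frequency vector, and a linear SVM is trained to separate the target user's blocks from other users' blocks. Everything below is an assumption of this sketch rather than something the abstract states: the command streams are constructed, the block size is 50, "common commands" is read as commands issued by every legitimate user during training, an extra "foreign command" fraction (commands the target user never issued in training) is added as a feature, and the SVM is a plain Pegasos sub-gradient trainer instead of a library implementation. The paper's actual feature definitions and training protocol are in its full text.

```python
"""Added example (not the paper's code): command-block masquerade detection
with a linear SVM over constructed UNIX command streams."""
import random
from collections import Counter

BLOCK = 50   # assumed block size (the Schonlau/Maxion data uses 100-command blocks)
SEED = 7

# Constructed per-user command habits (command -> relative weight). Not real data.
# Every legitimate user shares ls/cd/cat/grep; each also has private tools.
PROFILES = {
    "alice": {"ls": 2, "cd": 2, "cat": 1, "grep": 1, "vi": 3, "gcc": 2, "make": 2},
    "bob": {"ls": 2, "cd": 2, "cat": 1, "grep": 1, "python": 3, "pip": 2, "pytest": 2},
    "carol": {"ls": 2, "cd": 2, "cat": 1, "grep": 1, "ssh": 3, "scp": 2, "tar": 2},
    # The masquerader never appears in training: same shared commands, other tools.
    "mallory": {"ls": 2, "cd": 2, "cat": 1, "grep": 1, "nmap": 2, "nc": 2, "wget": 2, "chmod": 1},
}
LEGIT = ["alice", "bob", "carol"]


def sample_stream(profile, n, rng):
    """Draw n commands by weighted sampling using only rng.random(), so the
    constructed stream is reproducible across Python versions."""
    total = float(sum(profile.values()))
    out = []
    for _ in range(n):
        r = rng.random() * total
        for cmd, weight in profile.items():
            r -= weight
            if r < 0:
                break
        out.append(cmd)          # falls through to the last command only on round-off
    return out


def split_blocks(stream, size=BLOCK):
    """Cut a command stream into fixed-size blocks, dropping any ragged tail."""
    return [stream[i:i + size] for i in range(0, len(stream) - size + 1, size)]


def featurize(block, vocab, common):
    """Feature vector for one block: frequency of each command in the target
    user's training vocabulary, the fraction of 'common commands' (assumed
    reading: commands every legitimate user issued in training), the fraction
    of commands foreign to the target user, and a constant 1.0 as bias input."""
    counts = Counter(block)
    n = float(len(block))
    vset = set(vocab)
    x = [counts[c] / n for c in vocab]
    x.append(sum(counts[c] for c in common) / n)
    x.append(sum(v for c, v in counts.items() if c not in vset) / n)
    x.append(1.0)
    return x


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def train_svm(X, y, lam=0.01, epochs=50):
    """Linear SVM via Pegasos: stochastic sub-gradient descent on
    lam/2 * ||w||^2 + mean hinge loss, cycling over pre-shuffled data."""
    w = [0.0] * len(X[0])
    t = 0
    for _ in range(epochs):
        for x, label in zip(X, y):
            t += 1
            eta = 1.0 / (lam * t)
            shrink = 1.0 - eta * lam
            if label * dot(w, x) < 1.0:      # margin violated: step toward label * x
                w = [shrink * wi + eta * label * xi for wi, xi in zip(w, x)]
            else:
                w = [shrink * wi for wi in w]
    return w


def run_experiment(target="alice", seed=SEED):
    """Train target-vs-other-users, then score held-out target blocks and the
    masquerader's blocks. Returns (masquerade detection rate, false alarm rate)."""
    rng = random.Random(seed)
    streams = {u: sample_stream(p, BLOCK * 40, rng) for u, p in PROFILES.items()}
    train = {u: split_blocks(streams[u])[:20] for u in LEGIT}   # first 20 blocks train
    held_out = split_blocks(streams[target])[20:]                # last 20 test the target
    vocab = sorted({c for b in train[target] for c in b})
    common = set.intersection(*({c for b in train[u] for c in b} for u in LEGIT))
    data = [(featurize(b, vocab, common), 1 if u == target else -1)
            for u in LEGIT for b in train[u]]
    rng.shuffle(data)
    w = train_svm([x for x, _ in data], [lab for _, lab in data])
    flagged = lambda b: dot(w, featurize(b, vocab, common)) < 0.0
    masq = split_blocks(streams["mallory"])
    detection = sum(flagged(b) for b in masq) / len(masq)
    false_alarm = sum(flagged(b) for b in held_out) / len(held_out)
    return detection, false_alarm


if __name__ == "__main__":
    d, f = run_experiment()
    print(f"masquerader blocks flagged: {d:.0%}, legitimate blocks flagged: {f:.0%}")
```

The masquerader is caught here because its blocks land in the same region of feature space as the "other users" training class (no target-private commands, a large foreign-command fraction), not because the detector has ever seen mallory. The flip side is the usual caveat for frequency-based profiling: an intruder who reproduces the victim's command mix scores as legitimate, which is why the paper's reported rates are described as imperfect rather than as a solved problem.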

Original language: English
Pages (from-to): 160-168
Number of pages: 9
Journal: Computers and Security
Volume: 24
Issue number: 2
DOI: 10.1016/j.cose.2004.08.007
Publication status: Published - 2005 Mar 1
Externally published: Yes

Keywords

  • Anomaly detection
  • Intrusion detection
  • Machine learning
  • Masquerade detection
  • Support vector machine (SVM)

ASJC Scopus subject areas

  • Computer Science (all)

Cite this

Empirical evaluation of SVM-based masquerade detection using UNIX commands. / Kim, Han Sung; Cha, Sungdeok.

In: Computers and Security, Vol. 24, No. 2, 01.03.2005, p. 160-168.

@article{59ba228a529d4543a37a5a274b52284b,
title = "Empirical evaluation of SVM-based masquerade detection using UNIX commands",
keywords = "Anomaly detection, Intrusion detection, Machine learning, Masquerade detection, Support vector machine (SVM)",
author = "Kim, {Han Sung} and Sungdeok Cha",
year = "2005",
month = "3",
day = "1",
doi = "10.1016/j.cose.2004.08.007",
language = "English",
volume = "24",
pages = "160--168",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",
number = "2",

}
