Abstract
Masqueraders who impersonate other users pose serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered as an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and relatively high degree of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of international conference on dependable systems and networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of international conference on dependable systems and networks (DSN-03), p. 5-14, June 2003]. Concept of "common commands" was introduced as a feature to more effectively reflect diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported the accuracy of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, SVM-based approach detected masqueraders 87.3% of the time while the previous study, using the same data set, reported 82.1% of accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.
| Original language | English |
|---|---|
| Pages (from-to) | 160-168 |
| Number of pages | 9 |
| Journal | Computers and Security |
| Volume | 24 |
| Issue number | 2 |
| DOIs | |
| Publication status | Published - 2005 Mar 1 |
| Externally published | Yes |
Fingerprint
Keywords
- Anomaly detection
- Intrusion detection
- Machine learning
- Masquerade detection
- Support vector machine (SVM)
ASJC Scopus subject areas
- Computer Science(all)
Cite this
Empirical evaluation of SVM-based masquerade detection using UNIX commands. / Kim, Han Sung; Cha, Sungdeok.
In: Computers and Security, Vol. 24, No. 2, 01.03.2005, p. 160-168.Research output: Contribution to journal › Article
}
TY - JOUR
T1 - Empirical evaluation of SVM-based masquerade detection using UNIX commands
AU - Kim, Han Sung
AU - Cha, Sungdeok
PY - 2005/3/1
Y1 - 2005/3/1
N2 - Masqueraders who impersonate other users pose serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered as an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and relatively high degree of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of international conference on dependable systems and networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of international conference on dependable systems and networks (DSN-03), p. 5-14, June 2003]. Concept of "common commands" was introduced as a feature to more effectively reflect diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported the accuracy of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, SVM-based approach detected masqueraders 87.3% of the time while the previous study, using the same data set, reported 82.1% of accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.
AB - Masqueraders who impersonate other users pose serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered as an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and relatively high degree of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of international conference on dependable systems and networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of international conference on dependable systems and networks (DSN-03), p. 5-14, June 2003]. Concept of "common commands" was introduced as a feature to more effectively reflect diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported the accuracy of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, SVM-based approach detected masqueraders 87.3% of the time while the previous study, using the same data set, reported 82.1% of accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.
KW - Anomaly detection
KW - Intrusion detection
KW - Machine learning
KW - Masquerade detection
KW - Support vector machine (SVM)
UR - http://www.scopus.com/inward/record.url?scp=17844372755&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=17844372755&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2004.08.007
DO - 10.1016/j.cose.2004.08.007
M3 - Article
VL - 24
SP - 160
EP - 168
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
IS - 2
ER -