Empirical evaluation of SVM-based masquerade detection using UNIX commands

Han Sung Kim, Sung Deok Cha

Research output: Contribution to journalArticle

44 Citations (Scopus)

Abstract

Masqueraders who impersonate other users pose serious threat to computer security. Unfortunately, firewalls or misuse-based intrusion detection systems are generally ineffective in detecting masqueraders. Although anomaly detection techniques have long been considered as an effective approach to complement misuse detection techniques, they are not widely used in practice due to poor accuracy and relatively high degree of false alarms. In this paper, we performed an empirical study investigating the effectiveness of SVM (support vector machine) in detecting masquerade activities using two different UNIX command sets used in previous studies [R. Maxion, N. Townsend, Proceedings of international conference on dependable systems and networks (DSN-02), p. 219-28, June 2002; R. Maxion, Proceedings of international conference on dependable systems and networks (DSN-03), p. 5-14, June 2003]. Concept of "common commands" was introduced as a feature to more effectively reflect diverse command patterns exhibited by various users. Though still imperfect, we detected masqueraders 80.1% and 94.8% of the time, while the previous studies reported the accuracy of 69.3% and 62.8%, respectively, using the same data set containing only the command names. When command names and arguments were included in the experiment, SVM-based approach detected masqueraders 87.3% of the time while the previous study, using the same data set, reported 82.1% of accuracy. These combined experiments convincingly demonstrate that SVM is an effective approach to masquerade detection.

Original languageEnglish
Pages (from-to)160-168
Number of pages9
JournalComputers and Security
Volume24
Issue number2
DOIs
Publication statusPublished - 2005 Mar
Externally publishedYes

Keywords

  • Anomaly detection
  • Intrusion detection
  • Machine learning
  • Masquerade detection
  • Support vector machine (SVM)

ASJC Scopus subject areas

  • Computer Science(all)
  • Law

Fingerprint Dive into the research topics of 'Empirical evaluation of SVM-based masquerade detection using UNIX commands'. Together they form a unique fingerprint.

  • Cite this