Anomaly Detection Using Time Index Differences of Identical Symbols with and without Training Data

Anomaly detection or novelty detection has emerged as a powerful tool for masquerade detection during the past decade. However, the strong dependence of previous methods on uncontaminated training data is a matter of concern. We introduce a novel masquerade detection algorithm based on a statistical test for system parameter drift in time series data. The approach presented can exploit attack-free training data if it is provided, but does not depend on it. It transforms the string of commands into a symbol sequence and then uses, as the quantity for anomaly detection, the average time index difference between the symbol found at a particular index and the symbols identical to it. We evaluated the method on the standard data set provided by Schonlau et al., both with and without the use of training data. We report the results achieved with and without training data, and compare them to the results attained by several conventional methods that use training data.
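The following is an added illustration, not code from the paper: it shows what the abstract's feature looks like in practice. Commands are mapped to integer symbols, and for each index the average absolute index difference to all other occurrences of the same symbol is computed. Two assumptions are mine: a symbol that occurs only once is assigned the sequence length as its "distance" (a constructed convention, since the abstract does not say how singletons are treated), and drift is scored with a plain z-score of a block's mean against a reference, either supplied training features or the rest of the same series. That z-score is a simple stand-in for the paper's statistical test for parameter drift, not a reproduction of it; the command sequences are constructed sample input.

```python
import math
from statistics import mean, pstdev


def to_symbols(commands):
    """Map each distinct command string to an integer symbol, in order of first appearance."""
    table = {}
    return [table.setdefault(cmd, len(table)) for cmd in commands]


def positions_by_symbol(symbols):
    """Index every position at which each symbol occurs."""
    pos = {}
    for i, s in enumerate(symbols):
        pos.setdefault(s, []).append(i)
    return pos


def avg_index_difference(symbols, i, pos=None):
    """Average |j - i| over all other positions j holding the same symbol as position i.

    Returns None when the symbol at i occurs nowhere else in the sequence.
    """
    if pos is None:
        pos = positions_by_symbol(symbols)
    others = [j for j in pos[symbols[i]] if j != i]
    if not others:
        return None
    return mean([abs(j - i) for j in others])


def feature_series(symbols, singleton_value=None):
    """Compute the average-index-difference feature at every position.

    Assumption (not from the paper): a symbol with no other occurrence gets
    singleton_value, defaulting to len(symbols), i.e. "as far away as possible".
    """
    n = len(symbols)
    cap = float(n if singleton_value is None else singleton_value)
    pos = positions_by_symbol(symbols)
    out = []
    for i in range(n):
        d = avg_index_difference(symbols, i, pos)
        out.append(cap if d is None else float(d))
    return out


def drift_score(features, start, end, reference=None):
    """z-score of the block features[start:end] against a reference.

    With training data, pass its feature series as `reference`; without it,
    the rest of the same series is used, which is the training-free mode.
    This z-score is an illustrative stand-in for the paper's drift test.
    """
    block = features[start:end]
    if reference is None:
        reference = features[:start] + features[end:]
    if len(block) < 2 or len(reference) < 2:
        raise ValueError("block and reference each need at least two samples")
    sd = pstdev(reference)
    diff = mean(block) - mean(reference)
    if sd == 0:
        return 0.0 if diff == 0 else math.inf
    return diff / (sd / math.sqrt(len(block)))


def build_demo():
    """Constructed sample: a user cycling three commands, then ten unfamiliar ones."""
    normal = ["ls", "cd", "cat"] * 20                       # 60 commands
    intruder = ["gcc", "make", "vim", "gdb", "ssh",
                "scp", "tar", "rsync", "ps", "top"]          # 10 commands never seen before
    return normal, normal + intruder


def demo_scores():
    """Return (score of the unfamiliar block, score of an ordinary block, score with training data)."""
    normal, session = build_demo()
    sess_sym = to_symbols(session)
    feats = feature_series(sess_sym)
    n = len(normal)
    score_intruder = drift_score(feats, n, len(session))          # training-free mode
    score_normal_block = drift_score(feats, 0, 10)
    train_feats = feature_series(to_symbols(normal))              # attack-free training data
    score_with_training = drift_score(feats, n, len(session), reference=train_feats)
    return score_intruder, score_normal_block, score_with_training


if __name__ == "__main__":
    s_intr, s_norm, s_train = demo_scores()
    print(f"unfamiliar block (no training): z = {s_intr:.1f}")
    print(f"ordinary block   (no training): z = {s_norm:.1f}")
    print(f"unfamiliar block (training):    z = {s_train:.1f}")
```

Because the unfamiliar commands never recur, their feature values sit at the cap and the block's mean jumps well above the reference, whereas an ordinary block stays close to the rest of the series. The same block scores high whether the reference is the remainder of the series or a separate attack-free training series, which is the point the abstract makes about using training data when it exists but not depending on it.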

[1] M. B. Kennel et al. Statistical test for dynamical nonstationarity in observed time-series data, 1995, chao-dyn/9512005.

[2] Mohammad Zulkernine et al. Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection, 2006, 2006 IEEE International Conference on Communications.

[3] Sushil Jajodia et al. Applications of Data Mining in Computer Security, 2002, Advances in Information Security.

[4] Salvatore J. Stolfo et al. One-Class Training for Masquerade Detection, 2003.

[5] Yang Zhang et al. Combined Support Vector Novelty Detection for Multi-channel Combustion Data, 2007, 2007 IEEE International Conference on Networking, Sensing and Control.

[6] Eleazar Eskin et al. A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data, 2002.

[7] Thomas M. Cover et al. Elements of Information Theory, 2005.

[8] Kazuhiko Kato et al. Anomaly Detection Using Integration Model of Vector Space and Network Representation, 2007.

[9] Kenji Yamanishi et al. A unifying framework for detecting outliers and change points from time series, 2006.

[10] A. Karr et al. Computer Intrusion: Detecting Masquerades, 2001.

[11] R. Kwitt et al. Unsupervised Anomaly Detection in Network Traffic by Means of Robust PCA, 2007, 2007 International Multi-Conference on Computing in the Global Information Technology (ICCGI'07).

[12] Marcus A. Maloof. Machine Learning and Data Mining for Computer Security: Methods and Applications, 2011.

[13] Philip K. Chan et al. Data Cleaning and Enriched Representations for Anomaly Detection in System Calls, 2006.

[14] Bin Liu et al. Masquerade Detection System Based on Correlation Eigen Matrix and Support Vector Machine, 2006, 2006 International Conference on Computational Intelligence and Security.

[15] Kenji Yamanishi et al. Dynamic Model Selection With its Applications to Novelty Detection, 2007, IEEE Transactions on Information Theory.